From 8954ad61c14e79ffa3d91d7e84cd173b9dfa9054 Mon Sep 17 00:00:00 2001
From: Kusal Kithul-Godage
Date: Tue, 2 Jan 2024 15:44:59 +1100
Subject: [PATCH] WW-5364 Add String.class to system allowlist
---
 .../opensymphony/xwork2/ognl/SecurityMemberAccess.java | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java b/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
index 1ef638dddb..0cd5bf7896 100644
--- a/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
+++ b/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
@@ -60,17 +60,18 @@ public class SecurityMemberAccess implements MemberAccess {
 private static final Logger LOG = LogManager.getLogger(SecurityMemberAccess.class);
 private static final Set ALLOWLIST_REQUIRED_PACKAGES = unmodifiableSet(new HashSet<>(Arrays.asList(
+ "com.opensymphony.xwork2.validator.validators",
 "org.apache.struts2.components",
- "org.apache.struts2.views.jsp",
- "com.opensymphony.xwork2.validator.validators"
+ "org.apache.struts2.views.jsp"
 )));
 private static final Set> ALLOWLIST_REQUIRED_CLASSES = unmodifiableSet(new HashSet<>(Arrays.asList(
 java.lang.Enum.class,
+ java.lang.String.class,
 java.util.Date.class,
+ java.util.HashMap.class,
 java.util.Map.class,
- java.util.Map.Entry.class,
- java.util.HashMap.class
+ java.util.Map.Entry.class
 )));
 private final ProviderAllowlist providerAllowlist;
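Review bot: The new `java.lang.String.class` entry in `ALLOWLIST_REQUIRED_CLASSES` has no comment explaining why it must always be allowlisted, and the diffstat shows a single file changed, so no test pins the new behaviour. Judging by the constant's name, each entry here appears to be permitted regardless of the application's own allowlist, so a widening like this should carry its reason next to the set, e.g. `// Always allowlisted, independent of application config: each entry makes that type's members reachable from OGNL, so note why it is required (String: WW-5364).` A test asserting that a `String` member is accessible with the allowlist enabled, and that the exclusion checks still run first, would keep this from regressing. The same hunk also re-sorts both sets alphabetically, which hides the one functional line among pure moves; splitting the reorder into its own commit would make the security-relevant change easier to audit. The code that consumes these sets lies outside the hunk, so how they interact with the exclusion lists should be confirmed there.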