From b7b5bff13afc1a5b8dd818d0fbe8b9f64e14e62c Mon Sep 17 00:00:00 2001
From: Kusal Kithul-Godage
Date: Sat, 13 Jul 2024 23:59:16 +1000
Subject: [PATCH] WW-5442 Enforce allowlist for OgnlReflectionProvider

---
 .../providers/XmlDocConfigurationProvider.java | 12 ++++++------
 .../java/com/opensymphony/xwork2/ognl/OgnlUtil.java | 11 +----------
 2 files changed, 7 insertions(+), 16 deletions(-)

diff --git a/core/src/main/java/com/opensymphony/xwork2/config/providers/XmlDocConfigurationProvider.java b/core/src/main/java/com/opensymphony/xwork2/config/providers/XmlDocConfigurationProvider.java
index 6de2024609..5c1d1f395c 100644
--- a/core/src/main/java/com/opensymphony/xwork2/config/providers/XmlDocConfigurationProvider.java
+++ b/core/src/main/java/com/opensymphony/xwork2/config/providers/XmlDocConfigurationProvider.java
@@ -109,6 +109,11 @@ public void setValueSubstitutor(ValueSubstitutor valueSubstitutor) {
 this.valueSubstitutor = valueSubstitutor;
 }
+ @Inject
+ public void setProviderAllowlist(ProviderAllowlist providerAllowlist) {
+ this.providerAllowlist = providerAllowlist;
+ }
+
 public XmlDocConfigurationProvider(Document... documents) {
 this.documents = Arrays.asList(documents);
 }
@@ -135,11 +140,6 @@ public void init(Configuration configuration) {
 this.configuration = configuration;
 }
- private void registerAllowlist() {
- providerAllowlist = configuration.getContainer().getInstance(ProviderAllowlist.class);
- providerAllowlist.registerAllowlist(this, allowlistClasses);
- }
-
 @Override
 public void destroy() {
 if (providerAllowlist != null) {
@@ -152,6 +152,7 @@ protected Class allowAndLoadClass(String className) throws ClassNotFoundExcep
 allowlistClasses.add(clazz);
 allowlistClasses.addAll(ClassUtils.getAllSuperclasses(clazz));
 allowlistClasses.addAll(ClassUtils.getAllInterfaces(clazz));
+ providerAllowlist.registerAllowlist(this, allowlistClasses);
 return clazz;
 }
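Review bot: The added `providerAllowlist.registerAllowlist(this, allowlistClasses);` in `allowAndLoadClass` dereferences the field unguarded, while `destroy()` in the previous hunk still checks `providerAllowlist != null`, so the field is evidently allowed to be absent; the old `registerAllowlist()` fetched the instance from the container on demand, whereas the new `@Inject` setter must have run before the first class is loaded. A fail-fast check such as `Objects.requireNonNull(providerAllowlist, "providerAllowlist not injected");` at the top of the method (or in `init`) turns a mis-ordered injection into a clear error instead of a NullPointerException part-way through parsing the configuration. Registering the whole `allowlistClasses` set once per loaded class is also repeated work; if `registerAllowlist` copies the set rather than keeping a reference, it is worth measuring on large configurations. `allowAndLoadClass` begins outside this hunk.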
@@ -333,7 +334,6 @@ public void loadPackages() throws ConfigurationException {
 }
 declaredPackages.clear();
- registerAllowlist();
 configuration = null;
 }
diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
index 78cada96df..52475b8d59 100644
--- a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
+++ b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
@@ -859,11 +859,6 @@ protected Map createDefaultContext(Object root) {
 return createDefaultContext(root, null);
 }
- /**
- * Note that the allowlist capability is not enforced by the {@link OgnlContext} returned by this method. Currently,
- * this context is only leveraged by some public methods on {@link OgnlUtil} which are called by
- * {@link OgnlReflectionProvider}.
- */
 protected Map createDefaultContext(Object root, ClassResolver resolver) {
 if (resolver == null) {
 resolver = container.getInstance(RootAccessor.class);
@@ -871,11 +866,7 @@ protected Map createDefaultContext(Object root, ClassResolver re
 throw new IllegalStateException("Cannot find ClassResolver");
 }
 }
-
- SecurityMemberAccess memberAccess = container.getInstance(SecurityMemberAccess.class);
- memberAccess.useEnforceAllowlistEnabled(Boolean.FALSE.toString());
-
- return Ognl.createDefaultContext(root, memberAccess, resolver, defaultConverter);
+ return Ognl.createDefaultContext(root, container.getInstance(SecurityMemberAccess.class), resolver, defaultConverter);
 }
 @FunctionalInterface
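Review bot: The Javadoc removed from `createDefaultContext(Object, ClassResolver)` in the preceding hunk is not replaced, so the method no longer states the contract this commit introduces: the returned context uses the container's `SecurityMemberAccess` as configured, and allowlist enforcement therefore applies to callers such as `OgnlReflectionProvider`. A replacement such as `/** Creates an OGNL context backed by the container's {@link SecurityMemberAccess} as configured, so allowlist enforcement applies to callers such as {@link OgnlReflectionProvider}. */` keeps that intent discoverable for the next maintainer. It is also worth confirming that `container.getInstance(SecurityMemberAccess.class)` hands back an instance that is safe to use per context; the removed code mutated the returned object, which only made sense if each call produced a fresh instance, and that assumption is now implicit rather than visible. The method's signature lies outside this hunk.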