Adds proper handling of primitive types

lukaszlenart · lukaszlenart · commit fbc780e779d9 · 2018-06-20T11:47:53.000+02:00
diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java b/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
@@ -133,15 +133,18 @@ protected boolean isPackageExcluded(Package targetPackage, Package memberPackage
             LOG.warn("The use of the default (unnamed) package is discouraged!");
         }
         
-        final String targetPackageName = targetPackage == null ? "" : targetPackage.getName();
-        final String memberPackageName = memberPackage == null ? "" : memberPackage.getName();
+        String targetPackageName = targetPackage == null ? "" : targetPackage.getName();
+        String memberPackageName = memberPackage == null ? "" : memberPackage.getName();
 
         for (Pattern pattern : excludedPackageNamePatterns) {
             if (pattern.matcher(targetPackageName).matches() || pattern.matcher(memberPackageName).matches()) {
                 return true;
             }
         }
 
+        targetPackageName = targetPackageName + ".";
+        memberPackageName = memberPackageName + ".";
+        
         for (String packageName: excludedPackageNames) {
             if (targetPackageName.startsWith(packageName) || targetPackageName.equals(packageName)
                     || memberPackageName.startsWith(packageName) || memberPackageName.equals(packageName)) {
diff --git a/core/src/main/resources/struts-default.xml b/core/src/main/resources/struts-default.xml
@@ -60,9 +60,8 @@
     <!-- this is simpler version of the above used with string comparison -->
     <constant name="struts.excludedPackageNames"
               value="
-                java.lang.,
                 ognl.,
-                javax,
+                javax.,
                 freemarker.core.,
                 freemarker.template.,
                 freemarker.ext.rhino.,
diff --git a/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java b/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
@@ -22,7 +22,6 @@
 import junit.framework.TestCase;
 
 import java.lang.reflect.Member;
-import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -62,7 +61,7 @@ public void testClassExclusion() throws Exception {
         String propertyName = "stringField";
         Member member = FooBar.class.getDeclaredMethod("get" + propertyName.substring(0, 1).toUpperCase() + propertyName.substring(1));
 
-        Set<Class<?>> excluded = new HashSet<Class<?>>();
+        Set<Class<?>> excluded = new HashSet<>();
         excluded.add(FooBar.class);
         sma.setExcludedClasses(excluded);
 
@@ -108,7 +107,7 @@ public void testInterfaceInheritanceExclusion() throws Exception {
         String propertyName = "barLogic";
         Member member = BarInterface.class.getMethod(propertyName);
 
-        Set<Class<?>> excluded = new HashSet<Class<?>>();
+        Set<Class<?>> excluded = new HashSet<>();
         excluded.add(BarInterface.class);
         sma.setExcludedClasses(excluded);
 
@@ -126,7 +125,7 @@ public void testMiddleOfInheritanceExclusion1() throws Exception {
         String propertyName = "fooLogic";
         Member member = FooBar.class.getMethod(propertyName);
 
-        Set<Class<?>> excluded = new HashSet<Class<?>>();
+        Set<Class<?>> excluded = new HashSet<>();
         excluded.add(BarInterface.class);
         sma.setExcludedClasses(excluded);
 
@@ -158,7 +157,7 @@ public void testMiddleOfInheritanceExclusion4() throws Exception {
         String propertyName = "barLogic";
         Member member = BarInterface.class.getMethod(propertyName);
 
-        Set<Class<?>> excluded = new HashSet<Class<?>>();
+        Set<Class<?>> excluded = new HashSet<>();
         excluded.add(FooBarInterface.class);
         sma.setExcludedClasses(excluded);
 
@@ -173,7 +172,7 @@ public void testPackageExclusion() throws Exception {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(false);
 
-        Set<Pattern> excluded = new HashSet<Pattern>();
+        Set<Pattern> excluded = new HashSet<>();
         excluded.add(Pattern.compile("^" + FooBar.class.getPackage().getName().replaceAll("\\.", "\\\\.") + ".*"));
         sma.setExcludedPackageNamePatterns(excluded);
 
@@ -191,7 +190,7 @@ public void testPackageNameExclusion() throws Exception {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(false);
 
-        Set<String> excluded = new HashSet<String>();
+        Set<String> excluded = new HashSet<>();
         excluded.add(FooBar.class.getPackage().getName());
         sma.setExcludedPackageNames(excluded);
 
@@ -205,11 +204,11 @@ public void testPackageNameExclusion() throws Exception {
         assertFalse("stringField is accessible!", actual);
     }
 
-    public void testDefaultPackageExclusion() throws Exception {
+    public void testDefaultPackageExclusion() {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(false);
 
-        Set<Pattern> excluded = new HashSet<Pattern>();
+        Set<Pattern> excluded = new HashSet<>();
         excluded.add(Pattern.compile("^" + FooBar.class.getPackage().getName().replaceAll("\\.", "\\\\.") + ".*"));
         sma.setExcludedPackageNamePatterns(excluded);
         
@@ -220,11 +219,11 @@ public void testDefaultPackageExclusion() throws Exception {
         assertFalse("default package is excluded!", actual);
     }
     
-    public void testDefaultPackageExclusion2() throws Exception {
+    public void testDefaultPackageExclusion2() {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(false);
 
-        Set<Pattern> excluded = new HashSet<Pattern>();
+        Set<Pattern> excluded = new HashSet<>();
         excluded.add(Pattern.compile("^$"));
         sma.setExcludedPackageNamePatterns(excluded);
         
@@ -317,10 +316,10 @@ public void testAccessPrimitiveInt() throws Exception {
     public void testAccessPrimitiveDoubleWithNames() throws Exception {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(false);
-        sma.setExcludedPackageNames(TextParseUtil.commaDelimitedStringToSet("java.lang.,ognl,javax"));
+        sma.setExcludedPackageNames(TextParseUtil.commaDelimitedStringToSet("ognl.,javax."));
 
 
-        Set<Class<?>> excluded = new HashSet<Class<?>>();
+        Set<Class<?>> excluded = new HashSet<>();
         excluded.add(Object.class);
         excluded.add(Runtime.class);
         excluded.add(System.class);
@@ -369,7 +368,7 @@ public void testAccessPrimitiveDoubleWithNames() throws Exception {
     public void testAccessPrimitiveDoubleWithPackageRegExs() throws Exception {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(false);
-        Set<Pattern> patterns = new HashSet<Pattern>();
+        Set<Pattern> patterns = new HashSet<>();
         patterns.add(Pattern.compile("^java\\.lang\\..*"));
         sma.setExcludedPackageNamePatterns(patterns);
 
@@ -386,7 +385,7 @@ public void testAccessPrimitiveDoubleWithPackageRegExs() throws Exception {
     public void testAccessMemberAccessIsAccessible() throws Exception {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(false);
-        Set<Class<?>> excluded = new HashSet<Class<?>>();
+        Set<Class<?>> excluded = new HashSet<>();
         excluded.add(ognl.MemberAccess.class);
         sma.setExcludedClasses(excluded);
 
@@ -404,7 +403,7 @@ public void testAccessMemberAccessIsAccessible() throws Exception {
     public void testAccessMemberAccessIsBlocked() throws Exception {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(false);
-        Set<Class<?>> excluded = new HashSet<Class<?>>();
+        Set<Class<?>> excluded = new HashSet<>();
         excluded.add(SecurityMemberAccess.class);
         sma.setExcludedClasses(excluded);
 
@@ -419,6 +418,21 @@ public void testAccessMemberAccessIsBlocked() throws Exception {
         assertFalse(accessible);
     }
 
+    public void testPackageNameExclusionAsCommaDelimited() {
+        // given
+        SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+
+        sma.setExcludedPackageNames(TextParseUtil.commaDelimitedStringToSet("java.lang."));
+
+        // when
+        boolean actual = sma.isPackageExcluded(String.class.getPackage(), null);
+        actual &= sma.isPackageExcluded(null, String.class.getPackage());
+
+        // then
+        assertTrue("package java.lang. is accessible!", actual);
+    }
+
 }
 
 class FooBar implements FooBarInterface {

Original file line number	Diff line number	Diff line change
`@@ -133,15 +133,18 @@ protected boolean isPackageExcluded(Package targetPackage, Package memberPackage`
`133`	`133`	`LOG.warn("The use of the default (unnamed) package is discouraged!");`
`134`	`134`	`}`
`135`	`135`
`136`		`- final String targetPackageName = targetPackage == null ? "" : targetPackage.getName();`
`137`		`- final String memberPackageName = memberPackage == null ? "" : memberPackage.getName();`
	`136`	`+ String targetPackageName = targetPackage == null ? "" : targetPackage.getName();`
	`137`	`+ String memberPackageName = memberPackage == null ? "" : memberPackage.getName();`
`138`	`138`
`139`	`139`	`for (Pattern pattern : excludedPackageNamePatterns) {`
`140`	`140`	`if (pattern.matcher(targetPackageName).matches() \|\| pattern.matcher(memberPackageName).matches()) {`
`141`	`141`	`return true;`
`142`	`142`	`}`
`143`	`143`	`}`
`144`	`144`
	`145`	`+ targetPackageName = targetPackageName + ".";`
	`146`	`+ memberPackageName = memberPackageName + ".";`
	`147`	`+`
`145`	`148`	`for (String packageName: excludedPackageNames) {`
`146`	`149`	`if (targetPackageName.startsWith(packageName) \|\| targetPackageName.equals(packageName)`
`147`	`150`	`\|\| memberPackageName.startsWith(packageName) \|\| memberPackageName.equals(packageName)) {`