Skip to content

WW-5350 Implement OGNL Allowlist capability #781

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
kusalk merged 2 commits into from
Nov 14, 2023
Merged

WW-5350 Implement OGNL Allowlist capability #781

kusalk merged 2 commits into from
Nov 14, 2023
+203 −17

Conversation

@kusalk
Copy link
Member

@kusalk kusalk commented Nov 5, 2023

WW-5350

Implementation for strict OGNL allowlist feature. It is up to the application to determine which classes/packages need to be allowlisted. The exclusion list will still take precedence (classes on the exclusion list cannot be allowlisted).

I hope to clean this implementation up and both OgnlUtil and SecurityMemberAccess up as part of WW-5343.

@kusalk kusalk marked this pull request as draft November 5, 2023 12:41
Base automatically changed from WW-5350-allowlist to master November 12, 2023 08:56
@kusalk kusalk marked this pull request as ready for review November 12, 2023 09:02
@kusalk kusalk requested a review from lukaszlenart November 12, 2023 09:02
@sonarqubecloud
Copy link

sonarqubecloud bot commented Nov 12, 2023

SonarCloud Quality Gate failed.    Quality Gate failed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 2 Code Smells

77.9% 77.9% Coverage
0.0% 0.0% Duplication

idea Catch issues before they fail your Quality Gate with our IDE extension sonarlint SonarLint

@lukaszlenart
Copy link
Member

lukaszlenart commented Nov 12, 2023

It would be good to document this new future to more visible to the users. Could you also add a section about this new allow list here?

@kusalk
Copy link
Member Author

kusalk commented Nov 12, 2023

@lukaszlenart Yep I'll add something about the OgnlGuard too

@kusalk
Copy link
Member Author

kusalk commented Nov 14, 2023

@lukaszlenart Going to merge this - but I haven't forgotten about the documentation - I will throw up a PR covering all new capabilities as soon as I've finished #791 :)

@kusalk kusalk merged commit 9f45983 into master Nov 14, 2023
@kusalk kusalk deleted the WW-5350-allowlist-2 branch November 14, 2023 13:39
@kusalk kusalk mentioned this pull request Jan 9, 2024
Merged
@lukaszlenart lukaszlenart mentioned this pull request May 12, 2024
Merged
copybara-service bot pushed a commit to google/bughunters that referenced this pull request Dec 10, 2024
@copybara-github
Patch Rewards Program submission for apache/struts#781
5c81264 
PiperOrigin-RevId: 704484456
@copybara-service copybara-service bot mentioned this pull request Dec 10, 2024
Merged
copybara-service bot pushed a commit to google/bughunters that referenced this pull request Dec 10, 2024
@copybara-github
Patch Rewards Program submission for apache/struts#781
08e6c56 
PiperOrigin-RevId: 704484456
copybara-service bot pushed a commit to google/bughunters that referenced this pull request Dec 11, 2024
@copybara-github
Patch Rewards Program submission for apache/struts#781
d46b7b6 
PiperOrigin-RevId: 704484456
copybara-service bot pushed a commit to google/bughunters that referenced this pull request Dec 11, 2024
@copybara-github
Patch Rewards Program submission for apache/struts#781
0f469c8 
PiperOrigin-RevId: 705145304
@Gowza68
Copy link

Gowza68 commented Sep 1, 2025

  • [ ]

@quansat775-ux
Copy link

quansat775-ux commented Jan 5, 2026

#1511

@quansat775-ux
Copy link

quansat775-ux commented Jan 5, 2026

#1509

asrar-mared
asrar-mared reviewed Jan 16, 2026
View reviewed changes
Copy link

@asrar-mared asrar-mared left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

الملفات المتغيره

core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java

private Container container;
private boolean allowStaticFieldAccess = true;
private boolean disallowProxyMemberAccess;
Copy link

@asrar-mared asrar-mared Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

variable files

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lukaszlenart lukaszlenart lukaszlenart approved these changes

+2 more reviewers

@asrar-mared asrar-mared asrar-mared left review comments

@Gowza68 Gowza68 Gowza68 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@kusalk @lukaszlenart @Gowza68 @quansat775-ux @asrar-mared