
Example 6 with StrutsDefaultConfigurationProvider

Use of `com.opensymphony.xwork2.config.providers.StrutsDefaultConfigurationProvider` in the Apache Struts project.

From class XWorkTestCaseHelper, method setUp.

/**
 * Builds a {@link ConfigurationManager} backed only by the default Struts provider and binds a
 * freshly created {@link ValueStack} to the current action context.
 *
 * <p>The manager is created under {@code Container.DEFAULT_NAME}, the configuration is pulled
 * from it, and the resulting container is used to create a new value stack whose action context
 * is bound with that container and stack. Callers receive the manager so they can tear it down.
 *
 * @return the configuration manager that owns the container the value stack was created from
 * @throws Exception if the configuration cannot be built
 */
public static ConfigurationManager setUp() throws Exception {
    ConfigurationManager manager = new ConfigurationManager(Container.DEFAULT_NAME);
    manager.addContainerProvider(new StrutsDefaultConfigurationProvider());

    Configuration configuration = manager.getConfiguration();
    Container ctr = configuration.getContainer();

    // Replace whatever value stack the context currently holds with a new one, and bind a
    // context that refers to this container and stack.
    ValueStackFactory factory = ctr.getInstance(ValueStackFactory.class);
    ValueStack freshStack = factory.createValueStack();
    freshStack.getActionContext()
            .withContainer(ctr)
            .withValueStack(freshStack)
            .bind();

    return manager;
}

Example 7 with StrutsDefaultConfigurationProvider

Use of `com.opensymphony.xwork2.config.providers.StrutsDefaultConfigurationProvider` in the Apache Struts project.

From class ValidateAction, method testInsecureParameters.

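/**
 * Verifies that {@code ParametersInterceptor} refuses request parameters whose <em>names</em> are
 * OGNL expressions rather than plain property paths, and that the target action is left untouched.
 *
 * <p>Three parameters are submitted whose names are expressions rather than property names. The
 * expected outcome is one {@code "Error setting expression ..."} action message per parameter,
 * checked here in the order {@code expression}, {@code name}, {@code top['name'](0)} (apparently
 * sorted by parameter name; the ordering is applied by the interceptor, not by this test), and a
 * {@code null} {@code name} property on the action, i.e. nothing was written through.
 *
 * <p>Uses the inherited {@code loadConfigurationProviders} and {@code container} members.
 *
 * @throws Exception if configuration loading or parameter application fails unexpectedly
 */
public void testInsecureParameters() throws Exception {
    // given
    loadConfigurationProviders(new StrutsDefaultConfigurationProvider(), new StrutsXmlConfigurationProvider("xwork-param-test.xml"));
    // A plain HashMap rather than double-brace initialisation: the anonymous HashMap subclass
    // captures the enclosing test instance and is flagged by Error Prone.
    final Map<String, Object> params = new HashMap<>();
    params.put("name", "(#context[\"xwork.MethodAccessor.denyMethodExecution\"]= new " + "java.lang.Boolean(false), #_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true), " + "@java.lang.Runtime@getRuntime().exec('mkdir /tmp/PWNAGE'))(meh)");
    params.put("top['name'](0)", "true");
    params.put("expression", "#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),#req=@org.apache.struts2.ServletActionContext@getRequest(),#resp=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#resp.println(#req.getRealPath('/')),#resp.close()");

    ParametersInterceptor pi = new ParametersInterceptor();
    container.inject(pi);
    ValueStack vs = ActionContext.getContext().getValueStack();

    // when
    ValidateAction action = new ValidateAction();
    pi.setParameters(action, vs, HttpParameters.create(params).build());

    // then: every parameter is reported as an error and none reaches the action
    assertEquals(3, action.getActionMessages().size());
    String msg1 = action.getActionMessage(0);
    String msg2 = action.getActionMessage(1);
    String msg3 = action.getActionMessage(2);
    assertEquals("Error setting expression 'expression' with value '#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),#req=@org.apache.struts2.ServletActionContext@getRequest(),#resp=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#resp.println(#req.getRealPath('/')),#resp.close()'", msg1);
    assertEquals("Error setting expression 'name' with value '(#context[\"xwork.MethodAccessor.denyMethodExecution\"]= new java.lang.Boolean(false), #_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true), @java.lang.Runtime@getRuntime().exec('mkdir /tmp/PWNAGE'))(meh)'", msg2);
    assertEquals("Error setting expression 'top['name'](0)' with value 'true'", msg3);
    // The rejected "name" parameter must not have been applied to the action.
    assertNull(action.getName());
}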

Example 8 with StrutsDefaultConfigurationProvider

Use of `com.opensymphony.xwork2.config.providers.StrutsDefaultConfigurationProvider` in the Apache Struts project.

From class ValidateAction, method testClassPollutionBlockedByOgnl.

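/**
 * Verifies that parameter names reaching into {@code class.classLoader} are still rejected when
 * the interceptor's exclusion pattern does <em>not</em> catch them.
 *
 * <p>The configuration {@code xwork-class-param-test.xml} is loaded, and {@code isExcluded} is
 * overridden only to record its verdict per parameter name. The assertions then show two things:
 * {@code isExcluded} returned {@code false} for all three names, yet each produced an
 * {@code "Error setting expression ..."} message. The rejection therefore happens after the
 * exclusion check; by the method's name this is attributed to OGNL's member access control
 * (NOTE(review): the mechanism itself is not visible here — confirm against the interceptor).
 *
 * <p>Messages are checked in the order {@code class.classLoader.defaultAssertionStatus},
 * {@code class.classLoader.jarPath}, {@code model.class.classLoader.jarPath}. Uses the inherited
 * {@code loadConfigurationProviders} and {@code container} members.
 *
 * @throws Exception if configuration loading or parameter application fails unexpectedly
 */
public void testClassPollutionBlockedByOgnl() throws Exception {
    // given
    final String pollution1 = "class.classLoader.jarPath";
    final String pollution2 = "model.class.classLoader.jarPath";
    final String pollution3 = "class.classLoader.defaultAssertionStatus";
    loadConfigurationProviders(new StrutsDefaultConfigurationProvider(), new StrutsXmlConfigurationProvider("xwork-class-param-test.xml"));
    // A plain HashMap rather than double-brace initialisation: the anonymous HashMap subclass
    // captures the enclosing test instance and is flagged by Error Prone.
    final Map<String, Object> params = new HashMap<>();
    params.put(pollution1, "bad");
    params.put(pollution2, "very bad");
    params.put(pollution3, true);

    // Records, per parameter name, whether the interceptor's exclusion pattern matched it.
    final Map<String, Boolean> excluded = new HashMap<>();
    ParametersInterceptor pi = new ParametersInterceptor() {

        @Override
        protected boolean isExcluded(String paramName) {
            boolean result = super.isExcluded(paramName);
            excluded.put(paramName, result);
            return result;
        }
    };
    container.inject(pi);
    ValueStack vs = ActionContext.getContext().getValueStack();

    // when
    ValidateAction action = new ValidateAction();
    pi.setParameters(action, vs, HttpParameters.create(params).build());

    // then: every parameter is reported as an error ...
    assertEquals(3, action.getActionMessages().size());
    String msg1 = action.getActionMessage(0);
    String msg2 = action.getActionMessage(1);
    String msg3 = action.getActionMessage(2);
    assertEquals("Error setting expression 'class.classLoader.defaultAssertionStatus' with value 'true'", msg1);
    assertEquals("Error setting expression 'class.classLoader.jarPath' with value 'bad'", msg2);
    assertEquals("Error setting expression 'model.class.classLoader.jarPath' with value 'very bad'", msg3);
    // ... even though none of the names was caught by the exclusion pattern.
    assertFalse(excluded.get(pollution1));
    assertFalse(excluded.get(pollution2));
    assertFalse(excluded.get(pollution3));
}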

Example 9 with StrutsDefaultConfigurationProvider

Use of `com.opensymphony.xwork2.config.providers.StrutsDefaultConfigurationProvider` in the Apache Struts project.

From class ValidateAction, method testArrayClassPollutionBlockedByPattern.

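/**
 * Verifies that the interceptor's exclusion pattern catches {@code class.classLoader} access in
 * both dotted and bracketed (single- and double-quoted) spellings, with and without a
 * {@code model.} prefix.
 *
 * <p>{@code isExcluded} is overridden only to record its verdict per parameter name. The
 * assertions expect {@code true} for all six spellings and no action messages at all: an
 * excluded parameter is dropped before any attempt to set it, so unlike the OGNL-blocked case
 * nothing is reported. Uses the inherited {@code loadConfigurationProviders} and
 * {@code container} members.
 *
 * @throws Exception if configuration loading or parameter application fails unexpectedly
 */
public void testArrayClassPollutionBlockedByPattern() throws Exception {
    // given
    final String pollution1 = "model.class.classLoader.jarPath";
    final String pollution2 = "model['class']['classLoader']['jarPath']";
    final String pollution3 = "model[\"class\"]['classLoader']['jarPath']";
    final String pollution4 = "class.classLoader.jarPath";
    final String pollution5 = "class['classLoader']['jarPath']";
    final String pollution6 = "class[\"classLoader\"]['jarPath']";
    loadConfigurationProviders(new StrutsDefaultConfigurationProvider(), new StrutsXmlConfigurationProvider("xwork-param-test.xml"));
    // A plain HashMap rather than double-brace initialisation: the anonymous HashMap subclass
    // captures the enclosing test instance and is flagged by Error Prone.
    final Map<String, Object> params = new HashMap<>();
    params.put(pollution1, "bad");
    params.put(pollution2, "bad");
    params.put(pollution3, "bad");
    params.put(pollution4, "bad");
    params.put(pollution5, "bad");
    params.put(pollution6, "bad");

    // Records, per parameter name, whether the interceptor's exclusion pattern matched it.
    final Map<String, Boolean> excluded = new HashMap<>();
    ParametersInterceptor pi = new ParametersInterceptor() {

        @Override
        protected boolean isExcluded(String paramName) {
            boolean result = super.isExcluded(paramName);
            excluded.put(paramName, result);
            return result;
        }
    };
    container.inject(pi);
    ValueStack vs = ActionContext.getContext().getValueStack();

    // when
    ValidateAction action = new ValidateAction();
    pi.setParameters(action, vs, HttpParameters.create(params).build());

    // then: nothing is reported because every name was excluded up front
    assertEquals(0, action.getActionMessages().size());
    assertTrue(excluded.get(pollution1));
    assertTrue(excluded.get(pollution2));
    assertTrue(excluded.get(pollution3));
    assertTrue(excluded.get(pollution4));
    assertTrue(excluded.get(pollution5));
    assertTrue(excluded.get(pollution6));
}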

Example 10 with StrutsDefaultConfigurationProvider

Use of `com.opensymphony.xwork2.config.providers.StrutsDefaultConfigurationProvider` in the Apache Struts project.

From class ValidateAction, method testClassPollutionBlockedByPattern.

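/**
 * Verifies that the interceptor's exclusion pattern catches dotted {@code class.classLoader}
 * parameter names, both bare and under a {@code model.} prefix.
 *
 * <p>{@code isExcluded} is overridden only to record its verdict per parameter name. The
 * assertions expect {@code true} for both names and no action messages: an excluded parameter is
 * dropped before any attempt to set it, so nothing is reported. Uses the inherited
 * {@code loadConfigurationProviders} and {@code container} members.
 *
 * @throws Exception if configuration loading or parameter application fails unexpectedly
 */
public void testClassPollutionBlockedByPattern() throws Exception {
    // given
    final String pollution1 = "class.classLoader.jarPath";
    final String pollution2 = "model.class.classLoader.jarPath";
    loadConfigurationProviders(new StrutsDefaultConfigurationProvider(), new StrutsXmlConfigurationProvider("xwork-param-test.xml"));
    // A plain HashMap rather than double-brace initialisation: the anonymous HashMap subclass
    // captures the enclosing test instance and is flagged by Error Prone.
    final Map<String, Object> params = new HashMap<>();
    params.put(pollution1, "bad");
    params.put(pollution2, "very bad");

    // Records, per parameter name, whether the interceptor's exclusion pattern matched it.
    final Map<String, Boolean> excluded = new HashMap<>();
    ParametersInterceptor pi = new ParametersInterceptor() {

        @Override
        protected boolean isExcluded(String paramName) {
            boolean result = super.isExcluded(paramName);
            excluded.put(paramName, result);
            return result;
        }
    };
    container.inject(pi);
    ValueStack vs = ActionContext.getContext().getValueStack();

    // when
    ValidateAction action = new ValidateAction();
    pi.setParameters(action, vs, HttpParameters.create(params).build());

    // then: nothing is reported because both names were excluded up front
    assertEquals(0, action.getActionMessages().size());
    assertTrue(excluded.get(pollution1));
    assertTrue(excluded.get(pollution2));
}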
