Merge master into 7-0-x branch - 2024-02-01

.github/workflows/scorecards-analysis.yaml

@@ -58,7 +58,7 @@ jobs:
           publish_results: true
 
       - name: "Upload artifact"
-        uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595    # 4.1.0
+        uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8    # 4.3.0
         with:
           name: SARIF file
           path: results.sarif

.github/workflows/sonar.yml

@@ -32,6 +32,7 @@ jobs:
   sonarcloud:
     name: Scan
     runs-on: ubuntu-latest
+    if: ${{ !github.event.pull_request.head.repo.fork }}
     steps:
       - uses: actions/checkout@v4
         with:

Jenkinsfile

@@ -67,7 +67,7 @@ pipeline {
         MAVEN_OPTS = "-Xmx1024m"
       }
       stages {
-        stage('Test') {
+        stage('Test & Coverage') {
           steps {
             sh './mvnw -B verify -Pcoverage -DskipAssembly --no-transfer-progress'
           }
@@ -86,7 +86,7 @@ pipeline {
           }
           steps {
             withCredentials([string(credentialsId: 'asf-struts-sonarcloud', variable: 'SONARCLOUD_TOKEN')]) {
-              sh './mvnw -B -Pcoverage -DskipAssembly -Dsonar.login=${SONARCLOUD_TOKEN} verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar'
+              sh './mvnw -B -Pcoverage -DskipAssembly -Dsonar.login=${SONARCLOUD_TOKEN} verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar --no-transfer-progress'
             }
           }
         }
@@ -100,7 +100,7 @@ pipeline {
             dir("local-snapshots-dir/") {
               deleteDir()
             }
-            sh './mvnw -B source:jar javadoc:jar -DskipTests -DskipAssembly'
+            sh './mvnw -B source:jar javadoc:jar -DskipTests -DskipAssembly --no-transfer-progress'
           }
         }
         stage('Deploy Snapshot') {
@@ -111,7 +111,7 @@ pipeline {
           }
           steps {
             withCredentials([file(credentialsId: 'lukaszlenart-repository-access-token', variable: 'CUSTOM_SETTINGS')]) {
-              sh './mvnw -s \${CUSTOM_SETTINGS} deploy -DskipTests -DskipAssembly'
+              sh './mvnw -s \${CUSTOM_SETTINGS} deploy -DskipTests -DskipAssembly --no-transfer-progress'
             }
           }
         }
@@ -123,7 +123,7 @@ pipeline {
             }
           }
           steps {
-            sh './mvnw -B package -DskipTests'
+            sh './mvnw -B package -DskipTests --no-transfer-progress'
             sshPublisher(publishers: [
                 sshPublisherDesc(
                     configName: 'Nightlies',

SECURITY.md

@@ -2,13 +2,13 @@
 
 ## Supported Versions
 
-Please vist the [Releases](https://struts.apache.org/releases.html#prior-releases) page to see full information about each version 
+Please visit the [Releases](https://struts.apache.org/releases.html#prior-releases) page to see full information about each version 
 and what potential vulnerability it can have:
 
 | Version | Supported          |
-| ------- | ------------------ |
-| 6.0.0   | :white_check_mark: |
-| 2.5.30  | :white_check_mark: |
+|---------|--------------------|
+| 6.x     | :white_check_mark: |
+| 2.5.x   | :white_check_mark: |
 
 ## Reporting New Security Issues with thr Apache Struts
 
@@ -28,8 +28,8 @@ All mail sent to this address that does not relate to security problems in the A
 ```
 
 Note that all networked servers are subject to denial of service attacks, and we cannot promise magic
-workarounds to generic problems (such as a client streaming lots of data to your server, or re-requesting
-the same URL repeatedly). In general our philosophy is to avoid any attacks which can cause the server
+workarounds to generic problems (such as a client streaming lots of data to your server, or requesting
+the same URL repeatedly). In general, our philosophy is to avoid any attacks that can cause the server
 to consume resources in a non-linear relationship to the size of inputs.
 
 The mailing address is: [[email protected]](mailto:[email protected])

apps/showcase/src/main/java/org/apache/struts2/showcase/UITagExample.java

@@ -24,9 +24,15 @@
 import com.opensymphony.xwork2.Validateable;
 import com.opensymphony.xwork2.util.ValueStack;
 import org.apache.struts2.ServletActionContext;
+import org.apache.struts2.interceptor.parameter.StrutsParameter;
 
 import java.io.File;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
 
 /**
  */
@@ -89,6 +95,7 @@ public List getLeftSideCartoonCharacters() {
 		return leftSideCartoonCharacters;
 	}
 
+	@StrutsParameter
 	public void setLeftSideCartoonCharacters(List leftSideCartoonCharacters) {
 		this.leftSideCartoonCharacters = leftSideCartoonCharacters;
 	}
@@ -98,6 +105,7 @@ public List getRightSideCartoonCharacters() {
 		return rightSideCartoonCharacters;
 	}
 
+	@StrutsParameter
 	public void setRightSideCartoonCharacters(List rightSideCartoonCharacters) {
 		this.rightSideCartoonCharacters = rightSideCartoonCharacters;
 	}
@@ -107,6 +115,7 @@ public String getFavouriteVehicalType() {
 		return favouriteVehicalType;
 	}
 
+	@StrutsParameter
 	public void setFavouriteVehicalType(String favouriteVehicalType) {
 		this.favouriteVehicalType = favouriteVehicalType;
 	}
@@ -115,6 +124,7 @@ public String getFavouriteVehicalSpecific() {
 		return favouriteVehicalSpecific;
 	}
 
+	@StrutsParameter
 	public void setFavouriteVehicalSpecific(String favouriteVehicalSpecific) {
 		this.favouriteVehicalSpecific = favouriteVehicalSpecific;
 	}
@@ -145,6 +155,7 @@ public String getName() {
 		return name;
 	}
 
+	@StrutsParameter
 	public void setName(String name) {
 		this.name = name;
 	}
@@ -153,6 +164,7 @@ public Date getBirthday() {
 		return birthday;
 	}
 
+	@StrutsParameter
 	public void setBirthday(Date birthday) {
 		this.birthday = birthday;
 	}
@@ -161,6 +173,7 @@ public String getBio() {
 		return bio;
 	}
 
+	@StrutsParameter
 	public void setBio(String bio) {
 		this.bio = bio;
 	}
@@ -169,6 +182,7 @@ public String getFavouriteColor() {
 		return favouriteColor;
 	}
 
+	@StrutsParameter
 	public void setFavouriteColor(String favoriteColor) {
 		this.favouriteColor = favoriteColor;
 	}
@@ -177,6 +191,7 @@ public List getFriends() {
 		return friends;
 	}
 
+	@StrutsParameter
 	public void setFriends(List friends) {
 		this.friends = friends;
 	}
@@ -193,6 +208,7 @@ public boolean isLegalAge() {
 		return legalAge;
 	}
 
+	@StrutsParameter
 	public void setLegalAge(boolean legalAge) {
 		this.legalAge = legalAge;
 	}
@@ -201,6 +217,7 @@ public String getState() {
 		return state;
 	}
 
+	@StrutsParameter
 	public void setState(String state) {
 		this.state = state;
 	}
@@ -209,6 +226,7 @@ public String getRegion() {
 		return region;
 	}
 
+	@StrutsParameter
 	public void setRegion(String region) {
 		this.region = region;
 	}
@@ -229,6 +247,7 @@ public void setPictureFileName(String pictureFileName) {
 		this.pictureFileName = pictureFileName;
 	}
 
+	@StrutsParameter
 	public void setFavouriteLanguage(String favouriteLanguage) {
 		this.favouriteLanguage = favouriteLanguage;
 	}
@@ -237,7 +256,7 @@ public String getFavouriteLanguage() {
 		return favouriteLanguage;
 	}
 
-
+	@StrutsParameter
 	public void setThoughts(String thoughts) {
 		this.thoughts = thoughts;
 	}
@@ -250,6 +269,7 @@ public Date getWakeup() {
 		return wakeup;
 	}
 
+	@StrutsParameter
 	public void setWakeup(Date wakeup) {
 		this.wakeup = wakeup;
 	}

apps/showcase/src/main/java/org/apache/struts2/showcase/action/ParamsAnnotationAction.java

@@ -0,0 +1,133 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.struts2.showcase.action;
+
+import com.opensymphony.xwork2.ActionSupport;
+import org.apache.struts2.interceptor.parameter.StrutsParameter;
+import org.apache.struts2.showcase.model.MyDto;
+
+import java.lang.reflect.Field;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import static java.util.Collections.singletonList;
+import static java.util.Collections.singletonMap;
+
+/**
+ * This class supports {@link com.atlassian.confluence.stateless.webdriver.selenium3.security.StrutsParametersTest}
+ * which prevents critical security regressions. Do NOT modify without understanding the motivation behind the tests and
+ * the implications of any changes.
+ */
+public class ParamsAnnotationAction extends ActionSupport {
+
+    @StrutsParameter
+    public String varToPrint;
+
+    public String publicField = "no";
+
+    @StrutsParameter
+    public String publicFieldAnnotated = "no";
+
+    private String privateField = "no";
+
+    public int[] publicArray = new int[]{0};
+
+    @StrutsParameter(depth = 1)
+    public int[] publicArrayAnnotated = new int[]{0};
+
+    public List<String> publicList = new ArrayList<>(singletonList("no"));
+
+    @StrutsParameter(depth = 1)
+    public List<String> publicListAnnotated = new ArrayList<>(singletonList("no"));
+
+    private List<String> privateList = new ArrayList<>(singletonList("no"));
+
+    public Map<String, String> publicMap = new HashMap<>(singletonMap("key", "no"));
+
+    @StrutsParameter(depth = 1)
+    public Map<String, String> publicMapAnnotated = new HashMap<>(singletonMap("key", "no"));
+
+    public MyDto publicMyDto = new MyDto();
+
+    @StrutsParameter(depth = 2)
+    public MyDto publicMyDtoAnnotated = new MyDto();
+
+    @StrutsParameter(depth = 1)
+    public MyDto publicMyDtoAnnotatedDepthOne = new MyDto();
+
+    private MyDto privateMyDto = new MyDto();
+
+    public void setPrivateFieldMethod(String privateField) {
+        this.privateField = privateField;
+    }
+
+    @StrutsParameter
+    public void setPrivateFieldMethodAnnotated(String privateField) {
+        this.privateField = privateField;
+    }
+
+    public List<String> getPrivateListMethod() {
+        return privateList;
+    }
+
+    @StrutsParameter(depth = 1)
+    public List<String> getPrivateListMethodAnnotated() {
+        return privateList;
+    }
+
+    public MyDto getUnsafeMethodMyDto() {
+        return privateMyDto;
+    }
+
+    @StrutsParameter(depth = 2)
+    public MyDto getSafeMethodMyDto() {
+        return privateMyDto;
+    }
+
+    @StrutsParameter(depth = 1)
+    public MyDto getSafeMethodMyDtoDepthOne() {
+        return privateMyDto;
+    }
+
+    public String renderVarToPrint() throws ReflectiveOperationException {
+        if (varToPrint == null) {
+            return "null";
+        }
+        Field field = this.getClass().getDeclaredField(varToPrint);
+        field.setAccessible(true);
+        try {
+            return String.format("%s{%s}", varToPrint,
+                    field.getType().isArray() ? stringifyArray(field.get(this)) : field.get(this));
+        } finally {
+            field.setAccessible(false);
+        }
+    }
+
+    private String stringifyArray(Object array) {
+        switch (array.getClass().getComponentType().getName()) {
+            case "int":
+                return Arrays.toString((int[]) array);
+            default:
+                return "TODO";
+        }
+    }
+}

apps/showcase/src/main/java/org/apache/struts2/showcase/action/SkillAction.java

@@ -21,6 +21,7 @@
 import com.opensymphony.xwork2.Preparable;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.apache.struts2.interceptor.parameter.StrutsParameter;
 import org.apache.struts2.showcase.dao.Dao;
 import org.apache.struts2.showcase.dao.SkillDao;
 import org.apache.struts2.showcase.model.Skill;
@@ -71,6 +72,7 @@ protected Dao getDao() {
 		return skillDao;
 	}
 
+	@StrutsParameter(depth = 1)
 	public Skill getCurrentSkill() {
 		return currentSkill;
 	}

apps/showcase/src/main/java/org/apache/struts2/showcase/async/ChatRoomAction.java

@@ -19,6 +19,7 @@
 package org.apache.struts2.showcase.async;
 
 import com.opensymphony.xwork2.ActionSupport;
+import org.apache.struts2.interceptor.parameter.StrutsParameter;
 
 import java.util.ArrayList;
 import java.util.List;
@@ -34,10 +35,12 @@ public class ChatRoomAction extends ActionSupport {
 
     private static final List<String> messages = new ArrayList<>();
 
+    @StrutsParameter
     public void setMessage(String message) {
         this.message = message;
     }
 
+    @StrutsParameter
     public void setLastIndex(Integer lastIndex) {
         this.lastIndex = lastIndex;
     }