From ce4015739a1bc7458048ded66445d44adeb32f7e Mon Sep 17 00:00:00 2001
From: Lukasz Lenart
Date: Mon, 31 Jul 2023 10:39:02 +0200
Subject: [PATCH] Extends exclusion list
---
 .../opensymphony/xwork2/ognl/OgnlUtil.java | 2 +-
 .../resources/struts-excluded-classes.xml | 4 +-
 .../xwork2/ognl/OgnlUtilTest.java | 37 ++++++++++++++++---
 3 files changed, 35 insertions(+), 8 deletions(-)
diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
index ecd226d394..8c17902290 100644
--- a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
+++ b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
@@ -194,7 +194,7 @@ private Set> parseClasses(String commaDelimitedClasses) {
 try {
 classes.add(Class.forName(className));
 } catch (ClassNotFoundException e) {
- LOG.warn("Class: {} doesn't exist, ignoring it!", className);
+ throw new ConfigurationException("Cannot load class for exclusion/exemption configuration: " + className, e);
 }
 }
diff --git a/core/src/main/resources/struts-excluded-classes.xml b/core/src/main/resources/struts-excluded-classes.xml
index 2c8c6cdb50..294e2399b9 100644
--- a/core/src/main/resources/struts-excluded-classes.xml
+++ b/core/src/main/resources/struts-excluded-classes.xml
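Review bot: `Class.forName(className)` on the context line above the new `throw` initializes every class named in the exclusion/exemption lists (single-argument `forName` runs static initializers) and resolves names only through OgnlUtil's defining class loader, so with the new fail-fast `ConfigurationException` an entry for a class that only the web-app loader can see now aborts startup instead of being denied. Failing closed is the right change — the old `LOG.warn` left a mistyped or missing class reachable while the log looked benign — but the lookup should neither run `<clinit>` of a gadget class nor depend on a single loader: `ClassLoader cl = Thread.currentThread().getContextClassLoader();` then `classes.add(Class.forName(className, false, cl != null ? cl : OgnlUtil.class.getClassLoader()));`. Whether the context loader actually differs from OgnlUtil's in the supported containers is inferred from typical deployments, not from this hunk, so confirm that before changing the loader. `parseClasses` starts before this hunk; only its signature is visible in the `@@` context.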
@@ -38,8 +38,8 @@ java.lang.Thread,
 sun.misc.Unsafe,
 com.opensymphony.xwork2.ActionContext,
- org.apache.commons.collections.BeanMap,
- org.apache.commons.beanutils.BeanMap"/>
+ com.opensymphony.xwork2.ognl.SecurityMemberAccess,
+ com.opensymphony.xwork2.ognl.OgnlValueStack"/>
context = ognlUtil.createDefaultContext(foo);
+
+ String expression = "%{\n" +
+ "(#request.a=#@org.apache.commons.collections.BeanMap@{}) +\n" +
+ "(#request.a.setBean(#request.get('struts.valueStack')) == true) +\n" +
+ "(#request.b=#@org.apache.commons.collections.BeanMap@{}) +\n" +
+ "(#request.b.setBean(#request.get('a').get('context'))) +\n" +
+ "(#request.c=#@org.apache.commons.collections.BeanMap@{}) +\n" +
+ "(#request.c.setBean(#request.get('b').get('memberAccess'))) +\n" +
+ "(#request.get('c').put('excluded'+'PackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet())) +\n" +
+ "(#request.get('c').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet()))\n" +
+ "}";
+
+ ognlUtil.setValue("title", context, foo, expression);
+
+ assertEquals(foo.getTitle(), expression);
+
+ SecurityMemberAccess sma = (SecurityMemberAccess) ((OgnlContext) context).getMemberAccess();
+ assertTrue(sma.isClassExcluded(SecurityMemberAccess.class));
+ }
+
 public void testNullProperties() {
 Foo foo = new Foo();
 foo.setALong(88);
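Review bot: Dropping `org.apache.commons.collections.BeanMap` and `org.apache.commons.beanutils.BeanMap` from the default deny list narrows the defense: the gadget the new test constructs with `#@org.apache.commons.collections.BeanMap@{}` becomes instantiable again, and protection now rests entirely on the two newly added targets, `SecurityMemberAccess` and `OgnlValueStack`, being denied. This looks like a deliberate shift from blocking the reflective proxy to blocking what it reaches — presumably because `parseClasses` in OgnlUtil now throws on a name that is absent from the classpath, which a default list naming optional-dependency classes could not survive — but neither the commit message nor the file records that reasoning, and a list that silently stops naming a known accessor will read as an oversight to the next maintainer. If the BeanMap entries cannot remain, add an XML comment beside the new entries, e.g. `<!-- BeanMap (commons-collections/beanutils) is not listed: it is an optional dependency and unresolvable names now fail configuration; its reachable targets OgnlValueStack and SecurityMemberAccess are excluded instead -->`, and consider a name-based exclusion so optional gadgets can still be denied without having to be loadable. The `@@` header counts 8 lines per side but only 5 are visible, so this hunk's trailing context appears to have been lost in rendering and cannot be reviewed here.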
@@ -1834,19 +1861,19 @@ public void testOgnlDefaultCacheFactoryCoverage() {
 defaultOgnlCacheFactory.setUseLRUCache("false");
 ognlCache = defaultOgnlCacheFactory.buildOgnlCache();
 assertNotNull("No param build method result null ?", ognlCache);
- assertEquals("Eviction limit for cache mismatches limit for factory ?", 12, ognlCache.getEvictionLimit() );
+ assertEquals("Eviction limit for cache mismatches limit for factory ?", 12, ognlCache.getEvictionLimit());
 ognlCache = defaultOgnlCacheFactory.buildOgnlCache(6, 6, 0.75f, false);
 assertNotNull("No param build method result null ?", ognlCache);
- assertEquals("Eviction limit for cache mismatches limit for factory ?", 6, ognlCache.getEvictionLimit() );
+ assertEquals("Eviction limit for cache mismatches limit for factory ?", 6, ognlCache.getEvictionLimit());
 // LRU cache
 defaultOgnlCacheFactory.setCacheMaxSize("30");
 defaultOgnlCacheFactory.setUseLRUCache("true");
 ognlCache = defaultOgnlCacheFactory.buildOgnlCache();
 assertNotNull("No param build method result null ?", ognlCache);
- assertEquals("Eviction limit for cache mismatches limit for factory ?", 30, ognlCache.getEvictionLimit() );
+ assertEquals("Eviction limit for cache mismatches limit for factory ?", 30, ognlCache.getEvictionLimit());
 ognlCache = defaultOgnlCacheFactory.buildOgnlCache(15, 15, 0.75f, false);
 assertNotNull("No param build method result null ?", ognlCache);
- assertEquals("Eviction limit for cache mismatches limit for factory ?", 15, ognlCache.getEvictionLimit() );
+ assertEquals("Eviction limit for cache mismatches limit for factory ?", 15, ognlCache.getEvictionLimit());
 }
 /**