Adds a constant to control when proxy can be accessed

Author: lukaszlenart

core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java

@@ -28,6 +28,7 @@
 import org.apache.commons.lang3.BooleanUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.apache.struts2.StrutsConstants;
 
 import java.beans.BeanInfo;
 import java.beans.IntrospectionException;
@@ -64,6 +65,7 @@ public class OgnlUtil {
 
     private Container container;
     private boolean allowStaticMethodAccess;
+    private boolean disallowProxyMemberAccess;
 
     @Inject
     public void setXWorkConverter(XWorkConverter conv) {
@@ -144,6 +146,15 @@ public void setAllowStaticMethodAccess(String allowStaticMethodAccess) {
         this.allowStaticMethodAccess = Boolean.parseBoolean(allowStaticMethodAccess);
     }
 
+    @Inject(value = StrutsConstants.STRUTS_DISALLOW_PROXY_MEMBER_ACCESS, required = false)
+    public void setDisallowProxyMemberAccess(String disallowProxyMemberAccess) {
+        this.disallowProxyMemberAccess = Boolean.parseBoolean(disallowProxyMemberAccess);
+    }
+
+    public boolean isDisallowProxyMemberAccess() {
+        return disallowProxyMemberAccess;
+    }
+
     /**
      * Sets the object's properties using the default type converter, defaulting to not throw
      * exceptions for problems setting the properties.
@@ -679,6 +690,7 @@ protected Map createDefaultContext(Object root, ClassResolver classResolver) {
         memberAccess.setExcludedClasses(excludedClasses);
         memberAccess.setExcludedPackageNamePatterns(excludedPackageNamePatterns);
         memberAccess.setExcludedPackageNames(excludedPackageNames);
+        memberAccess.setDisallowProxyMemberAccess(disallowProxyMemberAccess);
 
         return Ognl.createDefaultContext(root, resolver, defaultConverter, memberAccess);
     }

core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java

@@ -84,6 +84,7 @@ public void setOgnlUtil(OgnlUtil ognlUtil) {
         securityMemberAccess.setExcludedClasses(ognlUtil.getExcludedClasses());
         securityMemberAccess.setExcludedPackageNamePatterns(ognlUtil.getExcludedPackageNamePatterns());
         securityMemberAccess.setExcludedPackageNames(ognlUtil.getExcludedPackageNames());
+        securityMemberAccess.setDisallowProxyMemberAccess(ognlUtil.isDisallowProxyMemberAccess());
     }
 
     protected void setRoot(XWorkConverter xworkConverter, CompoundRootAccessor accessor, CompoundRoot compoundRoot,

core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java

@@ -41,6 +41,7 @@ public class SecurityMemberAccess extends DefaultMemberAccess {
     private Set<Class<?>> excludedClasses = Collections.emptySet();
     private Set<Pattern> excludedPackageNamePatterns = Collections.emptySet();
     private Set<String> excludedPackageNames = Collections.emptySet();
+    private boolean disallowProxyMemberAccess;
 
     public SecurityMemberAccess(boolean method) {
         super(false);
@@ -85,7 +86,7 @@ public boolean isAccessible(Map context, Object target, Member member, String pr
             return false;
         }
 
-        if (ProxyUtil.isProxyMember(member, target)) {
+        if (disallowProxyMemberAccess && ProxyUtil.isProxyMember(member, target)) {
             LOG.warn("Access to proxy [{}] is blocked!", member);
             return false;
         }
@@ -212,4 +213,8 @@ public void setExcludedPackageNamePatterns(Set<Pattern> excludedPackageNamePatte
     public void setExcludedPackageNames(Set<String> excludedPackageNames) {
         this.excludedPackageNames = excludedPackageNames;
     }
+
+    public void setDisallowProxyMemberAccess(boolean disallowProxyMemberAccess) {
+        this.disallowProxyMemberAccess = disallowProxyMemberAccess;
+    }
 }

core/src/main/java/org/apache/struts2/StrutsConstants.java

@@ -325,4 +325,6 @@ public final class StrutsConstants {
     public static final String STRUTS_TEXT_PROVIDER_FACTORY = "struts.textProviderFactory";
 
     public static final String STRUTS_LOCALIZED_TEXT_PROVIDER = "struts.localizedTextProvider";
+
+    public static final String STRUTS_DISALLOW_PROXY_MEMBER_ACCESS = "struts.disallowProxyMemberAccess";
 }

core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessProxyTest.java

@@ -0,0 +1,49 @@
+package com.opensymphony.xwork2.ognl;
+
+import java.lang.reflect.Member;
+import java.util.HashMap;
+import java.util.Map;
+
+import com.opensymphony.xwork2.ActionProxy;
+import com.opensymphony.xwork2.XWorkTestCase;
+import com.opensymphony.xwork2.config.providers.XmlConfigurationProvider;
+
+public class SecurityMemberAccessProxyTest extends XWorkTestCase {
+    private Map<String, Object> context;
+
+    @Override
+    public void setUp() throws Exception {
+        super.setUp();
+
+        context = new HashMap<>();
+        // Set up XWork
+        XmlConfigurationProvider provider = new XmlConfigurationProvider("com/opensymphony/xwork2/spring/actionContext-xwork.xml");
+        container.inject(provider);
+        loadConfigurationProviders(provider);
+    }
+
+    public void testProxyAccessIsBlocked() throws Exception {
+        ActionProxy proxy = actionProxyFactory.createActionProxy(null,
+                "chaintoAOPedTestSubBeanAction", null, context);
+
+        SecurityMemberAccess sma = new SecurityMemberAccess(false);
+        sma.setDisallowProxyMemberAccess(true);
+
+        Member member = proxy.getAction().getClass().getMethod("isExposeProxy");
+
+        boolean accessible = sma.isAccessible(context, proxy.getAction(), member, "");
+        assertFalse(accessible);
+    }
+
+    public void testProxyAccessIsAccessible() throws Exception {
+        ActionProxy proxy = actionProxyFactory.createActionProxy(null,
+                "chaintoAOPedTestSubBeanAction", null, context);
+
+        SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+        Member member = proxy.getAction().getClass().getMethod("isExposeProxy");
+
+        boolean accessible = sma.isAccessible(context, proxy.getAction(), member, "");
+        assertTrue(accessible);
+    }
+}

core/src/test/resources/com/opensymphony/xwork2/spring/actionContext-xwork.xml

@@ -2,6 +2,7 @@
 <xwork>
 	<bean type="com.opensymphony.xwork2.ObjectFactory" class="com.opensymphony.xwork2.spring.SpringObjectFactory" />
 	<constant name="applicationContextPath" value="com/opensymphony/xwork2/spring/actionContext-spring.xml" />
+    <constant name="struts.disallowProxyMemberAccess" value="true" />
     <package name="default">
         <result-types>
             <result-type name="null" class="com.opensymphony.xwork2.mock.MockResult" default="true"/>

plugins/spring/src/main/resources/struts-plugin.xml

@@ -35,6 +35,8 @@
     <constant name="struts.class.reloading.acceptClasses" value="" />
     <constant name="struts.class.reloading.reloadConfig" value="false" />
 
+    <constant name="struts.disallowProxyMemberAccess" value="true" />
+
     <package name="spring-default">
         <interceptors>
             <interceptor name="autowiring" class="com.opensymphony.xwork2.spring.interceptor.ActionAutowiringInterceptor"/>