From dbd74ae3a3cc65b3b09f31278ec6f17a0ba4366f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Jul 2024 01:29:50 +0000 Subject: [PATCH 01/24] Bump org.apache.maven.plugins:maven-project-info-reports-plugin Bumps [org.apache.maven.plugins:maven-project-info-reports-plugin](https://github.com/apache/maven-project-info-reports-plugin) from 3.5.0 to 3.6.2. - [Commits](https://github.com/apache/maven-project-info-reports-plugin/compare/maven-project-info-reports-plugin-3.5.0...maven-project-info-reports-plugin-3.6.2) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-project-info-reports-plugin dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 1232100392..a223dc2221 100644 --- a/pom.xml +++ b/pom.xml @@ -249,7 +249,7 @@ org.apache.maven.plugins maven-project-info-reports-plugin - 3.5.0 + 3.6.2 org.apache.maven.plugins From 8c10a303d0af828c9dbed6250077deaa0b27082b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Jul 2024 01:29:54 +0000 Subject: [PATCH 02/24] Bump org.owasp:dependency-check-maven from 9.2.0 to 10.0.3 Bumps [org.owasp:dependency-check-maven](https://github.com/jeremylong/DependencyCheck) from 9.2.0 to 10.0.3. - [Release notes](https://github.com/jeremylong/DependencyCheck/releases) - [Changelog](https://github.com/jeremylong/DependencyCheck/blob/main/CHANGELOG.md) - [Commits](https://github.com/jeremylong/DependencyCheck/compare/v9.2.0...v10.0.3) --- updated-dependencies: - dependency-name: org.owasp:dependency-check-maven dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/pom.xml b/pom.xml index 1232100392..f796c9755a 100644 --- a/pom.xml +++ b/pom.xml @@ -341,7 +341,7 @@ org.owasp dependency-check-maven - 9.2.0 + 10.0.3 src/etc/project-suppression.xml From 7e5e49e81194feeaef8540b615c56f7a3b829877 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Jul 2024 01:30:09 +0000 Subject: [PATCH 03/24] Bump org.apache.commons:commons-lang3 from 3.14.0 to 3.15.0 Bumps org.apache.commons:commons-lang3 from 3.14.0 to 3.15.0. --- updated-dependencies: - dependency-name: org.apache.commons:commons-lang3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 1232100392..d181a9d216 100644 --- a/pom.xml +++ b/pom.xml @@ -866,7 +866,7 @@ org.apache.commons commons-lang3 - 3.14.0 + 3.15.0 org.apache.commons From eeb1d8e0cae5242df024a1a0178e3a7a41217b63 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Jul 2024 01:44:54 +0000 Subject: [PATCH 04/24] Bump ossf/scorecard-action from 2.3.3 to 2.4.0 Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.3.3 to 2.4.0. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](https://github.com/ossf/scorecard-action/compare/dc50aa9510b46c811795eb24b2f1ba02a914e534...62b2cac7ed8198b15735ed49ab1e5cf35480ba46) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/scorecards-analysis.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/scorecards-analysis.yaml b/.github/workflows/scorecards-analysis.yaml index 7f4e9b5e40..03663dd89d 100644 --- a/.github/workflows/scorecards-analysis.yaml +++ b/.github/workflows/scorecards-analysis.yaml @@ -45,7 +45,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # 2.3.3 + uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # 2.4.0 with: results_file: results.sarif results_format: sarif From 479a9d86ed3b37db10c8322045887be293f14cd6 Mon Sep 17 00:00:00 2001 From: Lukasz Lenart Date: Wed, 31 Jul 2024 16:53:01 +0200 Subject: [PATCH 05/24] WW-5451 Fixes NPE when iterator starts with null --- .../struts2/components/IteratorComponent.java | 5 ++- .../components/IteratorComponentTest.java | 36 +++++++++++++++++++ .../struts2/views/jsp/IteratorTagTest.java | 36 ++++++++++++++++++- 3 files changed, 75 insertions(+), 2 deletions(-) diff --git a/core/src/main/java/org/apache/struts2/components/IteratorComponent.java b/core/src/main/java/org/apache/struts2/components/IteratorComponent.java index 7ff83bd458..1659e6c6e9 100644 --- a/core/src/main/java/org/apache/struts2/components/IteratorComponent.java +++ b/core/src/main/java/org/apache/struts2/components/IteratorComponent.java @@ -306,7 +306,10 @@ public boolean start(Writer writer) { if ((iterator != null) && iterator.hasNext()) { Object currentValue = iterator.next(); stack.push(currentValue); - threadAllowlist.allowClass(currentValue.getClass()); + + if (currentValue != null) { + threadAllowlist.allowClass(currentValue.getClass()); + } String var = getVar(); diff --git a/core/src/test/java/org/apache/struts2/components/IteratorComponentTest.java b/core/src/test/java/org/apache/struts2/components/IteratorComponentTest.java index 7f08ef64ea..077510a71e 100644 --- a/core/src/test/java/org/apache/struts2/components/IteratorComponentTest.java 
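Review bot: The new null guard in `start(Writer)` skips the allowlist registration silently, and a reader is left to guess whether pushing a null onto the value stack is intended; a comment on the guard would settle it, e.g. `// a null element is still pushed so the body sees it; only a non-null value has a class to add to the allowlist`. If the path that advances the iterator for later elements (elsewhere in this file, outside the hunk) has the same `allowClass(currentValue.getClass())` call, it needs the same guard — the tests added in this commit iterate past several nulls, so it may already be handled, but that cannot be confirmed from here. The body of `start` continues past the hunk.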
+++ b/core/src/test/java/org/apache/struts2/components/IteratorComponentTest.java @@ -184,6 +184,42 @@ public List getItems() { assertEquals("1, 2, , 4, ", out.getBuffer().toString()); } + public void testIteratorWithNullsOnly() { + // given + stack.push(new FooAction() { + private final List items = Arrays.asList(null, null, null); + + public List getItems() { + return items; + } + }); + + StringWriter out = new StringWriter(); + + ic.setValue("items"); + ic.setVar("val"); + Property prop = new Property(stack); + + ic.getComponentStack().push(prop); + ic.getComponentStack().push(prop); + ic.getComponentStack().push(prop); + ic.getComponentStack().push(prop); + + String body = ", "; + + // when + assertTrue(ic.start(out)); + + for (int i = 0; i < 3; i++) { + prop.start(out); + prop.end(out, body); + ic.end(out, null); + } + + // then + assertEquals(", , , ", out.getBuffer().toString()); + } + public void testIteratorWithDifferentLocale() { // given ActionContext.getContext().withLocale(new Locale("fa_IR")); diff --git a/core/src/test/java/org/apache/struts2/views/jsp/IteratorTagTest.java b/core/src/test/java/org/apache/struts2/views/jsp/IteratorTagTest.java index fd3fc9587e..acb4fa053d 100644 --- a/core/src/test/java/org/apache/struts2/views/jsp/IteratorTagTest.java +++ b/core/src/test/java/org/apache/struts2/views/jsp/IteratorTagTest.java @@ -20,7 +20,6 @@ import com.mockobjects.servlet.MockBodyContent; import com.mockobjects.servlet.MockJspWriter; -import com.opensymphony.xwork2.ActionContext; import org.apache.commons.collections.ListUtils; import javax.servlet.jsp.JspException; 
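Review bot: `testIteratorWithNullsOnly` only checks the rendered text, so it would still pass if something other than the null element were pushed onto the stack; the sibling test added to `IteratorTagTest` in this commit asserts `assertNull(stack.peek())` after each step, and the same assertion after `assertTrue(ic.start(out));` here would pin the behaviour the fix is about. The four consecutive `ic.getComponentStack().push(prop);` calls read as accidental duplication; if they mirror the existing tests in this file, a one-line comment on why the component stack needs that depth would help the next reader. The raw `List` matches the surrounding `getItems()` signature, so that is consistent as written.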
@@ -722,6 +721,41 @@ public void testCounterWithList() throws JspException { validateCounter(new String[]{"a", "b", "c"}); } + public void testNullElements() throws JspException { + Foo foo = new Foo(); + foo.setArray(new String[3]); + + stack.push(foo); + tag.setValue("array"); + tag.setVar("anId"); + + // one + int result = tag.doStartTag(); + assertEquals(TagSupport.EVAL_BODY_INCLUDE, result); + assertNull(stack.peek()); + assertNull(stack.getContext().get("anId")); + + tag.doInitBody(); + + // two + result = tag.doAfterBody(); + assertEquals(TagSupport.EVAL_BODY_AGAIN, result); + assertNull(stack.peek()); + assertNull(stack.getContext().get("anId")); + + // three + result = tag.doAfterBody(); + assertEquals(TagSupport.EVAL_BODY_AGAIN, result); + assertNull(stack.peek()); + assertNull(stack.getContext().get("anId")); + + result = tag.doAfterBody(); + assertEquals(TagSupport.SKIP_BODY, result); + + result = tag.doEndTag(); + assertEquals(TagSupport.EVAL_PAGE, result); + } + public void testCounterWithArray() throws JspException { Foo foo = new Foo(); foo.setArray(new String[]{"a", "b", "c", "d"}); From 0d3358b035f50456270230d8ec59511a4f30c9ee Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 Aug 2024 01:55:12 +0000 Subject: [PATCH 06/24] Bump github/codeql-action from 2.22.11 to 3.25.15 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.11 to 3.25.15. - [Release notes](https://github.com/github/codeql-action/releases) - [Commits](https://github.com/github/codeql-action/compare/v2.22.11...v3.25.15) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecards-analysis.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) 
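Review bot: `new String[3]` is what produces the three null elements in `testNullElements`, but nothing says so; a short comment such as `// three null elements: the array is allocated but never filled` would make the intent obvious at a glance. After the final `doAfterBody()` returns `SKIP_BODY`, the test does not check that the null value was popped from `stack` again; if other tests in this file verify the stack on exit, mirroring that here would also cover the cleanup path for null elements.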
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index d195fcd5a8..40f3e82c8e 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -44,12 +44,12 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@v3.25.15 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@v3.25.15 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@v3.25.15 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scorecards-analysis.yaml b/.github/workflows/scorecards-analysis.yaml index 7f4e9b5e40..192cc7bdd4 100644 --- a/.github/workflows/scorecards-analysis.yaml +++ b/.github/workflows/scorecards-analysis.yaml @@ -64,6 +64,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@03e7845b7bfcd5e7fb63d1ae8c61b0e791134fab # 2.22.11 + uses: github/codeql-action/upload-sarif@9c646c24a4c8410122b0d6a1311088e9377eea95 # 2.22.11 with: sarif_file: results.sarif From b8da13c235f46270a80eee5b33b865c3415bbd96 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 Aug 2024 01:55:15 +0000 Subject: [PATCH 07/24] Bump actions/upload-artifact from 4.3.4 to 4.3.5 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.4 to 4.3.5. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/0b2256b8c012f0828dc542b3febcab082c67f72b...89ef406dd8d7e03cfd12d9e0a4a378f454709029) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] --- .github/workflows/scorecards-analysis.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecards-analysis.yaml b/.github/workflows/scorecards-analysis.yaml index 7f4e9b5e40..6bf825a7e3 100644 --- a/.github/workflows/scorecards-analysis.yaml +++ b/.github/workflows/scorecards-analysis.yaml @@ -57,7 +57,7 @@ jobs: publish_results: true - name: "Upload artifact" - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # 4.3.4 + uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # 4.3.5 with: name: SARIF file path: results.sarif From 6caa932fff6e8cb573b1b84b0cca2478c00b0750 Mon Sep 17 00:00:00 2001 From: Kusal Kithul-Godage Date: Fri, 9 Aug 2024 19:53:59 +1000 Subject: [PATCH 08/24] WW-4062 Cache OgnlException thrown on compilation --- .../com/opensymphony/xwork2/ognl/OgnlUtil.java | 17 ++++++++++++++++- .../opensymphony/xwork2/ognl/OgnlUtilTest.java | 15 +++++++++++++++ 2 files changed, 31 insertions(+), 1 deletion(-) diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java index 52475b8d59..05d0be6c5f 100644 --- a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java +++ b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java 
@@ -601,12 +601,27 @@ private Object toTree(String expr) throws OgnlException { if (enableExpressionCache) { tree = expressionCache.get(expr); } + if (tree instanceof OgnlException) { + // OgnlException was cached, rethrow it with updated stack trace + OgnlException e = (OgnlException) tree; + e.getCause().fillInStackTrace(); + throw e; + } if (tree == null) { - tree = ognlGuard.parseExpression(expr); + try { + tree = ognlGuard.parseExpression(expr); + } catch (OgnlException e) { + tree = e; + } if (enableExpressionCache) { expressionCache.put(expr, tree); } + if (tree instanceof OgnlException) { + // Rethrow OgnlException after caching + throw (OgnlException) tree; + } } + if (EXPR_BLOCKED.equals(tree)) { throw new OgnlException("Expression blocked by OgnlGuard: " + expr); } diff --git a/core/src/test/java/com/opensymphony/xwork2/ognl/OgnlUtilTest.java b/core/src/test/java/com/opensymphony/xwork2/ognl/OgnlUtilTest.java index 27a0d0f330..b7ba175f7c 100644 --- a/core/src/test/java/com/opensymphony/xwork2/ognl/OgnlUtilTest.java +++ b/core/src/test/java/com/opensymphony/xwork2/ognl/OgnlUtilTest.java 
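Review bot: On the cache-hit path `e.getCause().fillInStackTrace()` dereferences the cause without a null check, so an `OgnlException` that was created without a cause would turn a cached parse error into a `NullPointerException` for every later caller of that expression; guard it with `Throwable cause = e.getCause(); if (cause != null) { cause.fillInStackTrace(); }`. Whether `ognlGuard.parseExpression` always attaches a cause cannot be told from this hunk. The cached exception is also a single instance shared by every thread that resolves the same expression: `fillInStackTrace()` rewrites its trace in place, so concurrent callers race on it and whoever inspects the trace sees the last thread's fill, and anything a caller attaches via `addSuppressed` stays on the cached object — a comment on the `expressionCache.put` line noting that exceptions are cached as shared instances would warn future maintainers. `toTree` starts before the hunk.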
@@ -1645,6 +1645,21 @@ public void testCustomOgnlMapBlocked() throws Exception { assertThrows(OgnlException.class, () -> ognlUtil.getValue(vulnerableExpr, ognlUtil.createDefaultContext(null), null)); } + public void testCompilationErrorsCached() throws Exception { + OgnlException e = assertThrows(OgnlException.class, () -> ognlUtil.compile(".literal.$something")); + StackTraceElement[] stackTrace = e.getStackTrace(); + assertThat(stackTrace).isEmpty(); + StackTraceElement[] causeStackTrace = e.getCause().getStackTrace(); + + OgnlException e2 = assertThrows(OgnlException.class, () -> ognlUtil.compile(".literal.$something")); + StackTraceElement[] stackTrace2 = e.getStackTrace(); + assertThat(stackTrace2).isEmpty(); + StackTraceElement[] causeStackTrace2 = e.getCause().getStackTrace(); + + assertSame(e, e2); // Exception is cached + assertThat(causeStackTrace).isNotEqualTo(causeStackTrace2); // Stack trace refreshed + } + /** * Generate a new OgnlUtil instance (not configured by the {@link ContainerBuilder}) that can be used for * basic tests, with its Expression and BeanInfo factories set to LRU mode. From 1536a7e04b20e4b6c194d3e6ed49728d009eaab7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Aug 2024 01:14:58 +0000 Subject: [PATCH 09/24] Bump actions/upload-artifact from 4.3.5 to 4.3.6 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.5 to 4.3.6. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/89ef406dd8d7e03cfd12d9e0a4a378f454709029...834a144ee995460fba8ed112a2fc961b36a5ec5a) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/scorecards-analysis.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/scorecards-analysis.yaml b/.github/workflows/scorecards-analysis.yaml index dbe568733f..8b4b589d42 100644 --- a/.github/workflows/scorecards-analysis.yaml +++ b/.github/workflows/scorecards-analysis.yaml @@ -57,7 +57,7 @@ jobs: publish_results: true - name: "Upload artifact" - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # 4.3.5 + uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # 4.3.6 with: name: SARIF file path: results.sarif From 107810dce215fb3be999e33a59a9f9a44b0b89b7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Aug 2024 01:15:10 +0000 Subject: [PATCH 10/24] Bump github/codeql-action from 3.25.15 to 3.26.0 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.15 to 3.26.0. - [Release notes](https://github.com/github/codeql-action/releases) - [Commits](https://github.com/github/codeql-action/compare/v3.25.15...v3.26.0) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecards-analysis.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 40f3e82c8e..93e70d67e9 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -44,12 +44,12 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 - name: Initialize CodeQL - uses: github/codeql-action/init@v3.25.15 + uses: github/codeql-action/init@v3.26.0 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@v3.25.15 + uses: github/codeql-action/autobuild@v3.26.0 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3.25.15 + uses: github/codeql-action/analyze@v3.26.0 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scorecards-analysis.yaml b/.github/workflows/scorecards-analysis.yaml index dbe568733f..c90da7be6b 100644 --- a/.github/workflows/scorecards-analysis.yaml +++ b/.github/workflows/scorecards-analysis.yaml @@ -64,6 +64,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@9c646c24a4c8410122b0d6a1311088e9377eea95 # 2.22.11 + uses: github/codeql-action/upload-sarif@25ad3c8e4067d58361177f34122cf9ae8abb4bd0 # 2.22.11 with: sarif_file: results.sarif From 89154e0479ece7a42e20e79cec222ccaf0f4fa3c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Aug 2024 01:45:42 +0000 Subject: [PATCH 11/24] Bump commons-logging:commons-logging from 1.3.0 to 1.3.3 Bumps commons-logging:commons-logging from 1.3.0 to 1.3.3. --- updated-dependencies: - dependency-name: commons-logging:commons-logging dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 1877d0e658..771976e229 100644 --- a/pom.xml +++ b/pom.xml @@ -846,7 +846,7 @@ commons-logging commons-logging - 1.3.0 + 1.3.3 org.apache.commons From acd6ebeb6b33f244271527846eebe993ac5d9831 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Aug 2024 01:45:48 +0000 Subject: [PATCH 12/24] Bump org.apache.maven.plugins:maven-wrapper-plugin from 3.2.0 to 3.3.2 Bumps [org.apache.maven.plugins:maven-wrapper-plugin](https://github.com/apache/maven-wrapper) from 3.2.0 to 3.3.2. - [Release notes](https://github.com/apache/maven-wrapper/releases) - [Commits](https://github.com/apache/maven-wrapper/compare/maven-wrapper-3.2.0...maven-wrapper-3.3.2) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-wrapper-plugin dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 1877d0e658..18850ffed3 100644 --- a/pom.xml +++ b/pom.xml @@ -372,7 +372,7 @@ org.apache.maven.plugins maven-wrapper-plugin - 3.2.0 + 3.3.2 From c067e25b2cb1c7a6a07d53e3a9a9352679506a53 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Aug 2024 01:45:53 +0000 Subject: [PATCH 13/24] Bump org.codehaus.mojo:versions-maven-plugin from 2.16.2 to 2.17.1 Bumps [org.codehaus.mojo:versions-maven-plugin](https://github.com/mojohaus/versions) from 2.16.2 to 2.17.1. - [Release notes](https://github.com/mojohaus/versions/releases) - [Changelog](https://github.com/mojohaus/versions/blob/master/ReleaseNotes.md) - [Commits](https://github.com/mojohaus/versions/compare/2.16.2...2.17.1) --- updated-dependencies: - dependency-name: org.codehaus.mojo:versions-maven-plugin dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 1877d0e658..f3769585d2 100644 --- a/pom.xml +++ b/pom.xml @@ -487,7 +487,7 @@ org.codehaus.mojo versions-maven-plugin - 2.16.2 + 2.17.1 
From dc03a83f615e3ed26567630a9dc03af624b4aa2f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Aug 2024 01:45:57 +0000 Subject: [PATCH 14/24] Bump org.apache.maven.plugins:maven-failsafe-plugin from 3.3.0 to 3.3.1 Bumps [org.apache.maven.plugins:maven-failsafe-plugin](https://github.com/apache/maven-surefire) from 3.3.0 to 3.3.1. - [Release notes](https://github.com/apache/maven-surefire/releases) - [Commits](https://github.com/apache/maven-surefire/compare/surefire-3.3.0...surefire-3.3.1) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-failsafe-plugin dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- apps/showcase/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/showcase/pom.xml b/apps/showcase/pom.xml index 3cdede5e3d..21a02f7689 100644 --- a/apps/showcase/pom.xml +++ b/apps/showcase/pom.xml @@ -163,7 +163,7 @@ org.apache.maven.plugins maven-failsafe-plugin - 3.3.0 + 3.3.1 it.org.apache.struts2.showcase.*Test From d2d222e05d82ec434e1f9a9b125546630b7ecf97 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Aug 2024 01:46:09 +0000 Subject: [PATCH 15/24] Bump org.easymock:easymock from 5.2.0 to 5.4.0 Bumps [org.easymock:easymock](https://github.com/easymock/easymock) from 5.2.0 to 5.4.0. - [Release notes](https://github.com/easymock/easymock/releases) - [Changelog](https://github.com/easymock/easymock/blob/master/ReleaseNotes.md) - [Commits](https://github.com/easymock/easymock/compare/easymock-5.2.0...easymock-5.4.0) --- updated-dependencies: - dependency-name: org.easymock:easymock dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/pom.xml b/pom.xml index 1877d0e658..827f1fc078 100644 --- a/pom.xml +++ b/pom.xml @@ -770,7 +770,7 @@ org.easymock easymock - 5.2.0 + 5.4.0 test From 0fd85517e9c8ceaa90540e6fbdbe13d2602b64c4 Mon Sep 17 00:00:00 2001 From: Kusal Kithul-Godage Date: Tue, 13 Aug 2024 18:29:04 +1000 Subject: [PATCH 16/24] WW-4062 Further optimisation of OgnlException caching --- .../com/opensymphony/xwork2/ognl/OgnlUtil.java | 16 +++++++++++----- .../opensymphony/xwork2/ognl/OgnlUtilTest.java | 7 ++++--- 2 files changed, 15 insertions(+), 8 deletions(-) diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java index 05d0be6c5f..e02823ca22 100644 --- a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java +++ b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java @@ -602,10 +602,8 @@ private Object toTree(String expr) throws OgnlException { tree = expressionCache.get(expr); } if (tree instanceof OgnlException) { - // OgnlException was cached, rethrow it with updated stack trace - OgnlException e = (OgnlException) tree; - e.getCause().fillInStackTrace(); - throw e; + // OgnlException was cached, rethrow it with empty stack trace (refilling the stack trace is expensive) + clearStackTraceAndRethrow(tree); } if (tree == null) { try { 
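Review bot: `clearStackTraceAndRethrow(tree)` always throws, but because it is declared `void` the compiler cannot see that, so the `if (tree instanceof OgnlException)` branch reads as if execution falls through into the `if (tree == null)` check below it; making the helper return the exception and throwing at the call site keeps the control flow visible: `throw clearStackTrace((OgnlException) tree);`. That also lets the helper, defined in the next hunk of this file, take an `OgnlException` parameter instead of `Object` and drop its internal cast. `toTree` starts before the hunk.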
@@ -621,13 +619,21 @@ private Object toTree(String expr) throws OgnlException { throw (OgnlException) tree; } } - if (EXPR_BLOCKED.equals(tree)) { throw new OgnlException("Expression blocked by OgnlGuard: " + expr); } return tree; } + private void clearStackTraceAndRethrow(Object ognlException) throws OgnlException { + OgnlException e = (OgnlException) ognlException; + e.setStackTrace(new StackTraceElement[0]); + if (e.getCause() != null) { + e.getCause().setStackTrace(new StackTraceElement[0]); + } + throw e; + } + public Object compile(String expression, Map context) throws OgnlException { Object tree = toTree(expression); checkEnableEvalExpression(tree, context); diff --git a/core/src/test/java/com/opensymphony/xwork2/ognl/OgnlUtilTest.java b/core/src/test/java/com/opensymphony/xwork2/ognl/OgnlUtilTest.java index b7ba175f7c..40c2dbddf7 100644 --- a/core/src/test/java/com/opensymphony/xwork2/ognl/OgnlUtilTest.java +++ b/core/src/test/java/com/opensymphony/xwork2/ognl/OgnlUtilTest.java @@ -1650,14 +1650,15 @@ public void testCompilationErrorsCached() throws Exception { StackTraceElement[] stackTrace = e.getStackTrace(); assertThat(stackTrace).isEmpty(); StackTraceElement[] causeStackTrace = e.getCause().getStackTrace(); + assertThat(causeStackTrace).isNotEmpty(); OgnlException e2 = assertThrows(OgnlException.class, () -> ognlUtil.compile(".literal.$something")); - StackTraceElement[] stackTrace2 = e.getStackTrace(); + StackTraceElement[] stackTrace2 = e2.getStackTrace(); assertThat(stackTrace2).isEmpty(); - StackTraceElement[] causeStackTrace2 = e.getCause().getStackTrace(); + StackTraceElement[] causeStackTrace2 = e2.getCause().getStackTrace(); + assertThat(causeStackTrace2).isEmpty(); // Stack trace cleared before rethrow assertSame(e, e2); // Exception is cached - assertThat(causeStackTrace).isNotEqualTo(causeStackTrace2); // Stack trace refreshed } /** From 0d84319dbf0980af95f435d85378a4abf0dae7e3 Mon Sep 17 00:00:00 2001 
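Review bot: `clearStackTraceAndRethrow` mutates a cached instance that is shared by every thread resolving the same expression, so two concurrent cache hits call `setStackTrace` on the same object; `setStackTrace` copies its argument, so the race itself is benign, but the method deserves a Javadoc stating that the argument is a shared cache entry, that its trace (and its cause's) is deliberately discarded because refilling it is expensive, and that nothing per-request must be attached to it since `addSuppressed` data would be visible to later callers. `new StackTraceElement[0]` is allocated twice per hit; a `private static final StackTraceElement[] EMPTY_STACK_TRACE = new StackTraceElement[0];` serves both `setStackTrace` calls, as the array is copied on assignment.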
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 Aug 2024 01:25:04 +0000 Subject: [PATCH 17/24] Bump maven-surefire-plugin.version from 3.3.1 to 3.4.0 Bumps `maven-surefire-plugin.version` from 3.3.1 to 3.4.0. Updates `org.apache.maven.surefire:surefire-junit47` from 3.3.1 to 3.4.0 Updates `org.apache.maven.plugins:maven-surefire-plugin` from 3.3.1 to 3.4.0 - [Release notes](https://github.com/apache/maven-surefire/releases) - [Commits](https://github.com/apache/maven-surefire/compare/surefire-3.3.1...surefire-3.4.0) --- updated-dependencies: - dependency-name: org.apache.maven.surefire:surefire-junit47 dependency-type: direct:production update-type: version-update:semver-minor - dependency-name: org.apache.maven.plugins:maven-surefire-plugin dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index dd2c102baf..5f5bfaef3e 100644 --- a/pom.xml +++ b/pom.xml @@ -117,7 +117,7 @@ 5.3.37 3.0.8 1.0.7 - 3.3.1 + 3.4.0 6.2.4.Final 2.3.33 From e81adc11eb84cc5839510bd1ddc60b3b0baaa193 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 Aug 2024 01:25:44 +0000 Subject: [PATCH 18/24] Bump org.apache.maven.plugins:maven-release-plugin from 3.0.1 to 3.1.1 Bumps [org.apache.maven.plugins:maven-release-plugin](https://github.com/apache/maven-release) from 3.0.1 to 3.1.1. - [Release notes](https://github.com/apache/maven-release/releases) - [Commits](https://github.com/apache/maven-release/compare/maven-release-3.0.1...maven-release-3.1.1) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-release-plugin dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/pom.xml b/pom.xml index dd2c102baf..fecf539f01 100644 --- a/pom.xml +++ b/pom.xml @@ -381,7 +381,7 @@ org.apache.maven.plugins maven-release-plugin - 3.0.1 + 3.1.1 maven-jar-plugin From 9765edf2ea056e0a6315b49b07190f0f5b8e2053 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 Aug 2024 01:52:03 +0000 Subject: [PATCH 19/24] Bump github/codeql-action from 3.26.0 to 3.26.2 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.0 to 3.26.2. - [Release notes](https://github.com/github/codeql-action/releases) - [Commits](https://github.com/github/codeql-action/compare/v3.26.0...v3.26.2) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecards-analysis.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 93e70d67e9..c5aeea01d6 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -44,12 +44,12 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 - name: Initialize CodeQL - uses: github/codeql-action/init@v3.26.0 + uses: github/codeql-action/init@v3.26.2 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@v3.26.0 + uses: github/codeql-action/autobuild@v3.26.2 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3.26.0 + uses: github/codeql-action/analyze@v3.26.2 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scorecards-analysis.yaml b/.github/workflows/scorecards-analysis.yaml index 54cc8703cd..ed9bd3c585 100644 --- a/.github/workflows/scorecards-analysis.yaml +++ b/.github/workflows/scorecards-analysis.yaml 
@@ -64,6 +64,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@25ad3c8e4067d58361177f34122cf9ae8abb4bd0 # 2.22.11 + uses: github/codeql-action/upload-sarif@5c681efc3f71cd6b47b1c14583c9e86913966e9f # 2.22.11 with: sarif_file: results.sarif From 5a50bd312d8569fba5d26e11aeb4e8ca2f17316e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Aug 2024 01:17:36 +0000 Subject: [PATCH 20/24] Bump slf4j.version from 2.0.13 to 2.0.16 Bumps `slf4j.version` from 2.0.13 to 2.0.16. Updates `org.slf4j:slf4j-api` from 2.0.13 to 2.0.16 Updates `org.slf4j:slf4j-simple` from 2.0.13 to 2.0.16 --- updated-dependencies: - dependency-name: org.slf4j:slf4j-api dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: org.slf4j:slf4j-simple dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index f2a1506674..ed878b278c 100644 --- a/pom.xml +++ b/pom.xml @@ -113,7 +113,7 @@ 2.17.2 2.23.1 3.3.5 - 2.0.13 + 2.0.16 5.3.37 3.0.8 1.0.7 From ad7f3e352392204ecca2a43fc1d86da640ca0c58 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Aug 2024 01:18:06 +0000 Subject: [PATCH 21/24] Bump org.apache.commons:commons-compress from 1.26.2 to 1.27.1 Bumps org.apache.commons:commons-compress from 1.26.2 to 1.27.1. --- updated-dependencies: - dependency-name: org.apache.commons:commons-compress dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index f2a1506674..2c943bb9bb 100644 --- a/pom.xml +++ b/pom.xml @@ -1037,7 +1037,7 @@ org.apache.commons commons-compress - 1.26.2 + 1.27.1 
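Review bot: The trailing version annotation on the upload-sarif pin is left stale in the new line: the SHA moves to `5c681efc3f71cd6b47b1c14583c9e86913966e9f` while the comment still reads `# 2.22.11`, even though the commit's subject bumps codeql-action to 3.26.2; the same happens again in PATCH 23, where `821ab42c90a42d1d5cd3241930dff56a7c7dcfb2` also keeps `# 2.22.11`. Reviewers and tools that audit SHA pins read that comment as the human-readable version of the pinned commit, so a wrong one defeats its purpose — the line should read `uses: github/codeql-action/upload-sarif@5c681efc3f71cd6b47b1c14583c9e86913966e9f # 3.26.2` (and `# 3.26.6` in PATCH 23), assuming those SHAs are the release commits the subject implies. Separately, in the codeql.yml hunk of the same commit the init/autobuild/analyze steps stay on the mutable tag `v3.26.2` while this step is pinned by commit SHA; pinning all four the same way would keep the workflows' supply-chain posture uniform and avoid a scorecard pinned-dependencies finding. The enclosing jobs block starts outside the hunk.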
From 8c7c39424ffd340539ebd11e9fd4ad5d9ffc01b5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Sep 2024 01:21:24 +0000 Subject: [PATCH 22/24] Bump actions/upload-artifact from 4.3.6 to 4.4.0 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.6 to 4.4.0. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/834a144ee995460fba8ed112a2fc961b36a5ec5a...50769540e7f4bd5e21e526ee35c689e35e0d6874) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/scorecards-analysis.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecards-analysis.yaml b/.github/workflows/scorecards-analysis.yaml index ed9bd3c585..4d1e385198 100644 --- a/.github/workflows/scorecards-analysis.yaml +++ b/.github/workflows/scorecards-analysis.yaml @@ -57,7 +57,7 @@ jobs: publish_results: true - name: "Upload artifact" - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # 4.3.6 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # 4.4.0 with: name: SARIF file path: results.sarif From 00f09424492d5bb39504e7430650f6695a01aab3 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Sep 2024 01:21:36 +0000 Subject: [PATCH 23/24] Bump github/codeql-action from 3.26.2 to 3.26.6 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.2 to 3.26.6. - [Release notes](https://github.com/github/codeql-action/releases) - [Commits](https://github.com/github/codeql-action/compare/v3.26.2...v3.26.6) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecards-analysis.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index c5aeea01d6..6f0b4ece86 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -44,12 +44,12 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 - name: Initialize CodeQL - uses: github/codeql-action/init@v3.26.2 + uses: github/codeql-action/init@v3.26.6 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@v3.26.2 + uses: github/codeql-action/autobuild@v3.26.6 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3.26.2 + uses: github/codeql-action/analyze@v3.26.6 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scorecards-analysis.yaml b/.github/workflows/scorecards-analysis.yaml index ed9bd3c585..830c0c0ffe 100644 --- a/.github/workflows/scorecards-analysis.yaml +++ b/.github/workflows/scorecards-analysis.yaml @@ -64,6 +64,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@5c681efc3f71cd6b47b1c14583c9e86913966e9f # 2.22.11 + uses: github/codeql-action/upload-sarif@821ab42c90a42d1d5cd3241930dff56a7c7dcfb2 # 2.22.11 with: sarif_file: results.sarif 
From e4872ecf8ec58281c303a64584a43a1ea716aace Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Sep 2024 06:14:58 +0000 Subject: [PATCH 24/24] Bump spring.platformVersion from 5.3.37 to 5.3.39 Bumps `spring.platformVersion` from 5.3.37 to 5.3.39. Updates `org.springframework:spring-core` from 5.3.37 to 5.3.39 - [Release notes](https://github.com/spring-projects/spring-framework/releases) - [Commits](https://github.com/spring-projects/spring-framework/compare/v5.3.37...v5.3.39) Updates `org.springframework:spring-context` from 5.3.37 to 5.3.39 - [Release notes](https://github.com/spring-projects/spring-framework/releases) - [Commits](https://github.com/spring-projects/spring-framework/compare/v5.3.37...v5.3.39) Updates `org.springframework:spring-aop` from 5.3.37 to 5.3.39 - [Release notes](https://github.com/spring-projects/spring-framework/releases) - [Commits](https://github.com/spring-projects/spring-framework/compare/v5.3.37...v5.3.39) Updates `org.springframework:spring-aspects` from 5.3.37 to 5.3.39 - [Release notes](https://github.com/spring-projects/spring-framework/releases) - [Commits](https://github.com/spring-projects/spring-framework/compare/v5.3.37...v5.3.39) Updates `org.springframework:spring-beans` from 5.3.37 to 5.3.39 - [Release notes](https://github.com/spring-projects/spring-framework/releases) - [Commits](https://github.com/spring-projects/spring-framework/compare/v5.3.37...v5.3.39) Updates `org.springframework:spring-test` from 5.3.37 to 5.3.39 - [Release notes](https://github.com/spring-projects/spring-framework/releases) - [Commits](https://github.com/spring-projects/spring-framework/compare/v5.3.37...v5.3.39) Updates `org.springframework:spring-context-support` from 5.3.37 to 5.3.39 - [Release notes](https://github.com/spring-projects/spring-framework/releases) - [Commits](https://github.com/spring-projects/spring-framework/compare/v5.3.37...v5.3.39) Updates `org.springframework:spring-web` from 5.3.37 to 5.3.39 - [Release 
notes](https://github.com/spring-projects/spring-framework/releases) - [Commits](https://github.com/spring-projects/spring-framework/compare/v5.3.37...v5.3.39) --- updated-dependencies: - dependency-name: org.springframework:spring-core dependency-type: direct:development update-type: version-update:semver-patch - dependency-name: org.springframework:spring-context dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: org.springframework:spring-aop dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: org.springframework:spring-aspects dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: org.springframework:spring-beans dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: org.springframework:spring-test dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: org.springframework:spring-context-support dependency-type: direct:development update-type: version-update:semver-patch - dependency-name: org.springframework:spring-web dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index ed878b278c..21530f6ed0 100644 --- a/pom.xml +++ b/pom.xml @@ -114,7 +114,7 @@ 2.23.1 3.3.5 2.0.16 - 5.3.37 + 5.3.39 3.0.8 1.0.7 3.4.0