Merge master

.github/workflows/codeql.yml

@@ -52,12 +52,12 @@ jobs:
         java-version: 17
         cache: 'maven'
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@v3.26.6
       with:
         languages: ${{ matrix.language }}
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
+      uses: github/codeql-action/autobuild@v3.26.6
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@v3.26.6
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/scorecards-analysis.yaml

@@ -46,7 +46,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534    # 2.3.3
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46    # 2.4.0
         with:
           results_file: results.sarif
           results_format: sarif
@@ -58,13 +58,13 @@ jobs:
           publish_results: true
 
       - name: "Upload artifact"
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b    # 4.3.4
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874    # 4.4.0
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@03e7845b7bfcd5e7fb63d1ae8c61b0e791134fab    # 2.22.11
+        uses: github/codeql-action/upload-sarif@821ab42c90a42d1d5cd3241930dff56a7c7dcfb2    # 2.22.11
         with:
           sarif_file: results.sarif

apps/showcase/pom.xml

@@ -200,7 +200,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-failsafe-plugin</artifactId>
-                <version>3.3.0</version>
+                <version>3.3.1</version>
                 <configuration>
                     <includes>
                         <include>it.org.apache.struts2.showcase.*Test</include>

core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java

@@ -430,18 +430,39 @@ private Object toTree(String expr) throws OgnlException {
         if (enableExpressionCache) {
             tree = expressionCache.get(expr);
         }
+        if (tree instanceof OgnlException) {
+            // OgnlException was cached, rethrow it with empty stack trace (refilling the stack trace is expensive)
+            clearStackTraceAndRethrow(tree);
+        }
         if (tree == null) {
-            tree = ognlGuard.parseExpression(expr);
+            try {
+                tree = ognlGuard.parseExpression(expr);
+            } catch (OgnlException e) {
+                tree = e;
+            }
             if (enableExpressionCache) {
                 expressionCache.put(expr, tree);
             }
+            if (tree instanceof OgnlException) {
+                // Rethrow OgnlException after caching
+                throw (OgnlException) tree;
+            }
         }
         if (EXPR_BLOCKED.equals(tree)) {
             throw new OgnlException("Expression blocked by OgnlGuard: " + expr);
         }
         return tree;
     }
 
+    private void clearStackTraceAndRethrow(Object ognlException) throws OgnlException {
+        OgnlException e = (OgnlException) ognlException;
+        e.setStackTrace(new StackTraceElement[0]);
+        if (e.getCause() != null) {
+            e.getCause().setStackTrace(new StackTraceElement[0]);
+        }
+        throw e;
+    }
+
     public Object compile(String expression, Map<String, Object> context) throws OgnlException {
         Object tree = toTree(expression);
         checkEnableEvalExpression(tree, context);

core/src/main/java/org/apache/struts2/components/IteratorComponent.java

@@ -305,7 +305,10 @@ public boolean start(Writer writer) {
         if ((iterator != null) && iterator.hasNext()) {
             Object currentValue = iterator.next();
             stack.push(currentValue);
-            threadAllowlist.allowClass(currentValue.getClass());
+
+            if (currentValue != null) {
+                threadAllowlist.allowClass(currentValue.getClass());
+            }
 
             String var = getVar();
 

core/src/test/java/com/opensymphony/xwork2/ognl/OgnlUtilTest.java

@@ -1648,6 +1648,22 @@ private OgnlUtil generateOgnlUtilInstanceWithDefaultLRUCacheFactories() {
         return generateOgnlUtilInstanceWithDefaultLRUCacheFactories(25, 25);
     }
 
+    public void testCompilationErrorsCached() throws Exception {
+        OgnlException e = assertThrows(OgnlException.class, () -> ognlUtil.compile(".literal.$something"));
+        StackTraceElement[] stackTrace = e.getStackTrace();
+        assertThat(stackTrace).isEmpty();
+        StackTraceElement[] causeStackTrace = e.getCause().getStackTrace();
+        assertThat(causeStackTrace).isNotEmpty();
+
+        OgnlException e2 = assertThrows(OgnlException.class, () -> ognlUtil.compile(".literal.$something"));
+        StackTraceElement[] stackTrace2 = e2.getStackTrace();
+        assertThat(stackTrace2).isEmpty();
+        StackTraceElement[] causeStackTrace2 = e2.getCause().getStackTrace();
+
+        assertThat(causeStackTrace2).isEmpty(); // Stack trace cleared before rethrow
+        assertSame(e, e2); // Exception is cached
+    }
+
     /**
      * Generate a new OgnlUtil instance (not configured by the {@link ContainerBuilder}) that can be used for
      * basic tests, with its Expression and BeanInfo factories set to LRU mode.

core/src/test/java/org/apache/struts2/components/IteratorComponentTest.java

@@ -184,6 +184,42 @@ public List<String> getItems() {
         assertEquals("1, 2, , 4, ", out.getBuffer().toString());
     }
 
+    public void testIteratorWithNullsOnly() {
+        // given
+        stack.push(new FooAction() {
+            private final List<String> items = Arrays.asList(null, null, null);
+
+            public List<String> getItems() {
+                return items;
+            }
+        });
+
+        StringWriter out = new StringWriter();
+
+        ic.setValue("items");
+        ic.setVar("val");
+        Property prop = new Property(stack);
+
+        ic.getComponentStack().push(prop);
+        ic.getComponentStack().push(prop);
+        ic.getComponentStack().push(prop);
+        ic.getComponentStack().push(prop);
+
+        String body = ", ";
+
+        // when
+        assertTrue(ic.start(out));
+
+        for (int i = 0; i < 3; i++) {
+            prop.start(out);
+            prop.end(out, body);
+            ic.end(out, null);
+        }
+
+        // then
+        assertEquals(", , , ", out.getBuffer().toString());
+    }
+
     public void testIteratorWithDifferentLocale() {
         // given
         ActionContext.getContext().withLocale(new Locale("fa_IR"));

core/src/test/java/org/apache/struts2/views/jsp/IteratorTagTest.java

@@ -727,6 +727,41 @@ public void testCounterWithList() throws JspException {
         validateCounter(new String[]{"a", "b", "c"});
     }
 
+    public void testNullElements() throws JspException {
+        Foo foo = new Foo();
+        foo.setArray(new String[3]);
+
+        stack.push(foo);
+        tag.setValue("array");
+        tag.setVar("anId");
+
+        // one
+        int result = tag.doStartTag();
+        assertEquals(TagSupport.EVAL_BODY_INCLUDE, result);
+        assertNull(stack.peek());
+        assertNull(stack.getContext().get("anId"));
+
+        tag.doInitBody();
+
+        // two
+        result = tag.doAfterBody();
+        assertEquals(TagSupport.EVAL_BODY_AGAIN, result);
+        assertNull(stack.peek());
+        assertNull(stack.getContext().get("anId"));
+
+        // three
+        result = tag.doAfterBody();
+        assertEquals(TagSupport.EVAL_BODY_AGAIN, result);
+        assertNull(stack.peek());
+        assertNull(stack.getContext().get("anId"));
+
+        result = tag.doAfterBody();
+        assertEquals(TagSupport.SKIP_BODY, result);
+
+        result = tag.doEndTag();
+        assertEquals(TagSupport.EVAL_PAGE, result);
+    }
+
     public void testCounterWithArray() throws JspException {
         Foo foo = new Foo();
         foo.setArray(new String[]{"a", "b", "c", "d"});

pom.xml

@@ -116,11 +116,11 @@
         <hibernate-validator.version>8.0.1.Final</hibernate-validator.version>
         <jackson.version>2.17.2</jackson.version>
         <log4j2.version>2.23.1</log4j2.version>
-        <maven-surefire-plugin.version>3.3.1</maven-surefire-plugin.version>
+        <maven-surefire-plugin.version>3.4.0</maven-surefire-plugin.version>
         <mockito.version>5.8.0</mockito.version>
         <ognl.version>3.3.5</ognl.version>
         <sitemesh.version>2.5.0</sitemesh.version>
-        <slf4j.version>2.0.13</slf4j.version>
+        <slf4j.version>2.0.16</slf4j.version>
         <spring.platformVersion>6.0.13</spring.platformVersion>
         <tiles.version>3.0.8</tiles.version>
         <tiles-request.version>1.0.7</tiles-request.version>
@@ -240,7 +240,7 @@
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-project-info-reports-plugin</artifactId>
-                    <version>3.5.0</version>
+                    <version>3.6.2</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
@@ -332,7 +332,7 @@
                 <plugin>
                     <groupId>org.owasp</groupId>
                     <artifactId>dependency-check-maven</artifactId>
-                    <version>9.2.0</version>
+                    <version>10.0.3</version>
                     <configuration>
                         <suppressionFiles>
                             <suppressionFile>src/etc/project-suppression.xml</suppressionFile>
@@ -370,7 +370,7 @@
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-wrapper-plugin</artifactId>
-                    <version>3.2.0</version>
+                    <version>3.3.2</version>
                 </plugin>
             </plugins>
         </pluginManagement>
@@ -379,7 +379,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-release-plugin</artifactId>
-                <version>3.0.1</version>
+                <version>3.1.1</version>
             </plugin>
             <plugin>
                 <artifactId>maven-jar-plugin</artifactId>
@@ -485,7 +485,7 @@
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>versions-maven-plugin</artifactId>
-                <version>2.16.2</version>
+                <version>2.17.1</version>
                 <reportSets>
                     <reportSet>
                         <reports>
@@ -715,7 +715,7 @@
             <dependency>
                 <groupId>org.easymock</groupId>
                 <artifactId>easymock</artifactId>
-                <version>5.2.0</version>
+                <version>5.4.0</version>
                 <scope>test</scope>
             </dependency>
 
@@ -797,7 +797,7 @@
             <dependency>
                 <groupId>commons-logging</groupId>
                 <artifactId>commons-logging</artifactId>
-                <version>1.3.0</version>
+                <version>1.3.3</version>
             </dependency>
             <dependency>
                 <groupId>org.apache.commons</groupId>
@@ -817,7 +817,7 @@
             <dependency>
                 <groupId>org.apache.commons</groupId>
                 <artifactId>commons-lang3</artifactId>
-                <version>3.14.0</version>
+                <version>3.15.0</version>
             </dependency>
             <dependency>
                 <groupId>org.apache.commons</groupId>
@@ -974,7 +974,7 @@
             <dependency>
                 <groupId>org.apache.commons</groupId>
                 <artifactId>commons-compress</artifactId>
-                <version>1.26.2</version>
+                <version>1.27.1</version>
             </dependency>
 
             <dependency>