WW-5525 Fixes NPE when checking if expressions is acceptable

apache · Feb 17, 2025 · ac1fbc1 · ac1fbc1
1 parent 31c3fc5
commit ac1fbc1
Show file tree

Hide file tree

Showing 3 changed files with 82 additions and 5 deletions.
diff --git a/core/src/main/java/org/apache/struts2/ognl/SecurityMemberAccess.java b/core/src/main/java/org/apache/struts2/ognl/SecurityMemberAccess.java
@@ -160,12 +160,12 @@ public boolean isAccessible(Map context, Object target, Member member, String pr
             }
         }
 
-        if (!checkProxyObjectAccess(target)) {
+        if (target != null && !checkProxyObjectAccess(target)) {
             LOG.warn("Access to proxy is blocked! Target [{}], proxy class [{}]", target, target.getClass().getName());
             return false;
         }
 
-        if (!checkProxyMemberAccess(target, member)) {
+        if (target != null && !checkProxyMemberAccess(target, member)) {
             LOG.warn("Access to proxy is blocked! Member class [{}] of target [{}], member [{}]", member.getDeclaringClass(), target, member);
             return false;
         }
@@ -185,15 +185,15 @@ public boolean isAccessible(Map context, Object target, Member member, String pr
             return false;
         }
 
-        if (!checkDefaultPackageAccess(target, member)) {
+        if (target != null && !checkDefaultPackageAccess(target, member)) {
             return false;
         }
 
-        if (!checkExclusionList(target, member)) {
+        if (target != null && !checkExclusionList(target, member)) {
             return false;
         }
 
-        if (!checkAllowlist(target, member)) {
+        if (target != null && !checkAllowlist(target, member)) {
             return false;
         }
 

diff --git a/core/src/test/java/org/apache/struts2/ognl/SecurityMemberAccessTest.java b/core/src/test/java/org/apache/struts2/ognl/SecurityMemberAccessTest.java
@@ -649,6 +649,7 @@ public void testBlockedStaticFieldWhenFlagIsFalse() throws Exception {
     @Test
     public void testBlockedStaticFieldWhenClassIsExcluded() throws Exception {
         // given
+        assignNewSma(false);
         sma.useExcludedClasses(String.join(",", Class.class.getName(), StaticTester.class.getName()));
 
         // when

diff --git a/plugins/spring/src/test/java/org/apache/struts2/ognl/SecurityMemberAccessProxyTest.java b/plugins/spring/src/test/java/org/apache/struts2/ognl/SecurityMemberAccessProxyTest.java
@@ -87,4 +87,80 @@ public void allowAllProxyAccess() {
         assertTrue(sma.isAccessible(context, proxy.getAction(), proxyObjectProxyMember, ""));
         assertTrue(sma.isAccessible(context, proxy.getAction(), proxyObjectNonProxyMember, ""));
     }
+
+    @Test
+    public void nullTargetAndTargetAndMemberNotAllowed() {
+        sma.useDisallowProxyObjectAccess(Boolean.TRUE.toString());
+        sma.useDisallowProxyMemberAccess(Boolean.TRUE.toString());
+        assertTrue(sma.isAccessible(context, null, proxyObjectProxyMember, ""));
+    }
+
+    @Test
+    public void nullTargetAndTargetAllowedAndMemberNotAllowed() {
+        sma.useDisallowProxyObjectAccess(Boolean.FALSE.toString());
+        sma.useDisallowProxyMemberAccess(Boolean.TRUE.toString());
+        assertTrue(sma.isAccessible(context, null, proxyObjectProxyMember, ""));
+    }
+
+    @Test
+    public void nullTargetAndTargetAndMemberAllowed() {
+        sma.useDisallowProxyObjectAccess(Boolean.FALSE.toString());
+        sma.useDisallowProxyMemberAccess(Boolean.FALSE.toString());
+        assertTrue(sma.isAccessible(context, null, proxyObjectProxyMember, ""));
+    }
+
+    @Test
+    public void nullMemberAndTargetAndMemberNotAllowed() {
+        sma.useDisallowProxyObjectAccess(Boolean.TRUE.toString());
+        sma.useDisallowProxyMemberAccess(Boolean.TRUE.toString());
+        assertFalse(sma.isAccessible(context, proxy.getAction(), null, ""));
+    }
+
+    @Test
+    public void nullMemberAndTargetAllowedAndMemberNotAllowed() {
+        sma.useDisallowProxyObjectAccess(Boolean.FALSE.toString());
+        sma.useDisallowProxyMemberAccess(Boolean.TRUE.toString());
+        assertTrue(sma.isAccessible(context, proxy.getAction(), null, ""));
+    }
+
+    @Test
+    public void nullMemberAndTargetNotAllowedAndMemberAllowed() {
+        sma.useDisallowProxyObjectAccess(Boolean.TRUE.toString());
+        sma.useDisallowProxyMemberAccess(Boolean.FALSE.toString());
+        assertFalse(sma.isAccessible(context, proxy.getAction(), null, ""));
+    }
+
+    @Test
+    public void nullTargetAndMemberAndTargetAndMemberNotAllowed() {
+        sma.useDisallowProxyObjectAccess(Boolean.TRUE.toString());
+        sma.useDisallowProxyMemberAccess(Boolean.TRUE.toString());
+        assertTrue(sma.isAccessible(context, null, null, ""));
+    }
+
+    @Test
+    public void nullTargetAndMemberAndTargetNotAllowedAndMemberAllowed() {
+        sma.useDisallowProxyObjectAccess(Boolean.TRUE.toString());
+        sma.useDisallowProxyMemberAccess(Boolean.FALSE.toString());
+        assertTrue(sma.isAccessible(context, null, null, ""));
+    }
+
+    @Test
+    public void nullTargetAndMemberAndTargetAllowedAndMemberNotAllowed() {
+        sma.useDisallowProxyObjectAccess(Boolean.FALSE.toString());
+        sma.useDisallowProxyMemberAccess(Boolean.TRUE.toString());
+        assertTrue(sma.isAccessible(context, null, null, ""));
+    }
+
+    @Test
+    public void nullTargetAndMemberAndTargetAndMemberAllowed() {
+        sma.useDisallowProxyObjectAccess(Boolean.FALSE.toString());
+        sma.useDisallowProxyMemberAccess(Boolean.FALSE.toString());
+        assertTrue(sma.isAccessible(context, null, null, ""));
+    }
+
+    @Test
+    public void nullPropertyName() {
+        sma.useDisallowProxyMemberAccess(Boolean.FALSE.toString());
+        assertTrue(sma.isAccessible(context, proxy.getAction(), proxyObjectProxyMember, null));
+    }
 }