Merge master 2024-06-10

.asf.yaml

@@ -18,8 +18,9 @@ github:
       contexts:
         - build
       required_pull_request_reviews:
-        require_code_owner_reviews: true
-        required_approving_review_count: 1
+        # it does not work because our github teams are private/secret, see INFRA-25666
+        require_code_owner_reviews: false
+        required_approving_review_count: 0
   autolink_jira:
     - WW
   dependabot_alerts:  true

.github/workflows/scorecards-analysis.yaml

@@ -46,7 +46,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736    # 2.3.1
+        uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534    # 2.3.3
         with:
           results_file: results.sarif
           results_format: sarif
@@ -58,7 +58,7 @@ jobs:
           publish_results: true
 
       - name: "Upload artifact"
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3    # 4.3.1
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808    # 4.3.3
         with:
           name: SARIF file
           path: results.sarif

apps/showcase/pom.xml

@@ -197,7 +197,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-failsafe-plugin</artifactId>
-                <version>3.0.0-M6</version>
+                <version>3.2.5</version>
                 <configuration>
                     <includes>
                         <include>it.org.apache.struts2.showcase.*Test</include>

assembly/pom.xml

@@ -106,7 +106,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-assembly-plugin</artifactId>
-                <version>3.6.0</version>
+                <version>3.7.1</version>
                 <executions>
                     <execution>
                         <id>make-assembly</id>

core/pom.xml

@@ -220,6 +220,12 @@
             <scope>test</scope>
         </dependency>
 
+        <dependency>
+            <groupId>org.awaitility</groupId>
+            <artifactId>awaitility</artifactId>
+            <scope>test</scope>
+        </dependency>
+
         <dependency>
             <groupId>junit</groupId>
             <artifactId>junit</artifactId>

core/src/main/java/com/opensymphony/xwork2/ActionSupport.java

@@ -90,6 +90,11 @@ public boolean isValidLocale(Locale locale) {
         return getLocaleProvider().isValidLocale(locale);
     }
 
+    @Override
+    public Locale toLocale(String localeStr) {
+        return getLocaleProvider().toLocale(localeStr);
+    }
+
     @Override
     public boolean hasKey(String key) {
         return getTextProvider().hasKey(key);

core/src/main/java/com/opensymphony/xwork2/DefaultLocaleProvider.java

@@ -46,17 +46,23 @@ public Locale getLocale() {
 
     @Override
     public boolean isValidLocaleString(String localeStr) {
+        Locale locale = this.toLocale(localeStr);
+        return isValidLocale(locale);
+    }
+
+    @Override
+    public boolean isValidLocale(Locale locale) {
+        return locale != null && LocaleUtils.isAvailableLocale(locale);
+    }
+
+    @Override
+    public Locale toLocale(String localeStr) {
         Locale locale = null;
         try {
             locale = LocaleUtils.toLocale(StringUtils.trimToNull(localeStr));
         } catch (IllegalArgumentException e) {
             LOG.warn(new ParameterizedMessage("Cannot convert [{}] to proper locale", localeStr), e);
         }
-        return isValidLocale(locale);
-    }
-
-    @Override
-    public boolean isValidLocale(Locale locale) {
-        return LocaleUtils.isAvailableLocale(locale);
+        return locale;
     }
 }

core/src/main/java/com/opensymphony/xwork2/LocaleProvider.java

@@ -18,6 +18,9 @@
  */
 package com.opensymphony.xwork2;
 
+import org.apache.commons.lang3.LocaleUtils;
+import org.apache.commons.lang3.StringUtils;
+
 import java.util.Locale;
 
 
@@ -58,4 +61,17 @@ public interface LocaleProvider {
      */
     boolean isValidLocale(Locale locale);
 
+    /**
+     * Tries to convert provided locale string into {@link Locale} or returns null
+     * @param localeStr a String representing locale, e.g.: en_EN
+     * @return instance of {@link Locale} or null
+     * @since Struts 6.5.0
+     */
+    default Locale toLocale(String localeStr) {
+        try {
+            return LocaleUtils.toLocale(StringUtils.trimToNull(localeStr));
+        } catch (IllegalArgumentException e) {
+            return null;
+        }
+    }
 }

core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java

@@ -29,6 +29,7 @@
 import org.apache.struts2.ognl.ThreadAllowlist;
 
 import java.lang.reflect.AccessibleObject;
+import java.lang.reflect.Constructor;
 import java.lang.reflect.Field;
 import java.lang.reflect.Member;
 import java.lang.reflect.Modifier;
@@ -147,11 +148,11 @@ public boolean isAccessible(Map context, Object target, Member member, String pr
         if (target != null) {
             // Special case: Target is a Class object but not Class.class
             if (Class.class.equals(target.getClass()) && !Class.class.equals(target)) {
-                if (!isStatic(member)) {
-                    throw new IllegalArgumentException("Member expected to be static!");
+                if (!isStatic(member) && !Constructor.class.equals(member.getClass())) {
+                    throw new IllegalArgumentException("Member expected to be static or constructor!");
                 }
                 if (!member.getDeclaringClass().equals(target)) {
-                    throw new IllegalArgumentException("Target class does not match static member!");
+                    throw new IllegalArgumentException("Target class does not match member!");
                 }
                 target = null; // This information is not useful to us and conflicts with following logic which expects target to be null or an instance containing the member
             // Standard case: Member should exist on target

core/src/main/java/com/opensymphony/xwork2/validator/ActionValidatorManager.java

@@ -36,7 +36,7 @@ public interface ActionValidatorManager {
      * @param method the name of the method being invoked on the action - can be <tt>null</tt>.
      * @return a list of all validators for the given class and context.
      */
-    List<Validator> getValidators(Class clazz, String context, String method);
+    List<Validator> getValidators(Class<?> clazz, String context, String method);
 
     /**
      * Returns a list of validators for the given class and context. This is the primary
@@ -46,7 +46,7 @@ public interface ActionValidatorManager {
      * @param context the context of the action class - can be <tt>null</tt>.
      * @return a list of all validators for the given class and context.
      */
-    List<Validator> getValidators(Class clazz, String context);
+    List<Validator> getValidators(Class<?> clazz, String context);
 
     /**
      * Validates the given object using action and its context.

core/src/main/java/com/opensymphony/xwork2/validator/DefaultActionValidatorManager.java

@@ -125,7 +125,7 @@ public void validate(Object object, String context, ValidatorContext validatorCo
      * @param context context
      * @return a validator key which is the class name plus context.
      */
-    protected String buildValidatorKey(Class clazz, String context) {
+    protected String buildValidatorKey(Class<?> clazz, String context) {
         return clazz.getName() + "/" + context;
     }
 
@@ -137,7 +137,7 @@ protected Validator getValidatorFromValidatorConfig(ValidatorConfig config, Valu
     }
 
     @Override
-    public synchronized List<Validator> getValidators(Class clazz, String context, String method) {
+    public synchronized List<Validator> getValidators(Class<?> clazz, String context, String method) {
         String validatorKey = buildValidatorKey(clazz, context);
 
         if (!validatorCache.containsKey(validatorKey)) {
@@ -158,7 +158,7 @@ public synchronized List<Validator> getValidators(Class clazz, String context, S
     }
 
     @Override
-    public synchronized List<Validator> getValidators(Class clazz, String context) {
+    public synchronized List<Validator> getValidators(Class<?> clazz, String context) {
         return getValidators(clazz, context, null);
     }
 
@@ -277,7 +277,7 @@ public void validate(Object object, String context, ValidatorContext validatorCo
      * @param checked   the set of previously checked class-contexts, null if none have been checked
      * @return a list of validator configs for the given class and context.
      */
-    protected List<ValidatorConfig> buildValidatorConfigs(Class clazz, String context, boolean checkFile, Set<String> checked) {
+    protected List<ValidatorConfig> buildValidatorConfigs(Class<?> clazz, String context, boolean checkFile, Set<String> checked) {
         List<ValidatorConfig> validatorConfigs = new ArrayList<>();
 
         if (checked == null) {
@@ -287,7 +287,7 @@ protected List<ValidatorConfig> buildValidatorConfigs(Class clazz, String contex
         }
 
         if (clazz.isInterface()) {
-            for (Class anInterface : clazz.getInterfaces()) {
+            for (Class<?> anInterface : clazz.getInterfaces()) {
                 validatorConfigs.addAll(buildValidatorConfigs(anInterface, context, checkFile, checked));
             }
         } else {
@@ -297,7 +297,7 @@ protected List<ValidatorConfig> buildValidatorConfigs(Class clazz, String contex
         }
 
         // look for validators for implemented interfaces
-        for (Class anInterface1 : clazz.getInterfaces()) {
+        for (Class<?> anInterface1 : clazz.getInterfaces()) {
             if (checked.contains(anInterface1.getName())) {
                 continue;
             }
@@ -317,17 +317,17 @@ protected List<ValidatorConfig> buildValidatorConfigs(Class clazz, String contex
         return validatorConfigs;
     }
 
-    protected List<ValidatorConfig> buildAliasValidatorConfigs(Class aClass, String context, boolean checkFile) {
+    protected List<ValidatorConfig> buildAliasValidatorConfigs(Class<?> aClass, String context, boolean checkFile) {
         String fileName = aClass.getName().replace('.', '/') + "-" + context + VALIDATION_CONFIG_SUFFIX;
         return loadFile(fileName, aClass, checkFile);
     }
 
-    protected List<ValidatorConfig> buildClassValidatorConfigs(Class aClass, boolean checkFile) {
+    protected List<ValidatorConfig> buildClassValidatorConfigs(Class<?> aClass, boolean checkFile) {
         String fileName = aClass.getName().replace('.', '/') + VALIDATION_CONFIG_SUFFIX;
         return loadFile(fileName, aClass, checkFile);
     }
 
-    protected List<ValidatorConfig> loadFile(String fileName, Class clazz, boolean checkFile) {
+    protected List<ValidatorConfig> loadFile(String fileName, Class<?> clazz, boolean checkFile) {
         List<ValidatorConfig> retList = Collections.emptyList();
 
         URL fileUrl = ClassLoaderUtil.getResource(fileName, clazz);

core/src/main/java/com/opensymphony/xwork2/validator/DelegatingValidatorContext.java

@@ -122,10 +122,15 @@ public boolean isValidLocale(Locale locale) {
         return localeProvider.isValidLocale(locale);
     }
 
+    @Override
+    public Locale toLocale(String localeStr) {
+        return localeProvider.toLocale(localeStr);
+    }
+
     public boolean hasKey(String key) {
     	return textProvider.hasKey(key);
     }
-    
+
     public String getText(String aTextName) {
         return textProvider.getText(aTextName);
     }
@@ -280,6 +285,11 @@ public boolean isValidLocaleString(String localeStr) {
         public boolean isValidLocale(Locale locale) {
             return getLocaleProvider().isValidLocale(locale);
         }
+
+        @Override
+        public Locale toLocale(String localeStr) {
+            return getLocaleProvider().toLocale(localeStr);
+        }
     }
 
     /**

core/src/main/java/org/apache/struts2/components/Set.java

@@ -104,17 +104,17 @@ public boolean end(Writer writer, String body) {
         body="";
 
         if (DispatcherConstants.APPLICATION.equalsIgnoreCase(scope)) {
-            stack.setValue("#application['" + getVar() + "']", o);
+            stack.setValue(String.format("#application[\"%s\"]", getVar()), o);
         } else if (DispatcherConstants.SESSION.equalsIgnoreCase(scope)) {
-            stack.setValue("#session['" + getVar() + "']", o);
+            stack.setValue(String.format("#session[\"%s\"]", getVar()), o);
         } else if (DispatcherConstants.REQUEST.equalsIgnoreCase(scope)) {
-            stack.setValue("#request['" + getVar() + "']", o);
+            stack.setValue(String.format("#request[\"%s\"]", getVar()), o);
         } else if (DispatcherConstants.PAGE.equalsIgnoreCase(scope)) {
-            stack.setValue("#attr['" + getVar() + "']", o, false);
+            stack.setValue(String.format("#attr[\"%s\"]", getVar()), o, false);
         } else {
             // Default scope is action. Note: The action scope handling also adds the var to the page scope.
-            stack.getContext().put(getVar(), o);
-            stack.setValue("#attr['" + getVar() + "']", o, false);
+            putInContext(o);
+            stack.setValue(String.format("#attr[\"%s\"]", getVar()), o, false);
         }
 
         return super.end(writer, body);

core/src/main/java/org/apache/struts2/interceptor/I18nInterceptor.java

@@ -24,7 +24,6 @@
 import com.opensymphony.xwork2.inject.Inject;
 import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
 import com.opensymphony.xwork2.util.TextParseUtil;
-import org.apache.commons.lang3.LocaleUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.message.ParameterizedMessage;
@@ -85,7 +84,7 @@ public void setRequestCookieParameterName(String requestCookieParameterName) {
     }
 
     public void setLocaleStorage(String storageName) {
-        if (storageName == null || "".equals(storageName)) {
+        if (storageName == null || storageName.isEmpty()) {
             this.storage = Storage.ACCEPT_LANGUAGE;
         } else {
             try {
@@ -169,27 +168,21 @@ protected LocaleHandler getLocaleHandler(ActionInvocation invocation) {
     }
 
     /**
-     * Creates a Locale object from the request param, which might
-     * be already a Local or a String
+     * Creates a Locale object from the request param
      *
      * @param requestedLocale the parameter from the request
-     * @return the Locale
+     * @return instance of {@link Locale} or null
      */
-    protected Locale getLocaleFromParam(Object requestedLocale) {
+    protected Locale getLocaleFromParam(String requestedLocale) {
         LocaleProvider localeProvider = localeProviderFactory.createLocaleProvider();
 
         Locale locale = null;
         if (requestedLocale != null) {
-            if (requestedLocale instanceof Locale) {
-                locale = (Locale) requestedLocale;
-            } else {
-                String localeStr = requestedLocale.toString();
-                if (localeProvider.isValidLocaleString(localeStr)) {
-                    locale = LocaleUtils.toLocale(localeStr);
-                } else {
-                    locale = localeProvider.getLocale();
-                }
+            locale = localeProvider.toLocale(requestedLocale);
+            if (locale == null) {
+                locale = localeProvider.getLocale();
             }
+
             if (locale != null) {
                 LOG.debug("Found locale: {}", locale);
             }
@@ -285,7 +278,7 @@ protected AcceptLanguageLocaleHandler(ActionInvocation invocation) {
         @Override
         @SuppressWarnings("rawtypes")
         public Locale find() {
-            if (supportedLocale.size() > 0) {
+            if (!supportedLocale.isEmpty()) {
                 Enumeration locales = actionInvocation.getInvocationContext().getServletRequest().getLocales();
                 while (locales.hasMoreElements()) {
                     Locale locale = (Locale) locales.nextElement();