WW-5352 Acceptance test coverage

apps/showcase/src/main/java/org/apache/struts2/showcase/action/ParamsAnnotationAction.java

@@ -0,0 +1,133 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.struts2.showcase.action;
+
+import com.opensymphony.xwork2.ActionSupport;
+import org.apache.struts2.interceptor.parameter.StrutsParameter;
+import org.apache.struts2.showcase.model.MyDto;
+
+import java.lang.reflect.Field;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import static java.util.Collections.singletonList;
+import static java.util.Collections.singletonMap;
+
+/**
+ * This class supports {@link com.atlassian.confluence.stateless.webdriver.selenium3.security.StrutsParametersTest}
+ * which prevents critical security regressions. Do NOT modify without understanding the motivation behind the tests and
+ * the implications of any changes.
+ */
+public class ParamsAnnotationAction extends ActionSupport {
+
+    @StrutsParameter
+    public String varToPrint;
+
+    public String publicField = "no";
+
+    @StrutsParameter
+    public String publicFieldAnnotated = "no";
+
+    private String privateField = "no";
+
+    public int[] publicArray = new int[]{0};
+
+    @StrutsParameter(depth = 1)
+    public int[] publicArrayAnnotated = new int[]{0};
+
+    public List<String> publicList = new ArrayList<>(singletonList("no"));
+
+    @StrutsParameter(depth = 1)
+    public List<String> publicListAnnotated = new ArrayList<>(singletonList("no"));
+
+    private List<String> privateList = new ArrayList<>(singletonList("no"));
+
+    public Map<String, String> publicMap = new HashMap<>(singletonMap("key", "no"));
+
+    @StrutsParameter(depth = 1)
+    public Map<String, String> publicMapAnnotated = new HashMap<>(singletonMap("key", "no"));
+
+    public MyDto publicMyDto = new MyDto();
+
+    @StrutsParameter(depth = 2)
+    public MyDto publicMyDtoAnnotated = new MyDto();
+
+    @StrutsParameter(depth = 1)
+    public MyDto publicMyDtoAnnotatedDepthOne = new MyDto();
+
+    private MyDto privateMyDto = new MyDto();
+
+    public void setPrivateFieldMethod(String privateField) {
+        this.privateField = privateField;
+    }
+
+    @StrutsParameter
+    public void setPrivateFieldMethodAnnotated(String privateField) {
+        this.privateField = privateField;
+    }
+
+    public List<String> getPrivateListMethod() {
+        return privateList;
+    }
+
+    @StrutsParameter(depth = 1)
+    public List<String> getPrivateListMethodAnnotated() {
+        return privateList;
+    }
+
+    public MyDto getUnsafeMethodMyDto() {
+        return privateMyDto;
+    }
+
+    @StrutsParameter(depth = 2)
+    public MyDto getSafeMethodMyDto() {
+        return privateMyDto;
+    }
+
+    @StrutsParameter(depth = 1)
+    public MyDto getSafeMethodMyDtoDepthOne() {
+        return privateMyDto;
+    }
+
+    public String renderVarToPrint() throws ReflectiveOperationException {
+        if (varToPrint == null) {
+            return "null";
+        }
+        Field field = this.getClass().getDeclaredField(varToPrint);
+        field.setAccessible(true);
+        try {
+            return String.format("%s{%s}", varToPrint,
+                    field.getType().isArray() ? stringifyArray(field.get(this)) : field.get(this));
+        } finally {
+            field.setAccessible(false);
+        }
+    }
+
+    private String stringifyArray(Object array) {
+        switch (array.getClass().getComponentType().getName()) {
+            case "int":
+                return Arrays.toString((int[]) array);
+            default:
+                return "TODO";
+        }
+    }
+}

apps/showcase/src/main/java/org/apache/struts2/showcase/model/MyDto.java

@@ -0,0 +1,38 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.struts2.showcase.model;
+
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.Map;
+
+import static java.util.Collections.singletonMap;
+
+public class MyDto {
+
+    public String str = "no";
+
+    public Map<String, String> map = new HashMap<>(singletonMap("key", "no"));
+    public int[] array = new int[]{0};
+
+    @Override
+    public String toString() {
+        return "str=" + str + ", map=" + map + ", array=" + Arrays.toString(array);
+    }
+}

apps/showcase/src/main/resources/struts-params-annotation.xml

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!--
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+-->
+<!DOCTYPE struts PUBLIC
+        "-//Apache Software Foundation//DTD Struts Configuration 6.0//EN"
+        "https://struts.apache.org/dtds/struts-6.0.dtd">
+
+<struts>
+    <package name="params-annotation" extends="velocity-default" namespace="/paramsannotation">
+        <action name="test" class="org.apache.struts2.showcase.action.ParamsAnnotationAction">
+            <result type="velocity">/WEB-INF/paramsannotation.vm</result>
+        </action>
+    </package>
+</struts>

apps/showcase/src/main/resources/struts.xml

@@ -83,6 +83,8 @@
 
     <include file="struts-dispatcher.xml" />
 
+    <include file="struts-params-annotation.xml" />
+
     <package name="default" extends="struts-default">
         <interceptors>
             <interceptor-stack name="crudStack">

apps/showcase/src/main/webapp/WEB-INF/paramsannotation.vm

@@ -0,0 +1,19 @@
+#*
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements.  See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership.  The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License.  You may obtain a copy of the License at
+*
+*  http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing,
+* software distributed under the License is distributed on an
+* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+* KIND, either express or implied.  See the License for the
+* specific language governing permissions and limitations
+* under the License.
+*#
+<div id="output">$action.renderVarToPrint()</div>