This is an automated email from the ASF dual-hosted git repository.

ilgrosso pushed a commit to branch 4_0_X
in repository https://gitbox.apache.org/repos/asf/syncope.git


The following commit(s) were added to refs/heads/4_0_X by this push:
     new 1399f84e36 Restricting fields for JEXL expressions (#1370)
1399f84e36 is described below

commit 1399f84e36308463ca7343a1019ac4dff7d560f5
Author: Francesco Chicchiriccò <[email protected]>
AuthorDate: Mon May 4 09:12:27 2026 +0200

    Restricting fields for JEXL expressions (#1370)
---
 .../apache/syncope/client/console/panels/DashboardSystemPanel.java | 2 +-
 .../syncope/core/provisioning/api/jexl/JexlContextBuilder.java     | 7 ++++---
 pom.xml                                                            | 2 +-
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git 
a/client/idrepo/console/src/main/java/org/apache/syncope/client/console/panels/DashboardSystemPanel.java
 
b/client/idrepo/console/src/main/java/org/apache/syncope/client/console/panels/DashboardSystemPanel.java
index 34eb7ebc8c..02a6f5f494 100644
--- 
a/client/idrepo/console/src/main/java/org/apache/syncope/client/console/panels/DashboardSystemPanel.java
+++ 
b/client/idrepo/console/src/main/java/org/apache/syncope/client/console/panels/DashboardSystemPanel.java
@@ -58,7 +58,7 @@ public class DashboardSystemPanel extends Panel {
         String versionLink =
                 StringUtils.isNotBlank(gitAndBuildInfo.getLeft()) && 
gitAndBuildInfo.getRight().endsWith("-SNAPSHOT")
                 ? 
"https://gitbox.apache.org/repos/asf?p=syncope.git;a=commit;h="; + 
gitAndBuildInfo.getLeft()
-                : 
"https://cwiki.apache.org/confluence/display/SYNCOPE/Capriccio";;
+                : 
"https://cwiki.apache.org/confluence/display/SYNCOPE/Notturno";;
         version.add(new AttributeModifier("onclick", "window.open('" + 
versionLink + "', '_blank')"));
         add(version);
 
diff --git 
a/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/jexl/JexlContextBuilder.java
 
b/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/jexl/JexlContextBuilder.java
index bed2130497..8329891786 100644
--- 
a/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/jexl/JexlContextBuilder.java
+++ 
b/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/jexl/JexlContextBuilder.java
@@ -32,7 +32,6 @@ import java.util.Map;
 import java.util.Set;
 import org.apache.commons.jexl3.JexlContext;
 import org.apache.commons.jexl3.MapContext;
-import org.apache.commons.lang3.ArrayUtils;
 import org.apache.commons.lang3.ClassUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.tuple.Pair;
@@ -53,7 +52,9 @@ public class JexlContextBuilder {
 
     protected static final Logger LOG = 
LoggerFactory.getLogger(JexlContextBuilder.class);
 
-    private static final String[] IGNORE_FIELDS = { "password", 
"clearPassword", "serialVersionUID", "class" };
+    private static final Set<String> IGNORE_FIELDS = Set.of(
+            "class", "serialVersionUID", "cipherAlgorithm", "password", 
"passwordHistory",
+            "securityAnswer", "token", "tokenExpireTime");
 
     private static final Map<Class<?>, Set<Pair<PropertyDescriptor, Field>>> 
FIELD_CACHE =
             Collections.synchronizedMap(new HashMap<>());
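Review bot: The new `IGNORE_FIELDS` set no longer contains `clearPassword`, which the removed array excluded. Unless that property is gone from every bean handed to this builder (not visible in this diff), it would now be readable from JEXL expressions, so either keep `"clearPassword"` in the set or confirm the property no longer exists. The exclusion is also still a deny list matched exactly and case-sensitively against `desc.getName()` (the `IGNORE_FIELDS.contains(desc.getName())` check in the next hunk), so any sensitive property added to an entity later is exposed by default. A comment on the constant such as `// Bean properties never exposed to JEXL (credentials, tokens and related metadata); extend when adding sensitive fields`, together with a unit test asserting these names are absent from the built context, would keep the list from drifting.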
@@ -80,7 +81,7 @@ public class JexlContextBuilder {
                 try {
                     for (PropertyDescriptor desc : 
Introspector.getBeanInfo(clazz).getPropertyDescriptors()) {
                         if (!desc.getName().startsWith("pc")
-                                && !ArrayUtils.contains(IGNORE_FIELDS, 
desc.getName())
+                                && !IGNORE_FIELDS.contains(desc.getName())
                                 && 
!Collection.class.isAssignableFrom(desc.getPropertyType())
                                 && 
!Map.class.isAssignableFrom(desc.getPropertyType())
                                 && !desc.getPropertyType().isArray()) {
diff --git a/pom.xml b/pom.xml
index e67aa7371c..c7a655064a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -530,7 +530,7 @@ under the License.
     <tomcat.version>10.1.54</tomcat.version>
     <wildfly.version>39.0.0.Final</wildfly.version>
     <payara.version>6.2025.11</payara.version>
-    <jakarta.faces.version>4.1.7</jakarta.faces.version>
+    <jakarta.faces.version>4.1.8</jakarta.faces.version>
 
     <docker.postgresql.version>17-alpine</docker.postgresql.version>
     <docker.mysql.version>9.0</docker.mysql.version>
