[jira] [Comment Edited] (JEXL-388) v3.3-SNAPSHOT doesn't find public getter as property
[ https://issues.apache.org/jira/browse/JEXL-388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17641437#comment-17641437 ] Garret Wilson edited comment on JEXL-388 at 11/30/22 4:35 PM: -- {quote}… to restrict what JEXL can see using permissions …{quote} On the face of it that sounds reasonable. Where can I find the documentation for this, since this is a breaking change? {quote}Btw, any comment on JEXL-342?{quote} I'm not sure what comment you want. That was a feature request that is still open, even though a third party indicated they had added something to a modified fork of the library. In any case JEXL is pretty much stuck at the same place it was years ago, since v3.2.1 is completely broken because of JEXL-387, v3.3 is not released, and [there will be no v3.2.2 to fix the bug|https://issues.apache.org/jira/browse/JEXL-387?focusedCommentId=17640302&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17640302]. was (Author: garretwilson): {quote}… to restrict what JEXL can see using permissions …{quote} On the face of it that sounds reasonable. Where can I find the documentation for this, since this is a breaking change? {quote}Btw, any comment on JEXL-342?{quote} I'm not sure what comment you want. That was a feature request that is still open, even though a third party indicated they had added something to a modified fork of the library. > v3.3-SNAPSHOT doesn't find public getter as property > > > Key: JEXL-388 > URL: https://issues.apache.org/jira/browse/JEXL-388 > Project: Commons JEXL > Issue Type: Bug >Affects Versions: 3.3 > Environment: Java 17; Windows 10 >Reporter: Garret Wilson >Priority: Major > > In my [Guise Mummy|https://github.com/globalmentor/guise-mummy] static site > generator I'm using JEXL to interpret the built-in [Mesh Expression > Language|https://github.com/globalmentor/guise-mummy/tree/main/mesh] (MEXL). > Everything was working fine with JEXL 3.1. In fact the entire [Guise Mummy > web site|https://guise.io/mummy/] itself was produced using Guise Mummy with > MEXL on top of JEXL. But when I upgrade to JEXL 3.3-SNAPSHOT, a couple of > unit tests break. In particular, the new version doesn't seem to find a > public getter method on a custom public class as a property. > In the Mesh templating, we have an {{mx:each}} attribute (similar to JSP or > Thymeleaf) which loops through and replicates some HTML element (e.g. an > {{}} inside an {{}}) for each value in a list. It assigns each value, > one at a time, to a variable {{it}} in the context. That is working fine. But > on each iteration it also assigns {{iter}} in the context, with the value > being an instance of > [{{MeshIterator}}|https://github.com/globalmentor/guise-mummy/blob/main/mesh/src/main/java/io/guise/mesh/MeshIterator.java]. > That object has, among other things, {{getCurrent()}}: > {code:java} > /** > * Returns the current item. This will be the result of the last successful > call to {@link #next()}. > * @throws NoSuchElementException if iteration has not yet started. > * @return The current item. > */ > public Object getCurrent() { ... } > {code} > To make a long story short, the MEXL expression should be able to use > {{iter.current}} to get the value, but it's not finding it. I traced through > the new code, and it's finding the {{MeshIterator}} instance just fine and > assigning it to {{iter}}. The problem is that JEXL's {{ClassMap}} (probably > inside {{create()}}) is not finding and caching {{getCurrent()}} mapped to > the {{current}} property. > It looks like {{Permissions.allow()}} for method > {{MeshIterator.getCurrent()}}, is falling through to the end and returning > {{explicit[0]}}, which happens to be {{false}}. It looks like this comes from > {{wildcardAllow(Class clazz)}}, which eventually calls > {{wildcardAllow(Set allowed, String name)}}. There's what I presume > to be a set of allowed packages. Is that new? Do we have to explicitly > provide a list of allowed packages for property discovery via reflection now? > To reproduce this: > # Clone [Guise Mummy > 0.5.3|https://github.com/globalmentor/guise-mummy/releases/tag/v0.5.3]. > # In the overall project {{pom.xml}}, change the version of > {{org.apache.commons:commons-jexl3}} from {{3.1}} to > {{3.3-SNAPSHOT}}. (You'll also need to add the > {{https://repository.apache.org/content/repositories/snapshots/}} repository > in the POM.) > # Run {{mvn clean verify}}. > You'll see that {{io.guise.mesh.GuiseMeshTest.testMxEachWithIterVar()}} will > fail because {{iter.current}} can't be found. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Comment Edited] (JEXL-388) v3.3-SNAPSHOT doesn't find public getter as property
[ https://issues.apache.org/jira/browse/JEXL-388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17640643#comment-17640643 ] Henri Biestro edited comment on JEXL-388 at 11/29/22 12:06 PM: --- Current trunk default is to restrict what JEXL can see using permissions (JexlPermissions). To revert to previous (security oblivious) setting: {code} JexlEngine jexl = new JexlBuilder() ...permissions(JexlPermissions.UNRESTRICTED) .create(); {code} Or more globall, before creating the builder: {code} JexlBuilder.setDefaultPermissions(JexlPermissions.UNRESTRICTED); {code} Btw, any comment on [JEXL-342|https://issues.apache.org/jira/browse/JEXL-342]? was (Author: henrib): Current trunk default is to restrict what JEXL can see using permissions (JexlPermissions). To revert to previous (security oblivious) setting: {code} JexlEngine jexl = new JexlBuilder() ...permissions(JexlPermissions.UNRESTRICTED) .create(); {code} Btw, any comment on [JEXL-342|https://issues.apache.org/jira/browse/JEXL-342]? > v3.3-SNAPSHOT doesn't find public getter as property > > > Key: JEXL-388 > URL: https://issues.apache.org/jira/browse/JEXL-388 > Project: Commons JEXL > Issue Type: Bug >Affects Versions: 3.3 > Environment: Java 17; Windows 10 >Reporter: Garret Wilson >Priority: Major > > In my [Guise Mummy|https://github.com/globalmentor/guise-mummy] static site > generator I'm using JEXL to interpret the built-in [Mesh Expression > Language|https://github.com/globalmentor/guise-mummy/tree/main/mesh] (MEXL). > Everything was working fine with JEXL 3.1. In fact the entire [Guise Mummy > web site|https://guise.io/mummy/] itself was produced using Guise Mummy with > MEXL on top of JEXL. But when I upgrade to JEXL 3.3-SNAPSHOT, a couple of > unit tests break. In particular, the new version doesn't seem to find a > public getter method on a custom public class as a property. > In the Mesh templating, we have an {{mx:each}} attribute (similar to JSP or > Thymeleaf) which loops through and replicates some HTML element (e.g. an > {{}} inside an {{}}) for each value in a list. It assigns each value, > one at a time, to a variable {{it}} in the context. That is working fine. But > on each iteration it also assigns {{iter}} in the context, with the value > being an instance of > [{{MeshIterator}}|https://github.com/globalmentor/guise-mummy/blob/main/mesh/src/main/java/io/guise/mesh/MeshIterator.java]. > That object has, among other things, {{getCurrent()}}: > {code:java} > /** > * Returns the current item. This will be the result of the last successful > call to {@link #next()}. > * @throws NoSuchElementException if iteration has not yet started. > * @return The current item. > */ > public Object getCurrent() { ... } > {code} > To make a long story short, the MEXL expression should be able to use > {{iter.current}} to get the value, but it's not finding it. I traced through > the new code, and it's finding the {{MeshIterator}} instance just fine and > assigning it to {{iter}}. The problem is that JEXL's {{ClassMap}} (probably > inside {{create()}}) is not finding and caching {{getCurrent()}} mapped to > the {{current}} property. > It looks like {{Permissions.allow()}} for method > {{MeshIterator.getCurrent()}}, is falling through to the end and returning > {{explicit[0]}}, which happens to be {{false}}. It looks like this comes from > {{wildcardAllow(Class clazz)}}, which eventually calls > {{wildcardAllow(Set allowed, String name)}}. There's what I presume > to be a set of allowed packages. Is that new? Do we have to explicitly > provide a list of allowed packages for property discovery via reflection now? > To reproduce this: > # Clone [Guise Mummy > 0.5.3|https://github.com/globalmentor/guise-mummy/releases/tag/v0.5.3]. > # In the overall project {{pom.xml}}, change the version of > {{org.apache.commons:commons-jexl3}} from {{3.1}} to > {{3.3-SNAPSHOT}}. (You'll also need to add the > {{https://repository.apache.org/content/repositories/snapshots/}} repository > in the POM.) > # Run {{mvn clean verify}}. > You'll see that {{io.guise.mesh.GuiseMeshTest.testMxEachWithIterVar()}} will > fail because {{iter.current}} can't be found. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Comment Edited] (JEXL-388) v3.3-SNAPSHOT doesn't find public getter as property
[ https://issues.apache.org/jira/browse/JEXL-388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17640643#comment-17640643 ] Henri Biestro edited comment on JEXL-388 at 11/29/22 12:04 PM: --- Current trunk default is to restrict what JEXL can see using permissions (JexlPermissions). To revert to previous (security oblivious) setting: {code} JexlEngine jexl = new JexlBuilder() ...permissions(JexlPermissions.UNRESTRICTED) .create(); {code} Btw, any comment on [JEXL-342|https://issues.apache.org/jira/browse/JEXL-342]? was (Author: henrib): Current trunk default is to restrict what JEXL can see using permissions (JexlPermissions). To revert to previous (security oblivious) setting: {code} JexlEngine jexl = new JexlBuilder() .permissions(JexlPermissions.UNRESTRICTED) .sandbox(sandbox) .safe(false) .strict(true) .create(); {code} Btw, any comment on [JEXL-342|https://issues.apache.org/jira/browse/JEXL-342]? > v3.3-SNAPSHOT doesn't find public getter as property > > > Key: JEXL-388 > URL: https://issues.apache.org/jira/browse/JEXL-388 > Project: Commons JEXL > Issue Type: Bug >Affects Versions: 3.3 > Environment: Java 17; Windows 10 >Reporter: Garret Wilson >Priority: Major > > In my [Guise Mummy|https://github.com/globalmentor/guise-mummy] static site > generator I'm using JEXL to interpret the built-in [Mesh Expression > Language|https://github.com/globalmentor/guise-mummy/tree/main/mesh] (MEXL). > Everything was working fine with JEXL 3.1. In fact the entire [Guise Mummy > web site|https://guise.io/mummy/] itself was produced using Guise Mummy with > MEXL on top of JEXL. But when I upgrade to JEXL 3.3-SNAPSHOT, a couple of > unit tests break. In particular, the new version doesn't seem to find a > public getter method on a custom public class as a property. > In the Mesh templating, we have an {{mx:each}} attribute (similar to JSP or > Thymeleaf) which loops through and replicates some HTML element (e.g. an > {{}} inside an {{}}) for each value in a list. It assigns each value, > one at a time, to a variable {{it}} in the context. That is working fine. But > on each iteration it also assigns {{iter}} in the context, with the value > being an instance of > [{{MeshIterator}}|https://github.com/globalmentor/guise-mummy/blob/main/mesh/src/main/java/io/guise/mesh/MeshIterator.java]. > That object has, among other things, {{getCurrent()}}: > {code:java} > /** > * Returns the current item. This will be the result of the last successful > call to {@link #next()}. > * @throws NoSuchElementException if iteration has not yet started. > * @return The current item. > */ > public Object getCurrent() { ... } > {code} > To make a long story short, the MEXL expression should be able to use > {{iter.current}} to get the value, but it's not finding it. I traced through > the new code, and it's finding the {{MeshIterator}} instance just fine and > assigning it to {{iter}}. The problem is that JEXL's {{ClassMap}} (probably > inside {{create()}}) is not finding and caching {{getCurrent()}} mapped to > the {{current}} property. > It looks like {{Permissions.allow()}} for method > {{MeshIterator.getCurrent()}}, is falling through to the end and returning > {{explicit[0]}}, which happens to be {{false}}. It looks like this comes from > {{wildcardAllow(Class clazz)}}, which eventually calls > {{wildcardAllow(Set allowed, String name)}}. There's what I presume > to be a set of allowed packages. Is that new? Do we have to explicitly > provide a list of allowed packages for property discovery via reflection now? > To reproduce this: > # Clone [Guise Mummy > 0.5.3|https://github.com/globalmentor/guise-mummy/releases/tag/v0.5.3]. > # In the overall project {{pom.xml}}, change the version of > {{org.apache.commons:commons-jexl3}} from {{3.1}} to > {{3.3-SNAPSHOT}}. (You'll also need to add the > {{https://repository.apache.org/content/repositories/snapshots/}} repository > in the POM.) > # Run {{mvn clean verify}}. > You'll see that {{io.guise.mesh.GuiseMeshTest.testMxEachWithIterVar()}} will > fail because {{iter.current}} can't be found. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Comment Edited] (JEXL-388) v3.3-SNAPSHOT doesn't find public getter as property
[ https://issues.apache.org/jira/browse/JEXL-388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17640643#comment-17640643 ] Henri Biestro edited comment on JEXL-388 at 11/29/22 12:03 PM: --- Current trunk default is to restrict what JEXL can see using permissions (JexlPermissions). To revert to previous (security oblivious) setting: {code} JexlEngine jexl = new JexlBuilder() .permissions(JexlPermissions.UNRESTRICTED) .sandbox(sandbox) .safe(false) .strict(true) .create(); {code} Btw, any comment on [JEXL-342|https://issues.apache.org/jira/browse/JEXL-342]? was (Author: henrib): Current trunk default is to restrict what JEXL can see using permissions (JexlPermissions). To revert to previous (security oblivious) setting: {code} JexlEngine jexl = new JexlBuilder() .permissions(JexlPermissions.UNRESTRICTED) .sandbox(sandbox) .safe(false) .strict(true) .create(); {code} > v3.3-SNAPSHOT doesn't find public getter as property > > > Key: JEXL-388 > URL: https://issues.apache.org/jira/browse/JEXL-388 > Project: Commons JEXL > Issue Type: Bug >Affects Versions: 3.3 > Environment: Java 17; Windows 10 >Reporter: Garret Wilson >Priority: Major > > In my [Guise Mummy|https://github.com/globalmentor/guise-mummy] static site > generator I'm using JEXL to interpret the built-in [Mesh Expression > Language|https://github.com/globalmentor/guise-mummy/tree/main/mesh] (MEXL). > Everything was working fine with JEXL 3.1. In fact the entire [Guise Mummy > web site|https://guise.io/mummy/] itself was produced using Guise Mummy with > MEXL on top of JEXL. But when I upgrade to JEXL 3.3-SNAPSHOT, a couple of > unit tests break. In particular, the new version doesn't seem to find a > public getter method on a custom public class as a property. > In the Mesh templating, we have an {{mx:each}} attribute (similar to JSP or > Thymeleaf) which loops through and replicates some HTML element (e.g. an > {{}} inside an {{}}) for each value in a list. It assigns each value, > one at a time, to a variable {{it}} in the context. That is working fine. But > on each iteration it also assigns {{iter}} in the context, with the value > being an instance of > [{{MeshIterator}}|https://github.com/globalmentor/guise-mummy/blob/main/mesh/src/main/java/io/guise/mesh/MeshIterator.java]. > That object has, among other things, {{getCurrent()}}: > {code:java} > /** > * Returns the current item. This will be the result of the last successful > call to {@link #next()}. > * @throws NoSuchElementException if iteration has not yet started. > * @return The current item. > */ > public Object getCurrent() { ... } > {code} > To make a long story short, the MEXL expression should be able to use > {{iter.current}} to get the value, but it's not finding it. I traced through > the new code, and it's finding the {{MeshIterator}} instance just fine and > assigning it to {{iter}}. The problem is that JEXL's {{ClassMap}} (probably > inside {{create()}}) is not finding and caching {{getCurrent()}} mapped to > the {{current}} property. > It looks like {{Permissions.allow()}} for method > {{MeshIterator.getCurrent()}}, is falling through to the end and returning > {{explicit[0]}}, which happens to be {{false}}. It looks like this comes from > {{wildcardAllow(Class clazz)}}, which eventually calls > {{wildcardAllow(Set allowed, String name)}}. There's what I presume > to be a set of allowed packages. Is that new? Do we have to explicitly > provide a list of allowed packages for property discovery via reflection now? > To reproduce this: > # Clone [Guise Mummy > 0.5.3|https://github.com/globalmentor/guise-mummy/releases/tag/v0.5.3]. > # In the overall project {{pom.xml}}, change the version of > {{org.apache.commons:commons-jexl3}} from {{3.1}} to > {{3.3-SNAPSHOT}}. (You'll also need to add the > {{https://repository.apache.org/content/repositories/snapshots/}} repository > in the POM.) > # Run {{mvn clean verify}}. > You'll see that {{io.guise.mesh.GuiseMeshTest.testMxEachWithIterVar()}} will > fail because {{iter.current}} can't be found. -- This message was sent by Atlassian Jira (v8.20.10#820010)