[jira] [Comment Edited] (JEXL-388) v3.3-SNAPSHOT doesn't find public getter as property

2022-11-30 Thread Garret Wilson (Jira) 


[ 
https://issues.apache.org/jira/browse/JEXL-388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17641437#comment-17641437
 ] 

Garret Wilson edited comment on JEXL-388 at 11/30/22 4:35 PM:
--

{quote}… to restrict what JEXL can see using permissions …{quote}

On the face of it that sounds reasonable. Where can I find the documentation 
for this, since this is a breaking change?

{quote}Btw, any comment on JEXL-342?{quote}

I'm not sure what comment you want. That was a feature request that is still 
open, even though a third party indicated they had added something to a 
modified fork of the library.

In any case JEXL is pretty much stuck at the same place it was years ago, since 
v3.2.1 is completely broken because of JEXL-387, v3.3 is not released, and 
[there will be no v3.2.2 to fix the 
bug|https://issues.apache.org/jira/browse/JEXL-387?focusedCommentId=17640302=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17640302].


was (Author: garretwilson):
{quote}… to restrict what JEXL can see using permissions …{quote}

On the face of it that sounds reasonable. Where can I find the documentation 
for this, since this is a breaking change?

{quote}Btw, any comment on JEXL-342?{quote}

I'm not sure what comment you want. That was a feature request that is still 
open, even though a third party indicated they had added something to a 
modified fork of the library.

> v3.3-SNAPSHOT doesn't find public getter as property
> 
>
> Key: JEXL-388
> URL: https://issues.apache.org/jira/browse/JEXL-388
> Project: Commons JEXL
>  Issue Type: Bug
>Affects Versions: 3.3
> Environment: Java 17; Windows 10
>Reporter: Garret Wilson
>Priority: Major
>
> In my [Guise Mummy|https://github.com/globalmentor/guise-mummy] static site 
> generator I'm using JEXL to interpret the built-in [Mesh Expression 
> Language|https://github.com/globalmentor/guise-mummy/tree/main/mesh] (MEXL). 
> Everything was working fine with JEXL 3.1. In fact the entire [Guise Mummy 
> web site|https://guise.io/mummy/] itself was produced using Guise Mummy with 
> MEXL on top of JEXL. But when I upgrade to JEXL 3.3-SNAPSHOT, a couple of 
> unit tests break. In particular, the new version doesn't seem to find a 
> public getter method on a custom public class as a property.
> In the Mesh templating, we have an {{mx:each}} attribute (similar to JSP or 
> Thymeleaf) which loops through and replicates some HTML element (e.g. an 
> {{}} inside an {{}}) for each value in a list. It assigns each value, 
> one at a time, to a variable {{it}} in the context. That is working fine. But 
> on each iteration it also assigns {{iter}} in the context, with the value 
> being an instance of 
> [{{MeshIterator}}|https://github.com/globalmentor/guise-mummy/blob/main/mesh/src/main/java/io/guise/mesh/MeshIterator.java].
>  That object has, among other things, {{getCurrent()}}:
> {code:java}
> /**
>  * Returns the current item. This will be the result of the last successful 
> call to {@link #next()}.
>  * @throws NoSuchElementException if iteration has not yet started.
>  * @return The current item.
>  */
> public Object getCurrent() { ... }
> {code}
> To make a long story short, the MEXL expression should be able to use 
> {{iter.current}} to get the value, but it's not finding it. I traced through 
> the new code, and it's finding the {{MeshIterator}} instance just fine and 
> assigning it to {{iter}}. The problem is that JEXL's {{ClassMap}} (probably 
> inside {{create()}}) is not finding and caching {{getCurrent()}} mapped to 
> the {{current}} property.
> It looks like {{Permissions.allow()}} for method 
> {{MeshIterator.getCurrent()}}, is falling through to the end and returning 
> {{explicit[0]}}, which happens to be {{false}}. It looks like this comes from 
> {{wildcardAllow(Class clazz)}}, which eventually calls 
> {{wildcardAllow(Set allowed, String name)}}. There's what I presume 
> to be a set of allowed packages. Is that new? Do we have to explicitly 
> provide a list of allowed packages for property discovery via reflection now?
> To reproduce this:
> # Clone [Guise Mummy 
> 0.5.3|https://github.com/globalmentor/guise-mummy/releases/tag/v0.5.3].
> # In the overall project {{pom.xml}}, change the version of 
> {{org.apache.commons:commons-jexl3}} from {{3.1}} to 
> {{3.3-SNAPSHOT}}. (You'll also need to add the 
> {{https://repository.apache.org/content/repositories/snapshots/}} repository 
> in the POM.)
> # Run {{mvn clean verify}}.
> You'll see that {{io.guise.mesh.GuiseMeshTest.testMxEachWithIterVar()}} will 
> fail because {{iter.current}} can't be found.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Comment Edited] (JEXL-388) v3.3-SNAPSHOT doesn't find public getter as property

2022-11-29 Thread Henri Biestro (Jira) 


[ 
https://issues.apache.org/jira/browse/JEXL-388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17640643#comment-17640643
 ] 

Henri Biestro edited comment on JEXL-388 at 11/29/22 12:06 PM:
---

Current trunk default is to restrict what JEXL can see using permissions 
(JexlPermissions).
To revert to previous (security oblivious) setting:
{code}
JexlEngine jexl = new JexlBuilder() 
 ...permissions(JexlPermissions.UNRESTRICTED) .create();
{code}
Or more globall, before creating the builder:
{code}
JexlBuilder.setDefaultPermissions(JexlPermissions.UNRESTRICTED);
{code}
Btw, any comment on [JEXL-342|https://issues.apache.org/jira/browse/JEXL-342]?


was (Author: henrib):
Current trunk default is to restrict what JEXL can see using permissions 
(JexlPermissions).
To revert to previous (security oblivious) setting:
{code}
JexlEngine jexl = new JexlBuilder() 
 ...permissions(JexlPermissions.UNRESTRICTED) .create();
{code}

Btw, any comment on [JEXL-342|https://issues.apache.org/jira/browse/JEXL-342]?

> v3.3-SNAPSHOT doesn't find public getter as property
> 
>
> Key: JEXL-388
> URL: https://issues.apache.org/jira/browse/JEXL-388
> Project: Commons JEXL
>  Issue Type: Bug
>Affects Versions: 3.3
> Environment: Java 17; Windows 10
>Reporter: Garret Wilson
>Priority: Major
>
> In my [Guise Mummy|https://github.com/globalmentor/guise-mummy] static site 
> generator I'm using JEXL to interpret the built-in [Mesh Expression 
> Language|https://github.com/globalmentor/guise-mummy/tree/main/mesh] (MEXL). 
> Everything was working fine with JEXL 3.1. In fact the entire [Guise Mummy 
> web site|https://guise.io/mummy/] itself was produced using Guise Mummy with 
> MEXL on top of JEXL. But when I upgrade to JEXL 3.3-SNAPSHOT, a couple of 
> unit tests break. In particular, the new version doesn't seem to find a 
> public getter method on a custom public class as a property.
> In the Mesh templating, we have an {{mx:each}} attribute (similar to JSP or 
> Thymeleaf) which loops through and replicates some HTML element (e.g. an 
> {{}} inside an {{}}) for each value in a list. It assigns each value, 
> one at a time, to a variable {{it}} in the context. That is working fine. But 
> on each iteration it also assigns {{iter}} in the context, with the value 
> being an instance of 
> [{{MeshIterator}}|https://github.com/globalmentor/guise-mummy/blob/main/mesh/src/main/java/io/guise/mesh/MeshIterator.java].
>  That object has, among other things, {{getCurrent()}}:
> {code:java}
> /**
>  * Returns the current item. This will be the result of the last successful 
> call to {@link #next()}.
>  * @throws NoSuchElementException if iteration has not yet started.
>  * @return The current item.
>  */
> public Object getCurrent() { ... }
> {code}
> To make a long story short, the MEXL expression should be able to use 
> {{iter.current}} to get the value, but it's not finding it. I traced through 
> the new code, and it's finding the {{MeshIterator}} instance just fine and 
> assigning it to {{iter}}. The problem is that JEXL's {{ClassMap}} (probably 
> inside {{create()}}) is not finding and caching {{getCurrent()}} mapped to 
> the {{current}} property.
> It looks like {{Permissions.allow()}} for method 
> {{MeshIterator.getCurrent()}}, is falling through to the end and returning 
> {{explicit[0]}}, which happens to be {{false}}. It looks like this comes from 
> {{wildcardAllow(Class clazz)}}, which eventually calls 
> {{wildcardAllow(Set allowed, String name)}}. There's what I presume 
> to be a set of allowed packages. Is that new? Do we have to explicitly 
> provide a list of allowed packages for property discovery via reflection now?
> To reproduce this:
> # Clone [Guise Mummy 
> 0.5.3|https://github.com/globalmentor/guise-mummy/releases/tag/v0.5.3].
> # In the overall project {{pom.xml}}, change the version of 
> {{org.apache.commons:commons-jexl3}} from {{3.1}} to 
> {{3.3-SNAPSHOT}}. (You'll also need to add the 
> {{https://repository.apache.org/content/repositories/snapshots/}} repository 
> in the POM.)
> # Run {{mvn clean verify}}.
> You'll see that {{io.guise.mesh.GuiseMeshTest.testMxEachWithIterVar()}} will 
> fail because {{iter.current}} can't be found.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Comment Edited] (JEXL-388) v3.3-SNAPSHOT doesn't find public getter as property

2022-11-29 Thread Henri Biestro (Jira) 


[ 
https://issues.apache.org/jira/browse/JEXL-388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17640643#comment-17640643
 ] 

Henri Biestro edited comment on JEXL-388 at 11/29/22 12:04 PM:
---

Current trunk default is to restrict what JEXL can see using permissions 
(JexlPermissions).
To revert to previous (security oblivious) setting:
{code}
JexlEngine jexl = new JexlBuilder() 
 ...permissions(JexlPermissions.UNRESTRICTED) .create();
{code}

Btw, any comment on [JEXL-342|https://issues.apache.org/jira/browse/JEXL-342]?


was (Author: henrib):
Current trunk default is to restrict what JEXL can see using permissions 
(JexlPermissions).
To revert to previous (security oblivious) setting:
{code}
JexlEngine jexl = new JexlBuilder()
.permissions(JexlPermissions.UNRESTRICTED)
.sandbox(sandbox)
.safe(false)
.strict(true)
.create();
{code}

Btw, any comment on [JEXL-342|https://issues.apache.org/jira/browse/JEXL-342]?

> v3.3-SNAPSHOT doesn't find public getter as property
> 
>
> Key: JEXL-388
> URL: https://issues.apache.org/jira/browse/JEXL-388
> Project: Commons JEXL
>  Issue Type: Bug
>Affects Versions: 3.3
> Environment: Java 17; Windows 10
>Reporter: Garret Wilson
>Priority: Major
>
> In my [Guise Mummy|https://github.com/globalmentor/guise-mummy] static site 
> generator I'm using JEXL to interpret the built-in [Mesh Expression 
> Language|https://github.com/globalmentor/guise-mummy/tree/main/mesh] (MEXL). 
> Everything was working fine with JEXL 3.1. In fact the entire [Guise Mummy 
> web site|https://guise.io/mummy/] itself was produced using Guise Mummy with 
> MEXL on top of JEXL. But when I upgrade to JEXL 3.3-SNAPSHOT, a couple of 
> unit tests break. In particular, the new version doesn't seem to find a 
> public getter method on a custom public class as a property.
> In the Mesh templating, we have an {{mx:each}} attribute (similar to JSP or 
> Thymeleaf) which loops through and replicates some HTML element (e.g. an 
> {{}} inside an {{}}) for each value in a list. It assigns each value, 
> one at a time, to a variable {{it}} in the context. That is working fine. But 
> on each iteration it also assigns {{iter}} in the context, with the value 
> being an instance of 
> [{{MeshIterator}}|https://github.com/globalmentor/guise-mummy/blob/main/mesh/src/main/java/io/guise/mesh/MeshIterator.java].
>  That object has, among other things, {{getCurrent()}}:
> {code:java}
> /**
>  * Returns the current item. This will be the result of the last successful 
> call to {@link #next()}.
>  * @throws NoSuchElementException if iteration has not yet started.
>  * @return The current item.
>  */
> public Object getCurrent() { ... }
> {code}
> To make a long story short, the MEXL expression should be able to use 
> {{iter.current}} to get the value, but it's not finding it. I traced through 
> the new code, and it's finding the {{MeshIterator}} instance just fine and 
> assigning it to {{iter}}. The problem is that JEXL's {{ClassMap}} (probably 
> inside {{create()}}) is not finding and caching {{getCurrent()}} mapped to 
> the {{current}} property.
> It looks like {{Permissions.allow()}} for method 
> {{MeshIterator.getCurrent()}}, is falling through to the end and returning 
> {{explicit[0]}}, which happens to be {{false}}. It looks like this comes from 
> {{wildcardAllow(Class clazz)}}, which eventually calls 
> {{wildcardAllow(Set allowed, String name)}}. There's what I presume 
> to be a set of allowed packages. Is that new? Do we have to explicitly 
> provide a list of allowed packages for property discovery via reflection now?
> To reproduce this:
> # Clone [Guise Mummy 
> 0.5.3|https://github.com/globalmentor/guise-mummy/releases/tag/v0.5.3].
> # In the overall project {{pom.xml}}, change the version of 
> {{org.apache.commons:commons-jexl3}} from {{3.1}} to 
> {{3.3-SNAPSHOT}}. (You'll also need to add the 
> {{https://repository.apache.org/content/repositories/snapshots/}} repository 
> in the POM.)
> # Run {{mvn clean verify}}.
> You'll see that {{io.guise.mesh.GuiseMeshTest.testMxEachWithIterVar()}} will 
> fail because {{iter.current}} can't be found.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Comment Edited] (JEXL-388) v3.3-SNAPSHOT doesn't find public getter as property

2022-11-29 Thread Henri Biestro (Jira) 


[ 
https://issues.apache.org/jira/browse/JEXL-388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17640643#comment-17640643
 ] 

Henri Biestro edited comment on JEXL-388 at 11/29/22 12:03 PM:
---

Current trunk default is to restrict what JEXL can see using permissions 
(JexlPermissions).
To revert to previous (security oblivious) setting:
{code}
JexlEngine jexl = new JexlBuilder()
.permissions(JexlPermissions.UNRESTRICTED)
.sandbox(sandbox)
.safe(false)
.strict(true)
.create();
{code}

Btw, any comment on [JEXL-342|https://issues.apache.org/jira/browse/JEXL-342]?


was (Author: henrib):
Current trunk default is to restrict what JEXL can see using permissions 
(JexlPermissions).
To revert to previous (security oblivious) setting:
{code}
JexlEngine jexl = new JexlBuilder()
.permissions(JexlPermissions.UNRESTRICTED)
.sandbox(sandbox)
.safe(false)
.strict(true)
.create();
{code}

> v3.3-SNAPSHOT doesn't find public getter as property
> 
>
> Key: JEXL-388
> URL: https://issues.apache.org/jira/browse/JEXL-388
> Project: Commons JEXL
>  Issue Type: Bug
>Affects Versions: 3.3
> Environment: Java 17; Windows 10
>Reporter: Garret Wilson
>Priority: Major
>
> In my [Guise Mummy|https://github.com/globalmentor/guise-mummy] static site 
> generator I'm using JEXL to interpret the built-in [Mesh Expression 
> Language|https://github.com/globalmentor/guise-mummy/tree/main/mesh] (MEXL). 
> Everything was working fine with JEXL 3.1. In fact the entire [Guise Mummy 
> web site|https://guise.io/mummy/] itself was produced using Guise Mummy with 
> MEXL on top of JEXL. But when I upgrade to JEXL 3.3-SNAPSHOT, a couple of 
> unit tests break. In particular, the new version doesn't seem to find a 
> public getter method on a custom public class as a property.
> In the Mesh templating, we have an {{mx:each}} attribute (similar to JSP or 
> Thymeleaf) which loops through and replicates some HTML element (e.g. an 
> {{}} inside an {{}}) for each value in a list. It assigns each value, 
> one at a time, to a variable {{it}} in the context. That is working fine. But 
> on each iteration it also assigns {{iter}} in the context, with the value 
> being an instance of 
> [{{MeshIterator}}|https://github.com/globalmentor/guise-mummy/blob/main/mesh/src/main/java/io/guise/mesh/MeshIterator.java].
>  That object has, among other things, {{getCurrent()}}:
> {code:java}
> /**
>  * Returns the current item. This will be the result of the last successful 
> call to {@link #next()}.
>  * @throws NoSuchElementException if iteration has not yet started.
>  * @return The current item.
>  */
> public Object getCurrent() { ... }
> {code}
> To make a long story short, the MEXL expression should be able to use 
> {{iter.current}} to get the value, but it's not finding it. I traced through 
> the new code, and it's finding the {{MeshIterator}} instance just fine and 
> assigning it to {{iter}}. The problem is that JEXL's {{ClassMap}} (probably 
> inside {{create()}}) is not finding and caching {{getCurrent()}} mapped to 
> the {{current}} property.
> It looks like {{Permissions.allow()}} for method 
> {{MeshIterator.getCurrent()}}, is falling through to the end and returning 
> {{explicit[0]}}, which happens to be {{false}}. It looks like this comes from 
> {{wildcardAllow(Class clazz)}}, which eventually calls 
> {{wildcardAllow(Set allowed, String name)}}. There's what I presume 
> to be a set of allowed packages. Is that new? Do we have to explicitly 
> provide a list of allowed packages for property discovery via reflection now?
> To reproduce this:
> # Clone [Guise Mummy 
> 0.5.3|https://github.com/globalmentor/guise-mummy/releases/tag/v0.5.3].
> # In the overall project {{pom.xml}}, change the version of 
> {{org.apache.commons:commons-jexl3}} from {{3.1}} to 
> {{3.3-SNAPSHOT}}. (You'll also need to add the 
> {{https://repository.apache.org/content/repositories/snapshots/}} repository 
> in the POM.)
> # Run {{mvn clean verify}}.
> You'll see that {{io.guise.mesh.GuiseMeshTest.testMxEachWithIterVar()}} will 
> fail because {{iter.current}} can't be found.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)