Kusal experimental

Author: kusalk

core/src/main/java/com/opensymphony/xwork2/config/providers/XmlDocConfigurationProvider.java

@@ -109,6 +109,11 @@ public void setValueSubstitutor(ValueSubstitutor valueSubstitutor) {
         this.valueSubstitutor = valueSubstitutor;
     }
 
+    @Inject
+    public void setProviderAllowlist(ProviderAllowlist providerAllowlist) {
+        this.providerAllowlist = providerAllowlist;
+    }
+
     public XmlDocConfigurationProvider(Document... documents) {
         this.documents = Arrays.asList(documents);
     }
@@ -135,11 +140,6 @@ public void init(Configuration configuration) {
         this.configuration = configuration;
     }
 
-    private void registerAllowlist() {
-        providerAllowlist = configuration.getContainer().getInstance(ProviderAllowlist.class);
-        providerAllowlist.registerAllowlist(this, allowlistClasses);
-    }
-
     @Override
     public void destroy() {
         if (providerAllowlist != null) {
@@ -152,6 +152,7 @@ protected Class<?> allowAndLoadClass(String className) throws ClassNotFoundExcep
         allowlistClasses.add(clazz);
         allowlistClasses.addAll(ClassUtils.getAllSuperclasses(clazz));
         allowlistClasses.addAll(ClassUtils.getAllInterfaces(clazz));
+        providerAllowlist.registerAllowlist(this, allowlistClasses);
         return clazz;
     }
 
@@ -333,7 +334,6 @@ public void loadPackages() throws ConfigurationException {
         }
 
         declaredPackages.clear();
-        registerAllowlist();
         configuration = null;
     }
 

core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java

@@ -859,23 +859,14 @@ protected Map<String, Object> createDefaultContext(Object root) {
         return createDefaultContext(root, null);
     }
 
-    /**
-     * Note that the allowlist capability is not enforced by the {@link OgnlContext} returned by this method. Currently,
-     * this context is only leveraged by some public methods on {@link OgnlUtil} which are called by
-     * {@link OgnlReflectionProvider}.
-     */
     protected Map<String, Object> createDefaultContext(Object root, ClassResolver resolver) {
         if (resolver == null) {
             resolver = container.getInstance(RootAccessor.class);
             if (resolver == null) {
                 throw new IllegalStateException("Cannot find ClassResolver");
             }
         }
-
-        SecurityMemberAccess memberAccess = container.getInstance(SecurityMemberAccess.class);
-        memberAccess.useEnforceAllowlistEnabled(Boolean.FALSE.toString());
-
-        return Ognl.createDefaultContext(root, memberAccess, resolver, defaultConverter);
+        return Ognl.createDefaultContext(root, container.getInstance(SecurityMemberAccess.class), resolver, defaultConverter);
     }
 
     @FunctionalInterface

core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java

@@ -479,6 +479,12 @@ public void useExcludedPackageExemptClasses(String commaDelimitedClasses) {
     @Inject(value = StrutsConstants.STRUTS_ALLOWLIST_ENABLE, required = false)
     public void useEnforceAllowlistEnabled(String enforceAllowlistEnabled) {
         this.enforceAllowlistEnabled = BooleanUtils.toBoolean(enforceAllowlistEnabled);
+        if (!this.enforceAllowlistEnabled) {
+            String msg = "OGNL allowlist is disabled!" +
+                    " We strongly recommend keeping it enabled to protect against critical vulnerabilities." +
+                    " Set the configuration `{}=true` to enable it.";
+            LOG.warn(msg, StrutsConstants.STRUTS_ALLOWLIST_ENABLE);
+        }
     }
 
     @Inject(value = STRUTS_ALLOWLIST_CLASSES, required = false)