SonarQube Plugins
SONARPLUGINS-1201

Struts tags support: wrongly report Invalid OGNL Expression

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: WEB-1.1
    • Fix Version/s: WEB-1.2
    • Component/s: Web
    • Labels: None
    • Number of attachments: 0

      Description

      SONARPLUGINS-1088 is okay now, but we got other issues:

      1, wrongly treats all JSTL tags as OGNL, for example: ${pageContext.request.contextPath}

      2, cannot recognize all the OGNL surrounded by %{}

        Activity

        Matthijs Galesloot added a comment -

        Hi Sean

        I might need some help because I am not an expert in OGNL and how it is used in Struts.

        Could you give an example of an unrecognized expression - surrounded by %{}. I do not understand why these are missed.

        Would it be OK to skip all expressions with ${ to avoid issue 1? Or should some expressions with ${ be parsed as OGNL?

        Sean Zou added a comment -

        Thanks for the quick response, Matthijs.

        %{} is supposed to get the string value of a field. For example:
        <s:hidden value="%{fieldname}" name="fieldname"/>
        From http://struts.apache.org/2.2.3/docs/ognl.html, there are more:
        <s:textfield name="username" label="%{#request.foo}" />
        <s:select label="label" name="name" list="{'name1','name2','name3'}" value="%{'name2'}" />

        Skipping all the expressions with ${ should work for us; it is just used for JSTL EL.

        Matthijs Galesloot added a comment -

        New version implemented. Expressions starting with %{ or # are sent to the OGNL parser for validation.

        Would you please validate the snapshot version of the plugin? It is available at: http://snapshots.repository.codehaus.org/org/codehaus/sonar-plugins/sonar-web-plugin/1.2-SNAPSHOT/sonar-web-plugin-1.2-20110608.065716-2.jar

        Sean Zou added a comment -

        Thanks, Matthijs.
        We tried it; here is the list of issues found:
        1, reports Invalid OGNL Expression for html like:
        <a href="#" ></a>
        <form action="#" method="post">
        2, reports Invalid OGNL Expression for:
        <s:textfield name="username" label="%{foo}-%{bar}" />
        <input type="text" name="#{foo}_#{bar}" />

        Matthijs Galesloot added a comment -

        Update: Expressions between %{} and #{} are sent to the OGNL parser for validation. This also works for multiple expressions in an attribute value, such as "%{foo}-%{bar}".

        New version available at http://snapshots.repository.codehaus.org/org/codehaus/sonar-plugins/sonar-web-plugin/1.2-SNAPSHOT/sonar-web-plugin-1.2-20110609.065246-3.jar

        Could you also advise me on an open source product using OGNL expressions that we can use for testing?

        Sean Zou added a comment -

        I guess you can test with Shopizer and Apache Roller:
        http://www.shopizer.com/download.html
        http://roller.apache.org/downloads.html

        stephane Renou added a comment -

        Hello,
        Is there any plan to generate a Web 1.2 with that fix, as the snapshot is reported not to be compliant with Sonar 1.12?

        Fabrice Bellingard added a comment -

        I fixed one last case which was not handled properly: when you have nested brackets, like in the following example:

        <mytag myattribute="%{'${somevariable}'}"/>

        As it now seems to fully work, I've included the rule in the default profile.

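The extraction rules this thread converges on (expressions between %{} and #{} go to the OGNL parser, ${} is JSTL EL and is skipped, a bare # such as href="#" is not an expression, several expressions may share one attribute value as in "%{foo}-%{bar}", and braces nest as in %{'${somevariable}'}) written out as an added Python example. This is not the sonar-web-plugin's code. The real OGNL parser is not available here, so ognl_syntax_ok is an assumed stand-in that only checks for non-empty, bracket- and quote-balanced bodies; ATTR_RE, extract_expressions, find_invalid_ognl and the sample tags are constructed for this example (the tags are those quoted in the comments above plus one deliberately malformed attribute).

```python
import re
from typing import List, Tuple

# Delimiters as described in the issue thread: %{...} and #{...} are Struts OGNL,
# ${...} is JSTL EL and must not be sent to the OGNL parser.
OGNL_PREFIXES = ("%{", "#{")
JSTL_PREFIX = "${"

# Matches name="value" attributes inside tags (constructed for this example;
# sufficient for the double-quoted attributes quoted in the thread).
ATTR_RE = re.compile(r'([\w:.-]+)\s*=\s*"([^"]*)"')


def extract_expressions(value: str) -> List[Tuple[str, str, bool]]:
    """Return (prefix, body, closed) for each %{...}, #{...} or ${...} in an attribute value.

    Braces are counted so that a nested '${...}' inside '%{...}' stays part of the
    outer expression. A bare '#' (href="#") is never followed by '{' and is ignored.
    """
    found = []
    i, n = 0, len(value)
    while i < n:
        prefix = value[i:i + 2]
        if prefix not in OGNL_PREFIXES and prefix != JSTL_PREFIX:
            i += 1
            continue
        depth = 0
        j = i + 1
        while j < n:
            if value[j] == "{":
                depth += 1
            elif value[j] == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        if j >= n:  # unterminated expression: keep it so the rule can flag it
            found.append((prefix, value[i + 2:], False))
            break
        found.append((prefix, value[i + 2:j], True))
        i = j + 1
    return found


def ognl_syntax_ok(expr: str) -> bool:
    """Assumed stand-in for the real OGNL parser: non-empty, balanced quotes and brackets."""
    if not expr.strip():
        return False
    closing = {")": "(", "]": "[", "}": "{"}
    stack: List[str] = []
    quote = None
    for ch in expr:
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch in "([{":
            stack.append(ch)
        elif ch in closing:
            if not stack or stack.pop() != closing[ch]:
                return False
    return quote is None and not stack


def render(prefix: str, body: str, closed: bool) -> str:
    """Rebuild the expression text as it appeared in the attribute."""
    return prefix + body + ("}" if closed else "")


def ognl_in(jsp: str) -> List[str]:
    """All expressions that would be handed to the OGNL parser (JSTL EL excluded)."""
    return [render(p, b, c)
            for _, value in ATTR_RE.findall(jsp)
            for p, b, c in extract_expressions(value)
            if p != JSTL_PREFIX]


def find_invalid_ognl(jsp: str) -> List[Tuple[str, str]]:
    """(attribute, expression) pairs the rule would report as Invalid OGNL Expression."""
    invalid = []
    for attr, value in ATTR_RE.findall(jsp):
        for p, b, c in extract_expressions(value):
            if p == JSTL_PREFIX:
                continue
            if not c or not ognl_syntax_ok(b):
                invalid.append((attr, render(p, b, c)))
    return invalid


# Constructed sample: the tags quoted in the thread plus one deliberately malformed attribute.
SAMPLE_JSP = """
<a href="#" ></a>
<form action="#" method="post">
<div id="${pageContext.request.contextPath}"></div>
<s:textfield name="username" label="%{foo}-%{bar}" />
<input type="text" name="#{foo}_#{bar}" />
<mytag myattribute="%{'${somevariable}'}"/>
<s:select label="label" name="name" list="{'name1','name2','name3'}" value="%{'name2'}" />
<s:textfield name="broken" label="%{#request.foo(}" />
"""

if __name__ == "__main__":
    for expr in ognl_in(SAMPLE_JSP):
        print("OGNL:", expr)
    for attr, expr in find_invalid_ognl(SAMPLE_JSP):
        print("Invalid OGNL Expression in attribute", attr, "->", expr)
```

Running the block on SAMPLE_JSP lists seven OGNL expressions (the bare list="{...}" attribute and the ${...} JSTL value are not among them) and reports exactly one invalid one, the constructed label with the unclosed parenthesis; swapping ognl_syntax_ok for a call into the real OGNL parser is the only change needed to turn this into the actual rule.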
        Freddy Mallet added a comment -

        Manually tested!


          People

          • Assignee: Fabrice Bellingard
          • Reporter: Sean Zou
          • Votes: 1
          • Watchers: 2