OGNL
{{ Infobox software
| name = OGNL
| screenshot =
| caption =
| developer = OGNL Technology
| latest release version = 3.0.8
| latest release date = {{release date|2013|09|24}}
| operating system = Cross-platform
| platform = Java Virtual Machine
| programming language = Java
| genre = Expression Language (EL)
| license = BSD License
| website = http://commons.apache.org/ognl/
}}
Object-Graph Navigation Language (OGNL) is an open-source Expression Language (EL) for Java, which, while using simpler expressions than the full range of those supported by the Java language, allows getting and setting properties (through defined setProperty and getProperty methods, found in JavaBeans), and execution of methods of Java classes. It also allows for simpler array manipulation.
It is aimed to be used in Java EE applications with taglibs as expression language.
OGNL was created by Luke Blanshard and Drew Davidson of OGNL Technology.{{citation |url=http://www.ognl.org/ |title=ognl.org| archiveurl=https://web.archive.org/web/20081025020323/http://www.ognl.org/ |archivedate=25 October 2008 |work=OGNL Technology, Inc|accessdate=5 November 2013}} OGNL development was continued by OpenSymphony, which closed in 2011.{{cite web|title=OpenSymphony, RIP (2000 - 2011)|url=http://www.opensymphony.com/|work=Open Symphony|accessdate=1 June 2011|url-status=dead|archiveurl=https://web.archive.org/web/20130905011554/http://www.opensymphony.com/|archivedate=5 September 2013}} OGNL is developed now as a part of the Apache Commons.
OGNL Technology
OGNL began as a way to map associations between front-end components and back-end objects using property names. As these associations gathered more features, Drew Davidson created Key-Value Coding language (KVCL). Luke Blanshard then reimplemented KVCL using ANTLR and started using the name OGNL. The technology was again reimplemented using the Java Compiler Compiler (JavaCC).
OGNL uses Java reflection and introspection to address the Object Graph of the runtime application. This allows the program to change behavior based on the state of the object graph instead of relying on compile time settings. It also allows changes to the object graph.
Projects using OGNL
- WebWork and its successor Struts2
- Tapestry (4 and earlier)
- Spring Web Flow
- Apache Click
- MyBatis - SQL mapper framework
- The Thymeleaf - A Java XML/XHTML/HTML5 template engine
- FreeMarker - A Java template engine
OGNL security issues
Due to its ability to create or change executable code, OGNL is capable of introducing critical security flaws to any framework that uses it.{{citation needed|date=September 2017}} Multiple Apache Struts 2 versions have been vulnerable to OGNL security flaws.{{cite web |url=https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-6117/Apache-Struts.html |title=Apache Struts : List of security vulnerabilities |website=cvedetails.com |accessdate=October 2, 2017}} As of October 2017, the recommended version of Struts 2 is 2.5.13.{{cite web |url=https://struts.apache.org/downloads.html |title=Apache Struts Releases |website=struts.apache.org |accessdate=October 2, 2017}} Users are urged to upgrade to the latest version, as older revisions have documented security vulnerabilities — for example, Struts 2 versions 2.3.5 through 2.3.31, and 2.5 through 2.5.10, allow remote attackers to execute arbitrary code.{{cite web |url=https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/ |title=Critical vulnerability under "massive" attack imperils high-impact sites [Updated] |first=Dan |last=Goodin |website=Ars Technica |date=March 9, 2017 |accessdate=October 2, 2017}} Atlassian Confluence has repeatedly{{Cite web|title=[CONFSERVER-67940] Confluence Server Webwork OGNL injection - CVE-2021-26084 - Create and track feature requests for Atlassian products.|url=https://jira.atlassian.com/browse/CONFSERVER-67940|access-date=2021-10-18|website=jira.atlassian.com}}{{Cite web|title=[CONFSERVER-79000] Unauthenticated remote code execution vulnerability via OGNL template injection (CVE-2022-26134)|url=https://jira.atlassian.com/browse/CONFSERVER-79000|access-date=2022-06-03|website=jira.atlassian.com}} been affected by OGNL security issues that allowed arbitrary remote code execution, and required all users to update.
See also
{{Portal|Computer programming|Free and open-source software}}
External links
- [https://github.com/jkuhnert/ognl OGNL 3.x maintenance branch]
- [http://commons.apache.org/ognl/ OGNL 4.x Homepage (Apache)]
- [http://www.securityfocus.com/bid/60346 Apache Struts CVE-2013-2134 OGNL Expression Injection Vulnerability]