Velocity property warning fixes

.github/workflows/codeql-analysis.yml

@@ -40,9 +40,6 @@ jobs:
       with:
         java-version: 11
 
-    - name: Build with Maven
-      run: mvn -DskipTests=true install
-
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v1
@@ -53,21 +50,8 @@ jobs:
         # Prefix the list here with "+" to use these queries and those in the config file.
         # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
-
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
-
-    #- run: |
-    #   make bootstrap
-    #   make release
+    - name: Build with Maven
+      run: mvn -DskipTests=true -V -ntp install
 
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@v1

app/src/main/java/org/apache/roller/planet/tasks/GeneratePlanetTask.java

@@ -40,7 +40,7 @@
  */
 public class GeneratePlanetTask extends PlanetTask {
 
-    private static Log log = LogFactory.getLog(GeneratePlanetTask.class);
+    private static final Log log = LogFactory.getLog(GeneratePlanetTask.class);
 
 
     @Override
@@ -68,7 +68,7 @@ public void run() {
 
             // Fire up Velocity engine, point it at templates and init
             VelocityEngine engine = new VelocityEngine();
-            engine.setProperty("resource.loader","file");
+            engine.setProperty("resource.loaders", "file");
             engine.setProperty("file.resource.loader.class",
               "org.apache.velocity.runtime.resource.loader.FileResourceLoader");
             engine.setProperty("file.resource.loader.path", templateDir);

app/src/main/java/org/apache/roller/weblogger/ui/rendering/mobile/MobileDeviceRepository.java

@@ -17,24 +17,24 @@
  */
 package org.apache.roller.weblogger.ui.rendering.mobile;
 
+import java.util.regex.Pattern;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
+import static org.apache.roller.weblogger.ui.rendering.mobile.MobileDeviceRepository.DeviceType.*;
 
 public class MobileDeviceRepository {
 
-    private static Log log = LogFactory.getLog(MobileDeviceRepository.class);
 
     public enum DeviceType {
         standard, mobile
     }
 
-    public static final String POSSIBLE_DEVICES_1 = ".*(android|avantgo|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)"
+    public static final Pattern POSSIBLE_DEVICES_1 = Pattern.compile(".*(android|avantgo|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)"
             + "|iris|kindle|lge |maemo|midp|mmp|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\\\\/|"
-            + "plucker|pocket|psp|symbian|treo|up\\\\.(browser|link)|vodafone|wap|windows (ce|phone)|xda|xiino).*";
-    public static final String POSSIBLE_DEVICES_2 = "\"1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\\\\-)|"
+            + "plucker|pocket|psp|symbian|treo|up\\\\.(browser|link)|vodafone|wap|windows (ce|phone)|xda|xiino).*");
+
+    public static final Pattern POSSIBLE_DEVICES_2 = Pattern.compile("\"1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\\\\-)|"
             + "ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\\\\-m|r |s )|"
             + "avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\\\\-(n|u)|c55\\\\/|capi|ccwa|cdm\\\\-|"
             + "cell|chtm|cldc|cmd\\\\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\\\\-s|devi|dica|dmob|do(c|p)o|ds(12|\\\\-d)|"
@@ -53,7 +53,8 @@ public enum DeviceType {
             + "ta(gt|lk)|tcl\\\\-|tdg\\\\-|tel(i|m)|tim\\\\-|t\\\\-mo|to(pl|sh)|ts(70|m\\\\-|m3|m5)|tx\\\\-9|"
             + "up(\\\\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\\\\-v)|vm40|voda|vulc|"
             + "vx(52|53|60|61|70|80|81|83|85|98)|w3c(\\\\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|xda(\\\\-|2|g)|"
-            + "yas\\\\-|your|zeto|zte\\\\-";
+            + "yas\\\\-|your|zeto|zte\\\\-");
+
     public static final String USER_REQUEST_TYPE = "roller_user_request_type";
     public static final String USER_AGENT_PARAMETER = "deviceType";
 
@@ -67,45 +68,35 @@ public enum DeviceType {
     public static boolean isMobileDevice(HttpServletRequest request) {
         String userAgent = request.getHeader("User-Agent");
         if (userAgent != null) {
-            userAgent = request.getHeader("User-Agent").toLowerCase();
-
-            try {
-                return (userAgent.matches(POSSIBLE_DEVICES_1) || userAgent
-                        .substring(0, 4).matches(POSSIBLE_DEVICES_2));
-            } catch (StringIndexOutOfBoundsException e) {
-                // invalid device
-                log.error("ERROR invalid userAgent type : " + userAgent);
-                return false;
-            }
+            userAgent = userAgent.toLowerCase();
 
+            return POSSIBLE_DEVICES_1.matcher(userAgent).matches()
+                || (userAgent.length() >= 4 &&
+                    POSSIBLE_DEVICES_2.matcher(userAgent.substring(0, 4)).matches());
         }
         return false;
     }
 
     public static DeviceType getRequestType(HttpServletRequest request) {
-        DeviceType type = DeviceType.standard;
 
         String deviceTypeParam = request.getParameter(USER_AGENT_PARAMETER);
         if (deviceTypeParam != null) {
-            return deviceTypeParam.trim().equals("standard") ? DeviceType.standard
-                    : DeviceType.mobile;
+            return deviceTypeParam.trim().equals("standard") ? standard : mobile;
         }
 
-        String cookie = getCookieValue(request.getCookies(), USER_REQUEST_TYPE,
-                null);
+        String cookie = getCookieValue(request.getCookies(), USER_REQUEST_TYPE, null);
         if (cookie != null) {
-            return cookie.equals("standard") ? DeviceType.standard
-                    : DeviceType.mobile;
+            return cookie.equals("standard") ? standard : mobile;
         }
 
         if (isMobileDevice(request)) {
-            type = DeviceType.mobile;
+            return mobile;
         }
-        return type;
+
+        return standard;
     }
 
-    private static String getCookieValue(Cookie[] cookies, String cookieName,
-            String defaultValue) {
+    private static String getCookieValue(Cookie[] cookies, String cookieName, String defaultValue) {
         if (cookies != null) {
             for (Cookie cookie : cookies) {
                 if (cookieName.equals(cookie.getName())) {

app/src/main/java/org/apache/roller/weblogger/ui/rendering/velocity/RollerVelocity.java

@@ -63,10 +63,10 @@ public class RollerVelocity {
 
             // Override for theme reloading
             if (themeReload) {
-                velocityProps.setProperty("class.resource.loader.cache", "false");
-                velocityProps.setProperty("class.resource.loader.modificationCheckInterval", "2");
-                velocityProps.setProperty("webapp.resource.loader.cache", "false");
-                velocityProps.setProperty("webapp.resource.loader.modificationCheckInterval", "2");
+                velocityProps.setProperty("resource.loader.class.cache", "false");
+                velocityProps.setProperty("resource.loader.class.modification_check_interval", "2");
+                velocityProps.setProperty("resource.loader.webapp.cache", "false");
+                velocityProps.setProperty("resource.loader.webapp.modification_check_interval", "2");
                 velocityProps.setProperty("velocimacro.library.autoreload", "true");
             }
 

app/src/main/java/org/apache/roller/weblogger/ui/rendering/velocity/WebappResourceLoader.java

@@ -49,15 +49,15 @@
  * 
  * The default search path is '/' (relative to the webapp root), but you can
  * change this behaviour by specifying one or more paths by mean of as many
- * webapp.resource.loader.path properties as needed in the velocity.properties
+ * resource.loader.webapp.path properties as needed in the velocity.properties
  * file.
  * 
  * All paths must be relative to the root of the webapp.
  * 
- * To enable caching and cache refreshing the webapp.resource.loader.cache and
- * webapp.resource.loader.modificationCheckInterval properties need to be set in
+ * To enable caching and cache refreshing the resource.loader.webapp.cache and
+ * resource.loader.webapp.modification_check_interval properties need to be set in
  * the velocity.properties file ... auto-reloading of global macros requires the
- * webapp.resource.loader.cache property to be set to 'false'.
+ * resource.loader.webapp.cache property to be set to 'false'.
  * 
  */
 public class WebappResourceLoader extends ResourceLoader {

app/src/main/resources/log4j2.xml

@@ -70,7 +70,7 @@ limitations under the License.
 
         <!-- roller.log; everything not defined here will end up in server.log -->
         <Logger name="org.apache.roller"       level="info"  additivity="false"> <AppenderRef ref="asyncRoller"/> </Logger>
-        <Logger name="org.apache.velocity"     level="error" additivity="false"> <AppenderRef ref="asyncRoller"/> </Logger>
+        <Logger name="org.apache.velocity"     level="info"  additivity="false"> <AppenderRef ref="asyncRoller"/> </Logger>
         <Logger name="org.springframework"     level="info"  additivity="false"> <AppenderRef ref="asyncRoller"/> </Logger>
         <Logger name="org.apache.struts2"      level="info"  additivity="false"> <AppenderRef ref="asyncRoller"/> </Logger>
         <Logger name="org.openid4java"         level="info"  additivity="false"> <AppenderRef ref="asyncRoller"/> </Logger>

app/src/main/webapp/WEB-INF/jsps/tiles/search.jsp

@@ -34,7 +34,7 @@
         style="margin: 0; padding: 0" onsubmit="return validateSearch(this)">
         <input type="text" id="q" name="q" size="20"
             maxlength="255" value="<c:out value="${param.q}" />" />
-        <input value="&nbsp;�&nbsp;" class="searchButton" type="submit">
+        <input value="&nbsp;»&nbsp;" class="searchButton" type="submit">
      </form>
      <script type="text/javascript"> 
         // <!--

app/src/main/webapp/WEB-INF/velocity.properties

@@ -15,34 +15,34 @@
 # directory of this distribution.
 
 # specify resource loaders to use
-resource.loader = webapp, theme, roller, class
+resource.loaders = webapp, theme, roller, class
 
 # theme resource loader
-theme.resource.loader.public.name=theme
-theme.resource.loader.description=Roller Theme Resource Loader
-theme.resource.loader.class=org.apache.roller.weblogger.ui.rendering.velocity.ThemeResourceLoader
-theme.resource.loader.cache=false
-theme.resource.loader.modificationCheckInterval=60
+resource.loader.theme.public.name=theme
+resource.loader.theme.description=Roller Theme Resource Loader
+resource.loader.theme.class=org.apache.roller.weblogger.ui.rendering.velocity.ThemeResourceLoader
+resource.loader.theme.cache=false
+resource.loader.theme.modification_check_interval=60
 
 # for the loader we call 'roller', use the RollerResourceLoader
-roller.resource.loader.public.name=roller
-roller.resource.loader.description=Roller Main Resource Loader
-roller.resource.loader.class=org.apache.roller.weblogger.ui.rendering.velocity.RollerResourceLoader
-roller.resource.loader.cache=false
-roller.resource.loader.modificationCheckInterval=60
+resource.loader.roller.public.name=roller
+resource.loader.roller.description=Roller Main Resource Loader
+resource.loader.roller.class=org.apache.roller.weblogger.ui.rendering.velocity.RollerResourceLoader
+resource.loader.roller.cache=false
+resource.loader.roller.modification_check_interval=60
 
 # for the loader we call 'class', use the ClasspathResourceLoader
-class.resource.loader.description = Velocity Classpath Resource Loader
-class.resource.loader.class = org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader
-class.resource.loader.cache=true
-class.resource.loader.modificationCheckInterval=60
+resource.loader.class.description = Velocity Classpath Resource Loader
+resource.loader.class.class = org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader
+resource.loader.class.cache=true
+resource.loader.class.modification_check_interval=60
 
 # for the loader we call 'webapp', use the WebappResourceLoader
-webapp.resource.loader.description=Webapp Resource Loader
-webapp.resource.loader.class=org.apache.roller.weblogger.ui.rendering.velocity.WebappResourceLoader
-webapp.resource.loader.cache=true
-webapp.resource.loader.path=/WEB-INF/velocity,/WEB-INF/velocity/templates,/WEB-INF/velocity/templates/feeds,templates/weblog,templates/planet
-webapp.resource.loader.modificationCheckInterval=60
+resource.loader.webapp.description=Webapp Resource Loader
+resource.loader.webapp.class=org.apache.roller.weblogger.ui.rendering.velocity.WebappResourceLoader
+resource.loader.webapp.cache=true
+resource.loader.webapp.path=/WEB-INF/velocity,/WEB-INF/velocity/templates,/WEB-INF/velocity/templates/feeds,templates/weblog,templates/planet
+resource.loader.webapp.modification_check_interval=60
 
 # log invalid template references?
 # set this to false to have a quieter velocity.log
@@ -52,22 +52,24 @@ runtime.log.invalid.reference=false
 runtime.log.logsystem.class=org.apache.velocity.runtime.log.SimpleLog4JLogSystem
 runtime.log.logsystem.log4j.category=org.apache.velocity
 
+# modern JVMs have fast deduplication
+runtime.string_interning=false
+
 # Override the default global library, set to blank to load no default
-velocimacro.library = weblog.vm,feeds.vm,roller-custom.vm
+velocimacro.library.path = weblog.vm,feeds.vm,roller-custom.vm
 
-# See RollerVelocity for reloading "webapp.resource.loader.path" files via WebappResourceLoader settings
+# See RollerVelocity for reloading "resource.loader.webapp.path" files via WebappResourceLoader settings
 velocimacro.library.autoreload=false
 
 # Allow Velocimacros to be defined in regular templates
-velocimacro.permissions.allow.inline=true
+velocimacro.inline.allow=true
 
 # Allow template authors to define macros in any template
-velocimacro.permissions.allow.inline.local.scope=false
+velocimacro.inline.local_scope=false
 
 # set encoding/charset to UTF-8
-input.encoding=UTF-8
-output.encoding=UTF-8
+resource.default_encoding=UTF-8
 default.contentType=text/html; charset=utf-8
 
-runtime.introspector.uberspect=org.apache.velocity.util.introspection.SecureUberspector
+introspector.uberspect.class=org.apache.velocity.util.introspection.SecureUberspector
 

app/src/main/webapp/WEB-INF/web.xml

@@ -449,6 +449,9 @@
 
     <session-config>
         <session-timeout>30</session-timeout>
+        <cookie-config>
+            <http-only>true</http-only> <!-- prohibit JS access -->
+        </cookie-config>
     </session-config>
 
     <welcome-file-list>

app/src/test/resources/WEB-INF/velocity.properties

@@ -15,33 +15,33 @@
 # directory of this distribution.
 
 # specify resource loaders to use
-resource.loader = webapp, theme, roller, class
+resource.loaders = webapp, theme, roller, class
 
 # theme resource loader
-theme.resource.loader.public.name=theme
-theme.resource.loader.description=Roller Theme Resource Loader
-theme.resource.loader.class=org.apache.roller.weblogger.ui.rendering.velocity.ThemeResourceLoader
-theme.resource.loader.cache=false
-theme.resource.loader.modificationCheckInterval=2
+resource.loader.theme.public.name=theme
+resource.loader.theme.description=Roller Theme Resource Loader
+resource.loader.theme.class=org.apache.roller.weblogger.ui.rendering.velocity.ThemeResourceLoader
+resource.loader.theme.cache=false
+resource.loader.theme.modification_check_interval=2
 
 # for the loader we call 'roller', use the RollerResourceLoader
-roller.resource.loader.public.name=roller
-roller.resource.loader.description=Roller Main Resource Loader
-roller.resource.loader.class=org.apache.roller.weblogger.ui.rendering.velocity.RollerResourceLoader
-roller.resource.loader.cache=false
-roller.resource.loader.modificationCheckInterval=2
+resource.loader.roller.public.name=roller
+resource.loader.roller.description=Roller Main Resource Loader
+resource.loader.roller.class=org.apache.roller.weblogger.ui.rendering.velocity.RollerResourceLoader
+resource.loader.roller.cache=false
+resource.loader.roller.modification_check_interval=2
 
 # for the loader we call 'class', use the ClasspathResourceLoader
-class.resource.loader.description = Velocity Classpath Resource Loader
-class.resource.loader.class = org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader
-class.resource.loader.cache=true
-class.resource.loader.modificationCheckInterval=60
+resource.loader.class.description = Velocity Classpath Resource Loader
+resource.loader.class.class = org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader
+resource.loader.class.cache=true
+resource.loader.class.modification_check_interval=60
 
 # for the loader we call 'webapp', use the WebappResourceLoader
-webapp.resource.loader.description = Roller Webapp Resource Loader
-webapp.resource.loader.class = org.apache.roller.weblogger.ui.rendering.velocity.WebappResourceLoader
-webapp.resource.loader.cache=true
-webapp.resource.loader.modificationCheckInterval=60
+resource.loader.webapp.description = Roller Webapp Resource Loader
+resource.loader.webapp.class = org.apache.roller.weblogger.ui.rendering.velocity.WebappResourceLoader
+resource.loader.webapp.cache=true
+resource.loader.webapp.modification_check_interval=60
 
 # log invalid template references?
 # set this to false to have a quieter velocity.log
@@ -51,20 +51,22 @@ runtime.log.invalid.reference=false
 runtime.log.logsystem.class=org.apache.velocity.runtime.log.SimpleLog4JLogSystem
 runtime.log.logsystem.log4j.category=org.apache.velocity
 
+# modern JVMs have fast deduplication
+runtime.string_interning=false
+
 # Override the default global library, set to blank to load no default
-velocimacro.library = weblog.vm,feeds.vm,roller-custom.vm
+velocimacro.library.path = weblog.vm,feeds.vm,roller-custom.vm
 
 # Change to false for deployment environments.
 # Caching for the 'class' & 'webapp' ResourceLoaders must be false for this to work
 velocimacro.library.autoreload=true
 
 # Allow Velocimacros to be defined in regular templates
-velocimacro.permissions.allow.inline=true
+velocimacro.inline.allow=true
 
 # Allow template authors to define macros in any template
-velocimacro.permissions.allow.inline.local.scope=false
+velocimacro.inline.local_scope=false
 
 # set encoding/charset to UTF-8
-input.encoding=UTF-8
-output.encoding=UTF-8
+resource.default_encoding=UTF-8
 default.contentType=text/html; charset=utf-8