Posted to commits@commons.apache.org by he...@apache.org on 2011/11/03 11:03:48 UTC
svn commit: r1197040 - in /commons/proper/jexl/trunk: RELEASE-NOTES.txt
src/site/xdoc/changes.xml
src/test/java/org/apache/commons/jexl2/SandboxTest.java
Author: henrib
Date: Thu Nov 3 10:03:47 2011
New Revision: 1197040
URL: http://svn.apache.org/viewvc?rev=1197040&view=rev
Log:
Updated changes and release notes;
Added a sandbox test (protect call to System, etc)
Modified:
commons/proper/jexl/trunk/RELEASE-NOTES.txt
commons/proper/jexl/trunk/src/site/xdoc/changes.xml
commons/proper/jexl/trunk/src/test/java/org/apache/commons/jexl2/SandboxTest.java
Modified: commons/proper/jexl/trunk/RELEASE-NOTES.txt
URL: http://svn.apache.org/viewvc/commons/proper/jexl/trunk/RELEASE-NOTES.txt?rev=1197040&r1=1197039&r2=1197040&view=diff
==============================================================================
--- commons/proper/jexl/trunk/RELEASE-NOTES.txt (original)
+++ commons/proper/jexl/trunk/RELEASE-NOTES.txt Thu Nov 3 10:03:47 2011
@@ -41,9 +41,10 @@ What's new in 2.1:
* A more thorough arithmetic (JexlArithmetic) that allows fine control over decimals (scale and precision), a
new syntax for numeric literals (OGNL inspired Big and Huge notations) and a better type handling keeping the most
appropriate representation in casual operations.
-* The introduction of script variables and parameters that reduce context dependencies and methods that allow some
- checks performed after script creation (light static checking hints). Plus the ability to call script from scripts.
+* The introduction of script variables and parameters that reduce context dependencies and methods; this allows to
+ perform checks after script creation (light static checking hints). Plus the ability to call script from scripts.
* A sandoxing feature to restrict and rename what JEXL can access from the environment allowing tighter control over security.
+* Extensions to UnifiedJEXL that allow the creation of templates.
New features in 2.1:
====================
@@ -52,6 +53,8 @@ New features in 2.1:
* JEXL-118: Provide an IN operator
* JEXL-115: Add support for asynchronous script execution and cancellation
* JEXL-116: Add control over classes, methods, constructors and properties allowed in scripts
+* JEXL-120: Add simple template features
+* JEXL-119: Allow indexed properties container resolution in expressions
* JEXL-106: When divide two BigDecimal values in an expression it results in java.lang.ArithmeticException
* JEXL-102: Add "jexl2" as a supported name
Modified: commons/proper/jexl/trunk/src/site/xdoc/changes.xml
URL: http://svn.apache.org/viewvc/commons/proper/jexl/trunk/src/site/xdoc/changes.xml?rev=1197040&r1=1197039&r2=1197040&view=diff
==============================================================================
--- commons/proper/jexl/trunk/src/site/xdoc/changes.xml (original)
+++ commons/proper/jexl/trunk/src/site/xdoc/changes.xml Thu Nov 3 10:03:47 2011
@@ -26,6 +26,12 @@
</properties>
<body>
<release version="2.1" date="unreleased">
+ <action dev="henrib" type="add" issue="JEXL-121">
+ Add simple template features
+ </action>
+ <action dev="henrib" type="fix" issue="JEXL-120" due-to="Lukas Krecan">
+ Make ParseException work in sandboxed environment
+ </action>
<action dev="henrib" type="add" issue="JEXL-119">
Allow indexed properties container resolution in expressions
</action>
Modified: commons/proper/jexl/trunk/src/test/java/org/apache/commons/jexl2/SandboxTest.java
URL: http://svn.apache.org/viewvc/commons/proper/jexl/trunk/src/test/java/org/apache/commons/jexl2/SandboxTest.java?rev=1197040&r1=1197039&r2=1197040&view=diff
==============================================================================
--- commons/proper/jexl/trunk/src/test/java/org/apache/commons/jexl2/SandboxTest.java (original)
+++ commons/proper/jexl/trunk/src/test/java/org/apache/commons/jexl2/SandboxTest.java Thu Nov 3 10:03:47 2011
@@ -193,7 +193,7 @@ public class SandboxTest extends JexlTes
script = sjexl.createScript(expr, "foo");
result = script.execute(null, foo);
assertEquals(foo.alias, result);
-
+
script = sjexl.createScript("foo.ALIAS", "foo");
result = script.execute(null, foo);
assertEquals(foo.alias, result);
@@ -216,4 +216,43 @@ public class SandboxTest extends JexlTes
assertEquals("43", result);
assertEquals("43", foo.alias);
}
+
+ public void testRestrict() throws Exception {
+ JexlContext context = new MapContext();
+ context.set("System", System.class);
+ Sandbox sandbox = new Sandbox();
+ // only allow call to currentTimeMillis (avoid exit, gc, loadLibrary, etc)
+ sandbox.white(System.class.getName()).execute("currentTimeMillis");
+ // can not create a new file
+ sandbox.black(java.io.File.class.getName()).execute("");
+
+ Uberspect uber = new SandboxUberspectImpl(null, sandbox);
+ JexlEngine sjexl = new JexlEngine(uber, null, null, null);
+ sjexl.setStrict(true);
+
+ String expr;
+ Script script;
+ Object result;
+
+ script = sjexl.createScript("System.exit()");
+ try {
+ result = script.execute(context);
+ fail("should not allow calling exit!");
+ } catch (JexlException xjexl) {
+ LOGGER.info(xjexl.toString());
+ }
+
+ script = sjexl.createScript("new('java.io.File', '/tmp/should-not-be-created')");
+ try {
+ result = script.execute(context);
+ fail("should not allow creating a file");
+ } catch (JexlException xjexl) {
+ LOGGER.info(xjexl.toString());
+ }
+
+ expr = "System.currentTimeMillis()";
+ script = sjexl.createScript("System.currentTimeMillis()");
+ result = script.execute(context);
+ assertNotNull(result);
+ }
}
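Review bot: In testRestrict the `System.exit()` case does not show that the whitelist is what rejects the call: `System.exit` takes an `int`, so with `setStrict(true)` the zero-argument form would most likely raise a JexlException as an unresolved method even with no sandbox installed. A method that exists with the called signature but is not whitelisted makes the check meaningful and stays harmless if the sandbox ever regresses, e.g. `script = sjexl.createScript("System.nanoTime()");`. Both catch blocks only log the exception, so nothing in the test distinguishes a sandbox denial from any other failure. Separately, `expr` is assigned but never used in the last case, so pass it with `script = sjexl.createScript(expr);`. A short comment on the `black(...).execute("")` line saying that the empty name appears to stand for the constructor would also help readers.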