You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@commons.apache.org by he...@apache.org on 2016/10/12 09:06:49 UTC
svn commit: r1764408 - in /commons/proper/jexl/trunk/src:
main/java/org/apache/commons/jexl3/introspection/JexlSandbox.java
test/java/org/apache/commons/jexl3/introspection/SandboxTest.java
Author: henrib
Date: Wed Oct 12 09:06:49 2016
New Revision: 1764408
URL: http://svn.apache.org/viewvc?rev=1764408&view=rev
Log:
JEXL-219:
Adding explicit white/black listing flag for default behavior of sandbox
Modified:
commons/proper/jexl/trunk/src/main/java/org/apache/commons/jexl3/introspection/JexlSandbox.java
commons/proper/jexl/trunk/src/test/java/org/apache/commons/jexl3/introspection/SandboxTest.java
Modified: commons/proper/jexl/trunk/src/main/java/org/apache/commons/jexl3/introspection/JexlSandbox.java
URL: http://svn.apache.org/viewvc/commons/proper/jexl/trunk/src/main/java/org/apache/commons/jexl3/introspection/JexlSandbox.java?rev=1764408&r1=1764407&r2=1764408&view=diff
==============================================================================
--- commons/proper/jexl/trunk/src/main/java/org/apache/commons/jexl3/introspection/JexlSandbox.java (original)
+++ commons/proper/jexl/trunk/src/main/java/org/apache/commons/jexl3/introspection/JexlSandbox.java Wed Oct 12 09:06:49 2016
@@ -46,35 +46,52 @@ import java.util.Set;
*
* <ul>
* <li><b>read</b> controls readable properties </li>
- * <li><b>write</b> controls writeable properties</li>
+ * <li><b>write</b> controls writable properties</li>
* <li><b>execute</b> controls executable methods and constructor</li>
* </ul>
*
- * <p>Note that a JexlUberspect allways uses a copy of the JexlSandbox used to built it to avoid synchronization and/or
+ * <p>Note that a JexlUberspect always uses a copy of the JexlSandbox used to built it to avoid synchronization and/or
* concurrent modifications at runtime.</p>
*
* @since 3.0
*/
public final class JexlSandbox {
-
/**
* The map from class names to permissions.
*/
private final Map<String, Permissions> sandbox;
+ /**
+ * Default behavior, black or white.
+ */
+ private final boolean white;
/**
* Creates a new default sandbox.
+ * <p>In the absence of explicit permissions on a class, the
+ * sandbox is a white-box, white-listing that class for all permissions (read, write and execute).
*/
public JexlSandbox() {
- this(new HashMap<String, Permissions>());
+ this(true, new HashMap<String, Permissions>());
+ }
+
+ /**
+ * Creates a new default sandbox.
+ * <p>A white-box considers no permissions as "e;everything is allowed"e; when
+ * a black-box considers no permissions as "e;nothing is allowed"e;.
+ * @param wb whether this sandbox is white (true) or black (false)
+ * if no permission is explicitly defined for a class.
+ */
+ public JexlSandbox(boolean wb) {
+ this(wb, new HashMap<String, Permissions>());
}
/**
* Creates a sandbox based on an existing permissions map.
- *
+ * @param wb whether this sandbox is white (true) or black (false)
* @param map the permissions map
*/
- protected JexlSandbox(Map<String, Permissions> map) {
+ private JexlSandbox(boolean wb, Map<String, Permissions> map) {
+ white = wb;
sandbox = map;
}
@@ -86,7 +103,7 @@ public final class JexlSandbox {
for (Map.Entry<String, Permissions> entry : sandbox.entrySet()) {
map.put(entry.getKey(), entry.getValue().copy());
}
- return new JexlSandbox(map);
+ return new JexlSandbox(white, map);
}
/**
@@ -110,7 +127,7 @@ public final class JexlSandbox {
public String read(String clazz, String name) {
Permissions permissions = sandbox.get(clazz);
if (permissions == null) {
- return name;
+ return white? name : null;
} else {
return permissions.read().get(name);
}
@@ -137,7 +154,7 @@ public final class JexlSandbox {
public String write(String clazz, String name) {
Permissions permissions = sandbox.get(clazz);
if (permissions == null) {
- return name;
+ return white ? name : null;
} else {
return permissions.write().get(name);
}
@@ -164,7 +181,7 @@ public final class JexlSandbox {
public String execute(String clazz, String name) {
Permissions permissions = sandbox.get(clazz);
if (permissions == null) {
- return name;
+ return white ? name : null;
} else {
return permissions.execute().get(name);
}
@@ -304,7 +321,7 @@ public final class JexlSandbox {
/** The controlled readable properties. */
private final Names read;
- /** The controlled writeable properties. */
+ /** The controlled writable properties. */
private final Names write;
/** The controlled methods. */
@@ -357,7 +374,7 @@ public final class JexlSandbox {
}
/**
- * Adds a list of writeable property names to these permissions.
+ * Adds a list of writable property names to these permissions.
*
* @param pnames the property names
* @return this instance of permissions
@@ -393,7 +410,7 @@ public final class JexlSandbox {
}
/**
- * Gets the set of writeable property names in these permissions.
+ * Gets the set of writable property names in these permissions.
*
* @return the set of property names
*/
@@ -420,7 +437,7 @@ public final class JexlSandbox {
*
* @param clazz the class for which these permissions apply
* @param readFlag whether the readable property list is white - true - or black - false -
- * @param writeFlag whether the writeable property list is white - true - or black - false -
+ * @param writeFlag whether the writable property list is white - true - or black - false -
* @param executeFlag whether the executable method list is white white - true - or black - false -
* @return the set of permissions
*/
Modified: commons/proper/jexl/trunk/src/test/java/org/apache/commons/jexl3/introspection/SandboxTest.java
URL: http://svn.apache.org/viewvc/commons/proper/jexl/trunk/src/test/java/org/apache/commons/jexl3/introspection/SandboxTest.java?rev=1764408&r1=1764407&r2=1764408&view=diff
==============================================================================
--- commons/proper/jexl/trunk/src/test/java/org/apache/commons/jexl3/introspection/SandboxTest.java (original)
+++ commons/proper/jexl/trunk/src/test/java/org/apache/commons/jexl3/introspection/SandboxTest.java Wed Oct 12 09:06:49 2016
@@ -40,7 +40,13 @@ public class SandboxTest extends JexlTes
public SandboxTest() {
super("SandboxTest");
- JEXL.setClassLoader(getClass().getClassLoader());
+ }
+
+
+ public static class CantSeeMe {
+ public boolean doIt() {
+ return false;
+ }
}
@NoJexl
@@ -88,6 +94,10 @@ public class SandboxTest extends JexlTes
public String Quux() {
return name + "-quux";
}
+
+ public int doIt() {
+ return 42;
+ }
@NoJexl
public String cantCallMe() {
@@ -195,6 +205,30 @@ public class SandboxTest extends JexlTes
LOGGER.info(xvar.toString());
}
}
+
+ @Test
+ public void testCantSeeMe() throws Exception {
+ JexlContext jc = new MapContext();
+ String expr = "foo.doIt()";
+ JexlScript script;
+ Object result = null;
+
+ JexlSandbox sandbox = new JexlSandbox(false);
+ sandbox.white(Foo.class.getName());
+ JexlEngine sjexl = new JexlBuilder().sandbox(sandbox).strict(true).create();
+
+ jc.set("foo", new CantSeeMe());
+ script = sjexl.createScript(expr);
+ try {
+ result = script.execute(jc);
+ Assert.fail("should have failed, doIt()");
+ } catch (JexlException xany) {
+ //
+ }
+ jc.set("foo", new Foo("42"));
+ result = script.execute(jc);
+ Assert.assertEquals(42, ((Integer) result).intValue());
+ }
@Test
public void testCtorWhite() throws Exception {