Posted to issues@commons.apache.org by "garydgregory (via GitHub)" <gi...@apache.org> on 2023/09/28 11:52:39 UTC

[GitHub] [commons-scxml] garydgregory commented on a diff in pull request #154: [feature] set up allowed class-permissions to JEXL constructor

garydgregory commented on code in PR #154:
URL: https://github.com/apache/commons-scxml/pull/154#discussion_r1339999687


##########
src/main/java/org/apache/commons/scxml2/env/jexl/JexlEvaluator.java:
##########
@@ -185,7 +195,13 @@ protected JexlEngine createJexlEngine() {
         // See javadoc of org.apache.commons.jexl2.JexlEngine#setFunctions(Map<String,Object> funcs) for detail.
         final Map<String, Object> funcs = new HashMap<>();
         funcs.put(null, JexlBuiltin.class);
+
         JexlPermissions permissions = JexlPermissions.RESTRICTED.compose("org.apache.commons.scxml2.*");
+
+        if(customAllowedClasses != null && customAllowedClasses.length > 0) {
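Review bot: The guard `if(customAllowedClasses != null && customAllowedClasses.length > 0)` checks the array itself but not its elements, so a null or blank entry would pass straight through to whatever the block does with it. Every entry here widens what a JEXL expression may use beyond `JexlPermissions.RESTRICTED` composed with `org.apache.commons.scxml2.*`, so suggest rejecting null or blank entries before they are used and keeping the restricted default when nothing valid is supplied.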

Review Comment:
   Fix formatting. 



##########
src/main/java/org/apache/commons/scxml2/env/jexl/JexlEvaluator.java:
##########
@@ -74,11 +74,21 @@ public Evaluator getEvaluator(final SCXML document) {
     /** The internal JexlEngine instance to use. */
     private transient volatile JexlEngine jexlEngine;
 
+    /** Optional: saves user defined packages, which JEXL should allow for evaluation */
+    private String[] customAllowedClasses;
+
     /** Constructor. */
     public JexlEvaluator() {
         jexlEngine = getJexlEngine();
     }
 
+    /** Constructor with further allowed classes or packages. Use an asterix for all classes in a package */
+    public JexlEvaluator(String... customAllowedClasses) {
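Review bot: In the new `JexlEvaluator(String... customAllowedClasses)` constructor, the field has to be assigned before the engine is created. The existing no-arg constructor in this hunk calls `jexlEngine = getJexlEngine();` immediately, and `createJexlEngine()` reads `customAllowedClasses`, so a constructor that follows the same pattern and builds the engine first would silently ignore the custom entries. Separately, the field is named for classes while its Javadoc speaks of packages, "asterix" should be "asterisk", and the constructor Javadoc should say that each entry widens what script expressions are permitted to use.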

Review Comment:
   I think we should use the builder pattern instead of adding public constructors.



##########
src/test/java/com/custom/Payload.java:
##########
@@ -0,0 +1,20 @@
+package com.custom;
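Review bot: `package com.custom;` on the first line of this new test class places it outside `org.apache.commons.scxml2.*`, the only package the main-code change composes into the permissions by default. If that placement is deliberate, a short class comment saying so would keep a later cleanup from moving the class into the project's own package and changing what the test covers.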

Review Comment:
   Missing Apache License header.



##########
src/main/java/org/apache/commons/scxml2/env/jexl/JexlEvaluator.java:
##########
@@ -185,7 +195,13 @@ protected JexlEngine createJexlEngine() {
         // See javadoc of org.apache.commons.jexl2.JexlEngine#setFunctions(Map<String,Object> funcs) for detail.
         final Map<String, Object> funcs = new HashMap<>();
         funcs.put(null, JexlBuiltin.class);
+
         JexlPermissions permissions = JexlPermissions.RESTRICTED.compose("org.apache.commons.scxml2.*");
+
+        if(customAllowedClasses != null && customAllowedClasses.length > 0) {

Review Comment:
   Formatting 


