Posted to commits@commons.apache.org by he...@apache.org on 2022/11/09 06:08:12 UTC
[commons-jexl] branch master updated: JEXL-386: fix sandbox permissions inheritance;
This is an automated email from the ASF dual-hosted git repository.
henrib pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-jexl.git
The following commit(s) were added to refs/heads/master by this push:
new d73a3c13 JEXL-386: fix sandbox permissions inheritance;
d73a3c13 is described below
commit d73a3c130494f5ce9dafdb2644a98d1bc9abd7dc
Author: henrib <he...@apache.org>
AuthorDate: Wed Nov 9 07:08:06 2022 +0100
JEXL-386: fix sandbox permissions inheritance;
---
.../commons/jexl3/introspection/JexlSandbox.java | 16 +++--
.../commons/jexl3/introspection/SandboxTest.java | 68 +++++++++++++++++++++-
2 files changed, 78 insertions(+), 6 deletions(-)
diff --git a/src/main/java/org/apache/commons/jexl3/introspection/JexlSandbox.java b/src/main/java/org/apache/commons/jexl3/introspection/JexlSandbox.java
index 62d521cb..1bdadfbb 100644
--- a/src/main/java/org/apache/commons/jexl3/introspection/JexlSandbox.java
+++ b/src/main/java/org/apache/commons/jexl3/introspection/JexlSandbox.java
@@ -648,8 +648,12 @@ public final class JexlSandbox {
// find first inherited interface that defines permissions
for (final Class<?> inter : clazz.getInterfaces()) {
permissions = sandbox.get(inter.getName());
- if (permissions != null && permissions.isInheritable()) {
- break;
+ if (permissions != null) {
+ if (permissions.isInheritable()) {
+ break;
+ } else {
+ permissions = null;
+ }
}
}
// nothing defined yet, find first superclass that defines permissions
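Review bot: The reset `permissions = null;` is the security-relevant line of this fix and has no comment. Without it, a non-inheritable entry that is the last one visited stays assigned when the loop ends and is presumably then applied to the subclass. I would say so at the reset, e.g. `// not inheritable: must not leak to this class, keep searching`, and drop the `else` after `break` so the branch reads `if (permissions.isInheritable()) { break; }` followed by `permissions = null;`. The identical block is repeated in the superclass walk of the next hunk, so a small private helper would keep the two lookups from drifting apart. The enclosing method starts and ends outside the hunk.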
@@ -659,8 +663,12 @@ public final class JexlSandbox {
// walk all superclasses
while (zuper != null) {
permissions = sandbox.get(zuper.getName());
- if (permissions != null && permissions.isInheritable()) {
- break;
+ if (permissions != null) {
+ if (permissions.isInheritable()) {
+ break;
+ } else {
+ permissions = null;
+ }
}
zuper = zuper.getSuperclass();
}
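Review bot: The superclass walk appears to look up only `zuper.getName()`, and the interface loop in the previous hunk uses `clazz.getInterfaces()`, which returns only the interfaces a class declares directly. Taken together, an entry on an interface implemented by a superclass (or on a super-interface) is not reached by either loop as shown, so such a class would get whatever default the rest of the method applies. That matters most for a sandbox that allows by default, where a restrictive interface entry would be expected to cover every implementor. If this is intended, a comment on the walk such as `// interfaces of superclasses are not consulted` would document it; otherwise a test with `Quux386` and an entry on `SomeInterface` would pin the behaviour. The method body continues outside the hunk.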
diff --git a/src/test/java/org/apache/commons/jexl3/introspection/SandboxTest.java b/src/test/java/org/apache/commons/jexl3/introspection/SandboxTest.java
index 0a3fda12..6b634b40 100644
--- a/src/test/java/org/apache/commons/jexl3/introspection/SandboxTest.java
+++ b/src/test/java/org/apache/commons/jexl3/introspection/SandboxTest.java
@@ -18,7 +18,6 @@ package org.apache.commons.jexl3.introspection;
import java.util.ArrayList;
import java.util.Arrays;
-import java.util.HashMap;
import java.util.List;
import java.util.Map;
@@ -33,7 +32,6 @@ import org.apache.commons.jexl3.JexlTestCase;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.annotations.NoJexl;
-import org.apache.commons.jexl3.internal.introspection.Permissions;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
@@ -465,7 +463,73 @@ public class SandboxTest extends JexlTestCase {
LOGGER.debug(xjm.toString());
}
}
+ public interface SomeInterface {
+ int bar();
+ }
+
+ public static class Foo386 implements SomeInterface {
+ @Override
+ public int bar() {
+ return 42;
+ }
+ }
+ public static class Quux386 extends Foo386 {
+ @Override
+ public int bar() {
+ return -42;
+ }
+ }
+ @Test
+ public void testInheritedPermission0() {
+ final Foo386 foo = new Foo386();
+ final JexlSandbox sandbox = new JexlSandbox(false, true);
+ sandbox.permissions(SomeInterface.class.getName(), true, true, true, true);
+ final JexlEngine sjexl = new JexlBuilder().sandbox(sandbox).safe(false).strict(true).create();
+ final JexlScript someOp = sjexl.createScript("foo.bar()", "foo");
+ Assert.assertEquals(42, someOp.execute(null, foo));
+ }
+ @Test
+ public void testNonInheritedPermission0() {
+ final Foo386 foo = new Foo386();
+ final JexlSandbox sandbox = new JexlSandbox(false, true);
+ sandbox.permissions(SomeInterface.class.getName(), false, true, true, true);
+ final JexlEngine sjexl = new JexlBuilder().sandbox(sandbox).safe(false).strict(true).create();
+ final JexlScript someOp = sjexl.createScript("foo.bar()", "foo");
+
+ try {
+ someOp.execute(null, foo);
+ Assert.fail("should not be possible");
+ } catch (final JexlException e) {
+ // ok
+ LOGGER.debug(e.toString());
+ }
+ }
+ @Test
+ public void testInheritedPermission1() {
+ final Quux386 foo = new Quux386();
+ final JexlSandbox sandbox = new JexlSandbox(false, true);
+ sandbox.permissions(Foo386.class.getName(), true, true, true, true);
+ final JexlEngine sjexl = new JexlBuilder().sandbox(sandbox).safe(false).strict(true).create();
+ final JexlScript someOp = sjexl.createScript("foo.bar()", "foo");
+ Assert.assertEquals(-42, someOp.execute(null, foo));
+ }
+ @Test
+ public void testNonInheritedPermission1() {
+ final Quux386 foo = new Quux386();
+ final JexlSandbox sandbox = new JexlSandbox(false, true);
+ sandbox.permissions(Foo386.class.getName(), false, true, true, true);
+ final JexlEngine sjexl = new JexlBuilder().sandbox(sandbox).safe(false).strict(true).create();
+ final JexlScript someOp = sjexl.createScript("foo.bar()", "foo");
+
+ try {
+ someOp.execute(null, foo);
+ Assert.fail("should not be possible");
+ } catch (final JexlException e) {
+ // ok
+ LOGGER.debug(e.toString());
+ }
+ }
public static class Foo42 {
public int getFoo() {
return 42;
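Review bot: Both negative tests, `testNonInheritedPermission0` and `testNonInheritedPermission1`, pass on any `JexlException`, so an unrelated evaluation error inside `execute` would still be counted as the permission being denied. Narrowing the catch to the exception a sandbox denial is expected to raise would make them assert the denial itself; this is likely `catch (final JexlException.Method e)`, to be confirmed against the engine. A short comment in place of `// ok`, stating that the non-inheritable entry on the parent type must not apply to the subclass, would also record why the call has to fail. The added methods are complete in the hunk; the enclosing test class is not.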