You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@commons.apache.org by "Henri Biestro (Jira)" <ji...@apache.org> on 2021/06/07 13:15:07 UTC

[jira] [Closed] (JEXL-291) Using sandbox prevents array-syntax lookup by number in Map

     [ https://issues.apache.org/jira/browse/JEXL-291?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Henri Biestro closed JEXL-291.
------------------------------

> Using sandbox prevents array-syntax lookup by number in Map
> -----------------------------------------------------------
>
>                 Key: JEXL-291
>                 URL: https://issues.apache.org/jira/browse/JEXL-291
>             Project: Commons JEXL
>          Issue Type: Bug
>    Affects Versions: 3.1
>            Reporter: David Costanzo
>            Assignee: Henri Biestro
>            Priority: Minor
>             Fix For: 3.2
>
>
> Using a JexlSandbox, even if it's a whitebox sandbox that allows everything, makes all array-syntax lookup by integer in a Map fail.  The array lookup syntax for a String key still works.
> For example
> {code:java}
> {'key' : 'value'}.['key']{code}
> can find 'value', but
> {code:java}
> {1 : 'value'}[1]{code}
> evaluates to null, instead of 'value'.
> The problem seems to be that SandboxUberspect converts the property 1 to a String "1" when determining the name of the property and then, when it attempts to look up the value, it uses the String.  The problem exists for getting and setting by array syntax.
>  
> *Steps to Reproduce:*
> This can be seen with a simple program:
>  
> {code:java}
> public class Main {
>     public static void main(String[] arguments) {
>         JexlEngine simpleJexlEngine = new JexlBuilder().create();
>         JexlExpression simpleExpression = simpleJexlEngine.createExpression(
>            "{1:'one'}[1]");
>         Object value = simpleExpression.evaluate(new MapContext());
>         assert "one".equals(value);
>         JexlEngine sandboxedJexlEngine = new JexlBuilder().
>            sandbox(new JexlSandbox(true)). // add a whitebox sandbox
>            create();
>         JexlExpression sandboxedExpression =
>            sandboxedJexlEngine.createExpression(
>               "{1:'one'}[1]");
>         Object sandboxedValue = sandboxedExpression.evaluate(new MapContext());
>         assert "one".equals(sandboxedValue); // <--- fails
>     }
> }{code}
>  
>  
> *Work-around*
> As the Java developer, I was able to work around this problem by creating a custom Uberspect that's a copy of SandboxUberspect, but has a different implementation for getPropertySet() and getPropertyGet().  Instead of passing in "actual" to uberspect.getPropertySet() and uberspect.getPropertyGet() (which has been converted to a String), it passes in "identifier", which is the original object.  I don't understand the JEXL internals well enough to know if this is correct, though.
> As a JEXL programmer, I could only work around this by calling "get" and "put" on the Map object, instead of using the array syntax.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)