You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@commons.apache.org by "Jan Klička (Jira)" <ji...@apache.org> on 2022/07/13 06:53:00 UTC

[jira] [Created] (JEXL-375) Cannot access enums by their name when using sandbox

Jan Klička created JEXL-375:
-------------------------------

             Summary: Cannot access enums by their name when using sandbox
                 Key: JEXL-375
                 URL: https://issues.apache.org/jira/browse/JEXL-375
             Project: Commons JEXL
          Issue Type: Bug
    Affects Versions: 3.2.1
         Environment: {code:java}
@Test
public void addressTypeTest() {
    JexlSandbox jexlSandbox = new JexlSandbox(false);
    jexlSandbox.allow(Type.class.getName());

    JexlEngine engine = new JexlBuilder()
            .sandbox(jexlSandbox)
            .create();

    var context = new HashMap<String, Object>();
    context.put("Type", Type.class);

    Type typeValueOf = (Type) engine.createScript(
            "return Type.valueOf('DOMICILE');\n"
    ).execute(new MapContext(context)); // ok
    assertEquals(Type.DOMICILE, typeValueOf);

    Type typeDirect = (Type) engine.createScript(
            "return Type.DOMICILE;\n"
    ).execute(new MapContext(context)); // throws
    assertEquals(Type.DOMICILE, typeDirect);
}

public enum Type {
    DELIVERY_ADDRESS,
    DOMICILE
}
 {code}
            Reporter: Jan Klička


Hello,

 

when using sandbox, accessing enum value via the dot notation fails with an exception `JexlException$Property: JexlTest.addressTypeTest:186 undefined property 'DOMICILE'`.

 

The only workaround I have found was to use the `valueOf` method on the enum.

 

I tried tracking down the cause. I believe the issue lies in `SandboxUberspect.getPropertyGet` on line

`final String actual = sandbox.read(obj.getClass(), property)`

where obj is the class of the enum, and thus the permission gets read for `Class<Object>` (result of `obj.getClass()`) instead of the enum.

 

Contrast this to the code in `Uberspect.getPropertyGet` , where it tries to also resolve against `obj`, not only its superclass.


```

executor = FieldGetExecutor.discover(is, claz, property);
// static class fields (enums included)
if (obj instanceof Class<?>) {
   executor = FieldGetExecutor.discover(is, (Class<?>) obj, property);
}```



--
This message was sent by Atlassian Jira
(v8.20.10#820010)