This is an automated email from the ASF dual-hosted git repository. henrib pushed a commit to branch JEXL-450 in repository https://gitbox.apache.org/repos/asf/commons-jexl.git
commit a2b1001b2b109457db27365c631a3c5cc729cb0f
Author: Henrib <[email protected]>
AuthorDate: Fri Nov 14 20:38:48 2025 +0100
JEXL-450: disable instantiation of internal classes in RESTRICTED mode;
---
 RELEASE-NOTES.txt | 3 +-
 src/changes/changes.xml | 11 ++++--
 .../jexl3/introspection/JexlPermissions.java | 5 ++-
 .../org/apache/commons/jexl3/Issues400Test.java | 43 +++++++++++++++++++++-
 4 files changed, 54 insertions(+), 8 deletions(-)
diff --git a/RELEASE-NOTES.txt b/RELEASE-NOTES.txt
index 02fb794e..00f70e85 100644
--- a/RELEASE-NOTES.txt
+++ b/RELEASE-NOTES.txt
@@ -53,8 +53,9 @@ Have fun!
 ------------------------------------------------------------------------------ + Apache Commons JEXL - Version 3.5.0 + Version 3.6.0 Release Notes
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 9c4ba4d9..2ce12fbd 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -9,7 +9,7 @@
 * (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 *
-* https://www.apache.org/licenses/LICENSE-2.0
+* http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
@@ -29,6 +29,9 @@
 <body>
 <release version="3.6.1" date="YYYY-MM-DD" description="This is a feature and maintenance release. Java 8 or later is required.">
 <!-- FIX -->
+ <action dev="henrib" type="fix" issue="JEXL-449" due-to="William Price">
+ Inconsistency on nature of curly-bracket syntactic elements wrt annotations
+ </action>
 <!-- ADD -->
 <!-- UPDATE -->
 </release>
@@ -73,7 +76,7 @@
 </release>
 <release version="3.5.0" date="2025-04-11" description="This is a feature and maintenance release. Java 8 or later is required.">
- <!-- FIX -->
+ <!-- FIX -->
 <action dev="henrib" type="fix" issue="JEXL-436" due-to="Vincent Bussol">
 The increment (decrement) operator does not check for null operand
 </action>
@@ -102,7 +105,7 @@
 Replace NumberParser use of Locale.ENGLISH with Locale.ROOT.
 </action>
 <action type="fix" dev="ggregory" due-to="Gary Gregory">Pick up maven-antrun-plugin version from parent POM org.apache:apache.</action>
- <!-- ADD -->
+ <!-- ADD -->
 <action dev="henrib" type="add" issue="JEXL-438" due-to="Yair Lenga">
 Allow parser factory specification.
 </action>
@@ -124,7 +127,7 @@
 <action type="update" dev="ggregory">Bump org.codehaus.mojo:animal-sniffer-maven-plugin from 1.23 to 1.24 #266.</action>
 <action type="update" dev="ggregory">Bump org.apache.commons:commons-lang3 from 3.14.0 to 3.17.0 #270, #274, #283.</action>
 <action type="update" dev="ggregory" due-to="Dependabot, Gary Gregory">Bump org.ow2.asm:asm from 9.7 to 9.7.1 #294.</action>
- <action type="update" dev="ggregory" due-to="Dependabot, Gary Gregory">Bump com.google.code.gson:gson from 2.11.0 to 2.13.1 #321, #342.</action>
+ <action type="update" dev="ggregory" due-to="Dependabot, Gary Gregory">Bump com.google.code.gson:gson from 2.11.0 to 2.13.0 #321.</action>
 </release>
 <release version="3.4.0" date="2024-06-02" description="Java 8 is required.">
 <!-- ADD -->
diff --git a/src/main/java/org/apache/commons/jexl3/introspection/JexlPermissions.java b/src/main/java/org/apache/commons/jexl3/introspection/JexlPermissions.java
index 50b4afe2..37a7562f 100644
--- a/src/main/java/org/apache/commons/jexl3/introspection/JexlPermissions.java
+++ b/src/main/java/org/apache/commons/jexl3/introspection/JexlPermissions.java
@@ -64,7 +64,6 @@ import org.apache.commons.jexl3.internal.introspection.PermissionsParser;
 * @since 3.3
 */
 public interface JexlPermissions {
-
 /**
 * A permission delegation that augments the RESTRICTED permission with an explicit
 * set of classes.
@@ -226,7 +225,9 @@ public interface JexlPermissions {
 "org.w3c.dom.*",
 "org.apache.commons.jexl3.*",
 "org.apache.commons.jexl3 { JexlBuilder {} }",
-"org.apache.commons.jexl3.internal { Engine {} }",
+"org.apache.commons.jexl3.introspection { JexlPermissions {} JexlPermissions$ClassPermissions {} }",
+"org.apache.commons.jexl3.internal { Engine {} Engine32 {} TemplateEngine {} }",
+"org.apache.commons.jexl3.internal.introspection { Uberspect {} Introspector {} }",
 "java.lang { Runtime{} System{} ProcessBuilder{} Process{}"
 + " RuntimePermission{} SecurityManager{}"
 + " Thread{} ThreadGroup{} Class{} }",
diff --git a/src/test/java/org/apache/commons/jexl3/Issues400Test.java b/src/test/java/org/apache/commons/jexl3/Issues400Test.java
index daf801eb..b992d94a 100644
--- a/src/test/java/org/apache/commons/jexl3/Issues400Test.java
+++ b/src/test/java/org/apache/commons/jexl3/Issues400Test.java
@@ -6,7 +6,7 @@
 * (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 *
- * https://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
@@ -17,6 +17,7 @@ package org.apache.commons.jexl3;
 import static org.apache.commons.jexl3.introspection.JexlPermissions.RESTRICTED;
+import static org.apache.commons.jexl3.introspection.JexlPermissions.UNRESTRICTED;
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
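Review bot: The three added entries keep RESTRICTED on a per-class deny basis, so only Engine32, TemplateEngine, Uberspect, Introspector, JexlPermissions and JexlPermissions$ClassPermissions are closed off; any other class under `org.apache.commons.jexl3.internal` or `org.apache.commons.jexl3.internal.introspection` that hands a script a class loader, an uberspect or a permissions object stays instantiable under RESTRICTED, and the list has to be revisited whenever such a class is added. If the permissions grammar can deny a whole package (the list already carries package-level `.*` entries, so this may be expressible), denying `org.apache.commons.jexl3.internal` and its sub-packages outright would be the safer default since nothing there is public API; otherwise the intent should at least be recorded beside the entries, e.g. `// JEXL-450: internal engine/introspection classes let a script build its own uberspect/permissions and escape RESTRICTED`. The `parse(...)` call these strings belong to starts before and ends after the hunk.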
@@ -42,6 +43,7 @@ import java.util.concurrent.atomic.AtomicLong;
 import org.apache.commons.jexl3.internal.Debugger;
 import org.apache.commons.jexl3.internal.Scope;
+import org.apache.commons.jexl3.internal.introspection.Uberspect;
 import org.apache.commons.jexl3.introspection.JexlPermissions;
 import org.apache.commons.jexl3.parser.ASTJexlScript;
 import org.apache.commons.jexl3.parser.JexlScriptParser;
@@ -817,5 +819,44 @@ public class Issues400Test {
 }
 }
+ public static class BrkContext extends MapContext {
+ public BrkContext() {
+ super();
+ set("SYSTEM", System.class);
+ set("UNRESTRICTED", UNRESTRICTED);
+ }
+
+ public static Object brk(Object debug) {
+ return debug;
+ }
+
+ }
+
+ @Test
+ void test450() {
+ for (JexlPermissions perm : new JexlPermissions[]{JexlPermissions.RESTRICTED, JexlPermissions.UNRESTRICTED}) {
+ JexlEngine jexl = new JexlBuilder().permissions(perm).create();
+ JexlScript e = getExpression450(jexl);
+ try {
+ e.execute(null);
+ fail("should not be able to access System class with " + perm);
+ } catch (JexlException xjexl) {
+ assertNotNull(xjexl);
+ }
+ }
+ }
+
+ private static JexlScript getExpression450(JexlEngine jexl) {
+ return jexl.createScript("new('org.apache.commons.jexl3.internal.TemplateEngine'," +
+ "new('org.apache.commons.jexl3.internal.Engine32'),false,256,'{'.charAt(0),'#'.charAt(0))" +
+ ".createExpression(" +
+ "\"#{x = new ('org.apache.commons.jexl3.internal.introspection.Uberspect', null, null, UNRESTRICTED);" +
+ "sys = x.getClassLoader().loadClass('java.lang.System') ?: SYSTEM;" + // fail to load System
+ "p = new('org.apache.commons.jexl3.introspection.JexlPermissions$ClassPermissions', [sys]);" +
+ "c = new('org.apache.commons.jexl3.internal.introspection.Uberspect', null, null, p);" +
+ "z = c.getMethod(sys,'currentTimeMillis').invoke(x,null);}\")" +
+ ".evaluate(new('org.apache.commons.jexl3.Issues400Test$BrkContext'))");
+ }
+
 }
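Review bot: The `catch (JexlException xjexl)` in test450 only asserts that the exception is non-null, so the test passes whenever the script fails for any reason — a slip in the nested `#{...}` expression or an unrelated evaluation error would mask a regression that re-opens `TemplateEngine`/`Uberspect` instantiation under RESTRICTED. For the RESTRICTED iteration, assert on what failed (for instance that `xjexl.getMessage()` names the denied constructor), and add a comment above the loop explaining why the UNRESTRICTED iteration is also expected to throw, since that is not evident from the script, e.g. `// UNRESTRICTED is expected to fail too: <reason — TODO state it>`. The `brk` method on BrkContext and the `Uberspect` import added in the earlier hunk of this file appear unused by the new code as shown here. The class body these members are appended to starts before the hunk.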
