This is an automated email from the ASF dual-hosted git repository. henrib pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/commons-jexl.git
The following commit(s) were added to refs/heads/master by this push:
new 46854b60 JEXL-397: core permissions allow dynamic proxy introspection;
46854b60 is described below
commit 46854b60a75fba8ec96066fae6051e38c6fe1245
Author: Henri Biestro <hbies...@cloudera.com>
AuthorDate: Thu May 4 12:55:58 2023 +0200
JEXL-397: core permissions allow dynamic proxy introspection;
---
 .../jexl3/internal/introspection/Permissions.java | 5 +++
 .../org/apache/commons/jexl3/Issues300Test.java | 36 ++++++++++++++++++++++
 2 files changed, 41 insertions(+)
diff --git a/src/main/java/org/apache/commons/jexl3/internal/introspection/Permissions.java b/src/main/java/org/apache/commons/jexl3/internal/introspection/Permissions.java
index cbf5d987..983f9699 100644
--- a/src/main/java/org/apache/commons/jexl3/internal/introspection/Permissions.java
+++ b/src/main/java/org/apache/commons/jexl3/internal/introspection/Permissions.java
@@ -20,6 +20,7 @@ package org.apache.commons.jexl3.internal.introspection;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.Field;
 import java.lang.reflect.Method;
+import java.lang.reflect.Proxy;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.LinkedHashSet;
@@ -406,6 +407,10 @@ public class Permissions implements JexlPermissions {
 if (!validate(clazz)) {
 return false;
 }
+ // proxy goes through
+ if (Proxy.isProxyClass(clazz)) {
+ return true;
+ }
 // class must be allowed
 if (deny(clazz)) {
 return false;
diff --git a/src/test/java/org/apache/commons/jexl3/Issues300Test.java b/src/test/java/org/apache/commons/jexl3/Issues300Test.java
index 34b4d008..b44eb879 100644
--- a/src/test/java/org/apache/commons/jexl3/Issues300Test.java
+++ b/src/test/java/org/apache/commons/jexl3/Issues300Test.java
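Review bot: The added early return `if (Proxy.isProxyClass(clazz)) { return true; }` in Permissions.java sits ahead of the `deny(clazz)` check, so every dynamic proxy class is accepted whatever interfaces it implements, including ones the permission set would otherwise refuse. Consider keeping the deny rules in force by vetting what the proxy exposes before returning, e.g. `for (Class<?> itf : clazz.getInterfaces()) { if (deny(itf)) { return false; } }`. The `// proxy goes through` comment should also say why the exception exists, something like `// proxy classes are generated at runtime; permit them only through their interfaces`. The enclosing method starts and ends outside the hunk, so whether later checks in it or member-level permissions already cover this cannot be confirmed from here.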
@@ -18,12 +18,14 @@ package org.apache.commons.jexl3;
 import org.apache.commons.jexl3.internal.Engine32;
 import org.apache.commons.jexl3.internal.OptionsContext;
+import static org.apache.commons.jexl3.introspection.JexlPermissions.RESTRICTED;
 import org.apache.commons.jexl3.introspection.JexlSandbox;
 import org.junit.Assert;
 import org.junit.Test;
 import java.io.StringReader;
 import java.io.StringWriter;
+import java.lang.reflect.Proxy;
 import java.math.MathContext;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -1284,4 +1286,38 @@ public class Issues300Test {
 Assert.assertEquals("foo", x.toString());
 }
+ public interface Interface397i {
+ String summary();
+ }
+ static private class Class397 implements Interface397i {
+ @Override public String summary() {
+ return getClass().getName();
+ }
+ }
+ <T> T createProxy(final JexlEngine jexl, final Object o, final Class[] clazzz) {
+ // a JEX-based delegating proxy
+ return (T) Proxy.newProxyInstance(getClass().getClassLoader(), clazzz,
+ (proxy, method, args) -> jexl.invokeMethod(o, method.getName(), args)
+ );
+ }
+
+ @Test public void testIssue397() {
+ String result;
+ final String control = Class397.class.getName();
+ final JexlEngine jexl = new JexlBuilder().permissions(RESTRICTED).create();
+
+ Interface397i instance = new Class397();
+ result = (String) jexl.invokeMethod(instance, "summary");
+ Assert.assertEquals(control, result);
+
+ Interface397i proxy = createProxy(jexl, instance, new Class[] { Interface397i.class }) ;
+ result = (String) jexl.invokeMethod(proxy, "summary");
+ Assert.assertEquals(control, result);
+
+ JexlScript script = jexl.createScript("dan.summary()", "dan");
+ result = (String) script.execute(null, instance);
+ Assert.assertEquals(control, result);
+ result = (String) script.execute(null, proxy);
+ Assert.assertEquals(control, result);
+ }
 }
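Review bot: testIssue397 only asserts the permitted path, that `summary()` resolves on the instance and on its proxy under `RESTRICTED`, so nothing pins down that the proxy exception does not widen access. Add a negative case in which the proxy implements an interface the permissions are meant to refuse, and assert that the call through JEXL is still rejected. In `createProxy`, the raw `final Class[] clazzz` and the unchecked `(T)` cast would read better as `final Class<?>[] clazzz` with a narrowly scoped `@SuppressWarnings("unchecked")`, and the comment presumably means `// a JEXL-based delegating proxy`.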