This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch ranger-2.8
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.8 by this push:
new 86d0fb628 RANGER-5324: replace iterations with streams in
RangerRequestScriptEvaluator - #2
86d0fb628 is described below
commit 86d0fb62822925c81762d584ec1c41160708300d
Author: Madhan Neethiraj <[email protected]>
AuthorDate: Sun Oct 5 02:12:41 2025 -0700
RANGER-5324: replace iterations with streams in
RangerRequestScriptEvaluator - #2
(cherry picked from commit dd8b8c6d82997a45b18f3ebeff7002bb3906abd7)
---
.../policyengine/RangerRequestScriptEvaluator.java | 2 +-
.../RangerRequestScriptEvaluatorTest.java | 24 +++++++++++-----------
2 files changed, 13 insertions(+), 13 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
index f94df27e6..ee2df197b 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
@@ -160,7 +160,7 @@ public final class RangerRequestScriptEvaluator {
private static final String DEFAULT_RANGER_TAG_ATTRIBUTE_DATE_FORMAT
= "yyyy/MM/dd";
private static final String DEFAULT_ATLAS_TAG_ATTRIBUTE_DATE_FORMAT_NAME
= "ATLAS_DATE_FORMAT";
private static final String DEFAULT_ATLAS_TAG_ATTRIBUTE_DATE_FORMAT
= "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'";
- private static final String SCRIPT_SAFE_PREEXEC
=
"Object.defineProperty(this,'engine',{value:null,writable:false});exit=null;quit=null;";
+ private static final String SCRIPT_SAFE_PREEXEC
=
"Object.defineProperty(this,'engine',{value:null,writable:false});Object.defineProperty(this,'context',{value:null,writable:false});Object.defineProperty(this,'__noSuchProperty__',{value:null,writable:false});Object.defineProperty(this,'loadWithNewGlobal',{value:null,writable:false});exit=null;quit=null;";
private static final String SCRIPT_PREEXEC
= SCRIPT_VAR__CTX + "=JSON.parse(" + SCRIPT_VAR__CTX_JSON + ");
J=JSON.stringify;" +
SCRIPT_VAR_REQ + "=" + SCRIPT_VAR__CTX + "." +
SCRIPT_FIELD_REQUEST + ";" +
SCRIPT_VAR_RES + "=" + SCRIPT_VAR_REQ + "." +
SCRIPT_FIELD_RESOURCE + ";" +
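Review bot: SCRIPT_SAFE_PREEXEC is a denylist packed into one unbroken string literal, and the three names added here (`context`, `__noSuchProperty__`, `loadWithNewGlobal`) carry no comment saying why each is nulled or which test covers it. I would add `// Globals nulled before any policy-condition script runs; keep in sync with testBlockJavaClassReferences` above the constant, and consider generating the `Object.defineProperty(...)` calls from a list of names so the next addition is a one-word diff. The descriptors set only `value` and `writable`; if any of these globals already exists as a configurable property when the string runs, script code could redefine it later, so spelling out `configurable:false` would make the intent explicit (this cannot be verified from the hunk). A denylist only covers names someone has already thought of, so it is presumably a second layer behind the engine's own Java-access restriction, and the comment should say so. The class body continues outside the hunk.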
diff --git
a/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerRequestScriptEvaluatorTest.java
b/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerRequestScriptEvaluatorTest.java
index 35e32496c..ed329e2ec 100644
---
a/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerRequestScriptEvaluatorTest.java
+++
b/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerRequestScriptEvaluatorTest.java
@@ -431,23 +431,23 @@ public void testBlockJavaClassReferences() {
RangerAccessRequest request = createRequest("test-user",
Collections.emptySet(), Collections.emptySet(), Collections.emptyList());
RangerRequestScriptEvaluator evaluator = new
RangerRequestScriptEvaluator(request, scriptEngine, false);
- Assert.assertNull("test: java.lang.System.out.println(\"test\");",
evaluator.evaluateScript("java.lang.System.out.println(\"test\");"));
- Assert.assertNull("test:
java.lang.Runtime.getRuntime().exec(\"bash\");",
evaluator.evaluateScript("java.lang.Runtime.getRuntime().exec(\"bash\");"));
-
String fileName = "/tmp/ctest1-" + System.currentTimeMillis();
- String script = "var file = new java.io.File('" + fileName + "');
file.createNewFile()";
- Assert.assertNull("test file access using: " + script,
evaluator.evaluateScript(script));
+ String[] scripts = new String[] {
+ "java.lang.System.out.println(\"test\");",
+ "java.lang.Runtime.getRuntime().exec(\"bash\");",
+ "var
newBindings=loadWithNewGlobal({'script':'this','name':'ctest'});this.context.setBindings(newBindings,100);var
newEngine = this.__noSuchProperty__('engine');var
e=newEngine.getFactory().getScriptEngine('-Dnashorn.args=--no-java=False');e.eval('java.lang.Runtime.getRuntime().exec(\"touch
/tmp/ctest1\")')",
+ "engine.eval('malicious code')",
+ "var str = new java.lang.String('test'); str.length()",
+ "var file = new java.io.File('" + fileName + "');
file.createNewFile()",
+ };
+
+ for (String script : scripts) {
+ Assert.assertNull("test: " + script,
evaluator.evaluateScript(script));
+ }
File testFile = new File(fileName);
Assert.assertFalse(fileName + ": file should not have been created",
testFile.exists());
-
- script = "engine.eval('malicious code')";
-
- Assert.assertNull("test engine access using: " + script,
evaluator.evaluateScript(script));
-
- script = "var str = new java.lang.String('test'); str.length()";
- Assert.assertNull("test Java String class access using: " + script,
evaluator.evaluateScript(script));
}
@Test
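Review bot: The new third script targets `/tmp/ctest1`, but the only file-system assertion after the loop checks `fileName` (`/tmp/ctest1-<millis>`), so `assertNull` alone has to prove that script was blocked. `assertNull` passes whenever `evaluateScript` returns null, and depending on how it handles script errors (not visible here) that may not distinguish "blocked" from "ran with a side effect and then failed". I would have the script touch a unique path such as `String touchedName = fileName + "-touch";` and add `Assert.assertFalse(touchedName + ": file should not have been created", new File(touchedName).exists());` after the loop. A fixed name under `/tmp` can also be left over from an earlier run, which the unique path avoids. The method body starts above the hunk.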