This is an automated email from the ASF dual-hosted git repository.

madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new dd8b8c6d8 RANGER-5324: replace iterations with streams in 
RangerRequestScriptEvaluator - #2
dd8b8c6d8 is described below

commit dd8b8c6d82997a45b18f3ebeff7002bb3906abd7
Author: Madhan Neethiraj <[email protected]>
AuthorDate: Sun Oct 5 02:12:41 2025 -0700

    RANGER-5324: replace iterations with streams in 
RangerRequestScriptEvaluator - #2
---
 .../policyengine/RangerRequestScriptEvaluator.java |  2 +-
 .../RangerRequestScriptEvaluatorTest.java          | 24 +++++++++++-----------
 2 files changed, 13 insertions(+), 13 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
index f94df27e6..ee2df197b 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
@@ -160,7 +160,7 @@ public final class RangerRequestScriptEvaluator {
     private static final String  DEFAULT_RANGER_TAG_ATTRIBUTE_DATE_FORMAT     
= "yyyy/MM/dd";
     private static final String  DEFAULT_ATLAS_TAG_ATTRIBUTE_DATE_FORMAT_NAME 
= "ATLAS_DATE_FORMAT";
     private static final String  DEFAULT_ATLAS_TAG_ATTRIBUTE_DATE_FORMAT      
= "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'";
-    private static final String  SCRIPT_SAFE_PREEXEC                          
= 
"Object.defineProperty(this,'engine',{value:null,writable:false});exit=null;quit=null;";
+    private static final String  SCRIPT_SAFE_PREEXEC                          
= 
"Object.defineProperty(this,'engine',{value:null,writable:false});Object.defineProperty(this,'context',{value:null,writable:false});Object.defineProperty(this,'__noSuchProperty__',{value:null,writable:false});Object.defineProperty(this,'loadWithNewGlobal',{value:null,writable:false});exit=null;quit=null;";
     private static final String  SCRIPT_PREEXEC                               
= SCRIPT_VAR__CTX + "=JSON.parse(" + SCRIPT_VAR__CTX_JSON + "); 
J=JSON.stringify;" +
             SCRIPT_VAR_REQ + "=" + SCRIPT_VAR__CTX + "." + 
SCRIPT_FIELD_REQUEST + ";" +
             SCRIPT_VAR_RES + "=" + SCRIPT_VAR_REQ + "." + 
SCRIPT_FIELD_RESOURCE + ";" +
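Review bot: The hardened `SCRIPT_SAFE_PREEXEC` is one very long literal in which each blocked global is spelled out by hand and no `defineProperty` descriptor sets `configurable`, so the list is hard to audit and the lock-down may depend on the attributes the engine gave those properties beforehand. Building the string from a named list of blocked globals with an explicit `configurable:false`, as sketched below, keeps the list reviewable and states the intent; the sketch assumes `Arrays` and `Collectors` are already imported, which this hunk does not show. A short comment on the constant should say why each name is nulled, since the test in this commit shows `loadWithNewGlobal`, `context` and `__noSuchProperty__` being combined to reach the engine. This remains a denylist, so any other engine-provided global that can reach the script context is covered only if something outside this hunk handles it. The `SCRIPT_PREEXEC` declaration continues past the end of the hunk.

```java
// Globals a condition script must never reach; exercised by testBlockJavaClassReferences.
private static final String[] SCRIPT_BLOCKED_GLOBALS = {"engine", "context", "__noSuchProperty__", "loadWithNewGlobal"};
private static final String   SCRIPT_SAFE_PREEXEC    =
        Arrays.stream(SCRIPT_BLOCKED_GLOBALS)
                .map(name -> "Object.defineProperty(this,'" + name + "',{value:null,writable:false,configurable:false});")
                .collect(Collectors.joining()) + "exit=null;quit=null;";
// … unchanged: SCRIPT_PREEXEC and the remaining constants …
```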
diff --git 
a/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerRequestScriptEvaluatorTest.java
 
b/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerRequestScriptEvaluatorTest.java
index 35e32496c..ed329e2ec 100644
--- 
a/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerRequestScriptEvaluatorTest.java
+++ 
b/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerRequestScriptEvaluatorTest.java
@@ -431,23 +431,23 @@ public void testBlockJavaClassReferences() {
         RangerAccessRequest          request   = createRequest("test-user", 
Collections.emptySet(), Collections.emptySet(), Collections.emptyList());
         RangerRequestScriptEvaluator evaluator = new 
RangerRequestScriptEvaluator(request, scriptEngine, false);
 
-        Assert.assertNull("test: java.lang.System.out.println(\"test\");", 
evaluator.evaluateScript("java.lang.System.out.println(\"test\");"));
-        Assert.assertNull("test: 
java.lang.Runtime.getRuntime().exec(\"bash\");", 
evaluator.evaluateScript("java.lang.Runtime.getRuntime().exec(\"bash\");"));
-
         String fileName = "/tmp/ctest1-" + System.currentTimeMillis();
-        String script   = "var file = new java.io.File('" + fileName +  "'); 
file.createNewFile()";
 
-        Assert.assertNull("test file access using: " + script, 
evaluator.evaluateScript(script));
+        String[] scripts = new String[] {
+                "java.lang.System.out.println(\"test\");",
+                "java.lang.Runtime.getRuntime().exec(\"bash\");",
+                "var 
newBindings=loadWithNewGlobal({'script':'this','name':'ctest'});this.context.setBindings(newBindings,100);var
 newEngine = this.__noSuchProperty__('engine');var 
e=newEngine.getFactory().getScriptEngine('-Dnashorn.args=--no-java=False');e.eval('java.lang.Runtime.getRuntime().exec(\"touch
 /tmp/ctest1\")')",
+                "engine.eval('malicious code')",
+                "var str = new java.lang.String('test'); str.length()",
+                "var file = new java.io.File('" + fileName +  "'); 
file.createNewFile()",
+        };
+
+        for (String script : scripts) {
+            Assert.assertNull("test: " + script, 
evaluator.evaluateScript(script));
+        }
 
         File testFile = new File(fileName);
         Assert.assertFalse(fileName + ": file should not have been created", 
testFile.exists());
-
-        script = "engine.eval('malicious code')";
-
-        Assert.assertNull("test engine access using: " + script, 
evaluator.evaluateScript(script));
-
-        script = "var str = new java.lang.String('test'); str.length()";
-        Assert.assertNull("test Java String class access using: " + script, 
evaluator.evaluateScript(script));
     }
 
     @Test
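Review bot: The new sandbox-escape script targets the fixed path `/tmp/ctest1`, but the only side-effect assertion after the loop checks `fileName`, so this case passes on `assertNull` alone. If `evaluateScript` also returns null when a script fails part-way (not visible here), a regression in which the command ran before the failure would go unnoticed. Point the script at a unique path, e.g. `exec(\"touch " + fileName + "-escape\")`, and add `Assert.assertFalse(fileName + "-escape: file should not have been created", new File(fileName + "-escape").exists());` after the loop. A unique name also keeps a file left over from an earlier run from affecting the result. The body of `testBlockJavaClassReferences` starts above this hunk.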
