Author: henrib Date: Thu Nov 3 10:03:47 2011 New Revision: 1197040 URL: http://svn.apache.org/viewvc?rev=1197040&view=rev Log: Updated changes and release notes; Added a sandbox test (protect call to System, etc)
Modified: commons/proper/jexl/trunk/RELEASE-NOTES.txt commons/proper/jexl/trunk/src/site/xdoc/changes.xml commons/proper/jexl/trunk/src/test/java/org/apache/commons/jexl2/SandboxTest.java Modified: commons/proper/jexl/trunk/RELEASE-NOTES.txt URL: http://svn.apache.org/viewvc/commons/proper/jexl/trunk/RELEASE-NOTES.txt?rev=1197040&r1=1197039&r2=1197040&view=diff ============================================================================== --- commons/proper/jexl/trunk/RELEASE-NOTES.txt (original) +++ commons/proper/jexl/trunk/RELEASE-NOTES.txt Thu Nov 3 10:03:47 2011 @@ -41,9 +41,10 @@ What's new in 2.1: * A more thorough arithmetic (JexlArithmetic) that allows fine control over decimals (scale and precision), a new syntax for numeric literals (OGNL inspired Big and Huge notations) and a better type handling keeping the most appropriate representation in casual operations. -* The introduction of script variables and parameters that reduce context dependencies and methods that allow some - checks performed after script creation (light static checking hints). Plus the ability to call script from scripts. +* The introduction of script variables and parameters that reduce context dependencies and methods; this allows to + perform checks after script creation (light static checking hints). Plus the ability to call script from scripts. * A sandoxing feature to restrict and rename what JEXL can access from the environment allowing tighter control over security. +* Extensions to UnifiedJEXL that allow the creation of templates. New features in 2.1: ==================== 
@@ -52,6 +53,8 @@ New features in 2.1: * JEXL-118: Provide an IN operator * JEXL-115: Add support for asynchronous script execution and cancellation * JEXL-116: Add control over classes, methods, constructors and properties allowed in scripts +* JEXL-120: Add simple template features +* JEXL-119: Allow indexed properties container resolution in expressions * JEXL-106: When divide two BigDecimal values in an expression it results in java.lang.ArithmeticException * JEXL-102: Add "jexl2" as a supported name Modified: commons/proper/jexl/trunk/src/site/xdoc/changes.xml URL: http://svn.apache.org/viewvc/commons/proper/jexl/trunk/src/site/xdoc/changes.xml?rev=1197040&r1=1197039&r2=1197040&view=diff ============================================================================== --- commons/proper/jexl/trunk/src/site/xdoc/changes.xml (original) +++ commons/proper/jexl/trunk/src/site/xdoc/changes.xml Thu Nov 3 10:03:47 2011 @@ -26,6 +26,12 @@ </properties> <body> <release version="2.1" date="unreleased"> + <action dev="henrib" type="add" issue="JEXL-121"> + Add simple template features + </action> + <action dev="henrib" type="fix" issue="JEXL-120" due-to="Lukas Krecan"> + Make ParseException work in sandboxed environment + </action> <action dev="henrib" type="add" issue="JEXL-119"> Allow indexed properties container resolution in expressions </action> Modified: commons/proper/jexl/trunk/src/test/java/org/apache/commons/jexl2/SandboxTest.java URL: http://svn.apache.org/viewvc/commons/proper/jexl/trunk/src/test/java/org/apache/commons/jexl2/SandboxTest.java?rev=1197040&r1=1197039&r2=1197040&view=diff ============================================================================== --- commons/proper/jexl/trunk/src/test/java/org/apache/commons/jexl2/SandboxTest.java (original) +++ commons/proper/jexl/trunk/src/test/java/org/apache/commons/jexl2/SandboxTest.java Thu Nov 3 10:03:47 2011 
@@ -193,7 +193,7 @@ public class SandboxTest extends JexlTes
 script = sjexl.createScript(expr, "foo");
 result = script.execute(null, foo);
 assertEquals(foo.alias, result);
-
+
 script = sjexl.createScript("foo.ALIAS", "foo");
 result = script.execute(null, foo);
 assertEquals(foo.alias, result);
@@ -216,4 +216,43 @@ public class SandboxTest extends JexlTes
 assertEquals("43", result);
 assertEquals("43", foo.alias);
 }
+
+ public void testRestrict() throws Exception {
+ JexlContext context = new MapContext();
+ context.set("System", System.class);
+ Sandbox sandbox = new Sandbox();
+ // only allow call to currentTimeMillis (avoid exit, gc, loadLibrary, etc)
+ sandbox.white(System.class.getName()).execute("currentTimeMillis");
+ // can not create a new file
+ sandbox.black(java.io.File.class.getName()).execute("");
+
+ Uberspect uber = new SandboxUberspectImpl(null, sandbox);
+ JexlEngine sjexl = new JexlEngine(uber, null, null, null);
+ sjexl.setStrict(true);
+
+ String expr;
+ Script script;
+ Object result;
+
+ script = sjexl.createScript("System.exit()");
+ try {
+ result = script.execute(context);
+ fail("should not allow calling exit!");
+ } catch (JexlException xjexl) {
+ LOGGER.info(xjexl.toString());
+ }
+
+ script = sjexl.createScript("new('java.io.File', '/tmp/should-not-be-created')");
+ try {
+ result = script.execute(context);
+ fail("should not allow creating a file");
+ } catch (JexlException xjexl) {
+ LOGGER.info(xjexl.toString());
+ }
+
+ expr = "System.currentTimeMillis()";
+ script = sjexl.createScript("System.currentTimeMillis()");
+ result = script.execute(context);
+ assertNotNull(result);
+ }
 }
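Review bot: The `System.exit()` case in testRestrict can pass without the sandbox denying anything: `System.exit` only has an `int` overload, so under `setStrict(true)` a zero-argument call would presumably fail method resolution anyway, and the catch accepts any JexlException. Adding a denial case that can only fail because of the whitelist would pin the restriction, for example a real no-arg static that is not listed, `script = sjexl.createScript("System.nanoTime()");`, wrapped in the same `fail(...)`/catch. The `execute("")` on the `java.io.File` blacklist appears to stand for the constructor; if that is the convention, a comment such as `// "" denotes the constructor` next to it would make the intent readable. `expr` is assigned near the end but never read, so either pass it to `createScript(expr)` or drop the variable.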