[ https://issues.apache.org/jira/browse/JEXL-424?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Xu Pengcheng updated JEXL-424:
------------------------------
    Description:

{code:java}
JexlSandbox sandbox = new JexlSandbox(false, true);
sandbox.permissions(Map.class.getName(), true, true, true, true);
...
String jexlCode = "x.foo = 'bar';";
JexlEngine engine =
    new Engine(
        new JexlBuilder()
            .sandbox(sandbox)
            .safe(false)
            .strict(true));
Map<String, Object> vars = new LinkedHashMap<>();
vars.put("x", new LinkedHashMap<>());
engine.createScript(jexlCode).execute(new MapContext(vars));
{code}

The code is OK with JDK11, but causes an error "undefined property 'foo'" with JDK21.

I did some debugging and found the problem is:

JDK11: LinkedHashMap implements Map
JDK21: LinkedHashMap implements SequencedMap extends Map

and from [JexlSandbox.java#L540|https://github.com/apache/commons-jexl/blob/master/src/main/java/org/apache/commons/jexl3/introspection/JexlSandbox.java#L540]

{code:java}
for (final Class<?> inter : clazz.getInterfaces()) {
    permissions = sandbox.get(inter.getName());
    if (permissions != null) {
        if (permissions.isInheritable()) {
            break;
        }
        permissions = null;
    }
}
{code}

The sandbox only checks the direct interfaces but does not check their super-interfaces, but for the class permission check, it looks into its parents. Is it by design or a bug?

And also, because when checking the permission of a class it does not check its interfaces' permissions, the result for a class is not stable in case the parent class has permission from its interface.

For example:

{code:java}
interface I{}
static class A implements I{}
static class B extends A{}

@Test
void testPermission() {
    JexlSandbox sandbox = new JexlSandbox(false, true);
    sandbox.permissions(I.class.getName(), true, true, true, false);
    System.out.println("permission A=" + sandbox.get(A.class.getName()).write());
    System.out.println("permission B=" + sandbox.get(B.class.getName()).write());
}
{code}

The result is:

permission A=org.apache.commons.jexl3.introspection.JexlSandbox$AllowSet@31e04b13
permission B=org.apache.commons.jexl3.introspection.JexlSandbox$AllowSet@31e04b13

but if checking B before A, the result is:

permission B=org.apache.commons.jexl3.introspection.JexlSandbox$2@6c1832aa
permission A=org.apache.commons.jexl3.introspection.JexlSandbox$AllowSet@47ad69f7

BTW, what is the release date for the next version? Thanks!

> Permission error after upgraded to JDK 21
> -----------------------------------------
>
>                 Key: JEXL-424
>                 URL: https://issues.apache.org/jira/browse/JEXL-424
>             Project: Commons JEXL
>          Issue Type: Bug
>   Affects Versions: 3.3
>            Reporter: Xu Pengcheng
>            Priority: Major