[ https://issues.apache.org/jira/browse/JEXL-424?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Henri Biestro resolved JEXL-424.
--------------------------------
    Resolution: Fixed

Code was indeed dependent on permission lookup order since it was only checking the permission cache; fix is to compute permission fully on a 'get' (if not cached).
That being said, the new framework org.apache.commons.jexl3.introspection.JexlPermissions is now the preferred way to secure applications and restrict class/method/fields visibility.
Commit [78b3dd9|https://github.com/apache/commons-jexl/commit/78b3dd90f07d86531c8c99f6f9b5bea00bea8205]

> Permission error after upgrade to JDK 21
> -----------------------------------------
>
>                 Key: JEXL-424
>                 URL: https://issues.apache.org/jira/browse/JEXL-424
>             Project: Commons JEXL
>          Issue Type: Bug
>    Affects Versions: 3.3
>            Reporter: Xu Pengcheng
>            Assignee: Henri Biestro
>            Priority: Major
>             Fix For: 3.4.1
>
>
> {code:java}
> JexlSandbox sandbox = new JexlSandbox(false, true);
> sandbox.permissions(Map.class.getName(), true, true, true, true);
> ...
> String jexlCode = "x.foo = 'bar';";
> JexlEngine engine =
>     new Engine(
>         new JexlBuilder()
>             .sandbox(sandbox)
>             .safe(false)
>             .strict(true));
> Map<String, Object> vars = new LinkedHashMap<>();
> vars.put("x", new LinkedHashMap<>());
> engine.createScript(jexlCode).execute(new MapContext(vars));
> {code}
> The code is ok with JDK11, but caused an error "undefined property 'foo'" with JDK21.
>
> I did some debugging and found the problem is
> JDK11: LinkedHashMap implements Map
> JDK21: LinkedHashMap implements SequencedMap extends Map
> and from [JexlSandbox.java#L540|https://github.com/apache/commons-jexl/blob/master/src/main/java/org/apache/commons/jexl3/introspection/JexlSandbox.java#L540]
> {code:java}
> for (final Class<?> inter : clazz.getInterfaces()) {
>     permissions = sandbox.get(inter.getName());
>     if (permissions != null) {
>         if (permissions.isInheritable()) {
>             break;
>         }
>         permissions = null;
>     }
> }
> {code}
> the sandbox only checks the direct interfaces but does not check its super interfaces, while for the class permission check it looks into its parents; is this by design or a bug?
>
> And also, when checking the permission of a class, it does not check its interfaces' permissions, so the result for a class is not stable in case a parent class has its permission from an interface.
> For example:
> {code:java}
> interface I {}
> static class A implements I {}
> static class B extends A {}
>
> @Test
> void testPermission() {
>     JexlSandbox sandbox = new JexlSandbox(false, true);
>     sandbox.permissions(I.class.getName(), true, true, true, false);
>     System.out.println("permission A=" + sandbox.get(A.class.getName()).write());
>     System.out.println("permission B=" + sandbox.get(B.class.getName()).write());
> }
> {code}
> The result is
> permission A=org.apache.commons.jexl3.introspection.JexlSandbox$AllowSet@31e04b13
> permission B=org.apache.commons.jexl3.introspection.JexlSandbox$AllowSet@31e04b13
> but if checking B before A, the result is
> permission B=org.apache.commons.jexl3.introspection.JexlSandbox$2@6c1832aa
> permission A=org.apache.commons.jexl3.introspection.JexlSandbox$AllowSet@47ad69f7
>
> Maybe we need to traverse the whole inheritance tree and also need a merge policy for multiple permission definitions?
>
> BTW, what is the release date for the next version? Thanks!

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
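The report above boils down to two properties a sandbox permission lookup must have: it has to walk the whole supertype graph (superclasses and super-interfaces, transitively, which is what the JDK 21 `LinkedHashMap -> SequencedMap -> Map` chain exposed), and the answer for a class must not depend on which class happened to be queried first. The following is an added, self-contained model of such a lookup written for this thread; it is not JexlSandbox code and does not use the JEXL API. `HierarchyPermissions`, `Permission`, and the `I`/`A`/`B` hierarchy are constructed stand-ins; the merge policy it implements (an explicit declaration on the type itself always wins, otherwise the first inheritable declaration found breadth-first among supertypes, with non-inheritable supertype declarations skipped) is this example's own choice, not the project's.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/**
 * Toy, order-independent permission lookup (hypothetical, not JEXL code).
 * The full supertype graph is walked before a result is cached, so the
 * cached value for a class is the same no matter which class was asked first.
 */
public final class HierarchyPermissions {

    /** Constructed stand-in for a sandbox permission: just the flags. */
    public record Permission(boolean inheritable, boolean read, boolean write, boolean execute) {}

    private final Map<String, Permission> declared = new HashMap<>();
    private final Map<String, Permission> cache = new HashMap<>();
    private final Permission fallback; // what an undeclared type gets (deny-by-default here)

    public HierarchyPermissions(Permission fallback) {
        this.fallback = fallback;
    }

    /** Declares a permission; any cached answers may now be stale, so drop them all. */
    public void declare(Class<?> type, Permission p) {
        declared.put(type.getName(), p);
        cache.clear();
    }

    public void clearCache() {
        cache.clear();
    }

    /** Full lookup: explicit declaration first, then breadth-first over all supertypes. */
    public Permission get(Class<?> type) {
        Permission cached = cache.get(type.getName());
        if (cached != null) {
            return cached;
        }
        Permission result = declared.get(type.getName()); // explicit wins, inheritable or not
        if (result == null) {
            Deque<Class<?>> queue = new ArrayDeque<>();
            Set<Class<?>> seen = new HashSet<>();
            enqueueSupertypes(type, queue, seen);
            while (result == null && !queue.isEmpty()) {
                Class<?> t = queue.poll();
                Permission p = declared.get(t.getName());
                if (p != null && p.inheritable()) {
                    result = p; // first inheritable hit, nearest in the graph, wins
                } else {
                    enqueueSupertypes(t, queue, seen); // keep climbing past undeclared or non-inheritable types
                }
            }
        }
        if (result == null) {
            result = fallback;
        }
        cache.put(type.getName(), result); // cached only after the complete walk
        return result;
    }

    /** Adds the direct superclass and direct interfaces of t, each at most once. */
    private static void enqueueSupertypes(Class<?> t, Deque<Class<?>> queue, Set<Class<?>> seen) {
        Class<?> sup = t.getSuperclass();
        if (sup != null && seen.add(sup)) {
            queue.add(sup);
        }
        for (Class<?> i : t.getInterfaces()) {
            if (seen.add(i)) {
                queue.add(i);
            }
        }
    }

    // Constructed hierarchy mirroring the report: B extends A implements I.
    interface I {}
    static class A implements I {}
    static class B extends A {}

    public static void main(String[] args) {
        Permission deny = new Permission(true, false, false, false);
        Permission rwx = new Permission(true, true, true, true);
        HierarchyPermissions sandbox = new HierarchyPermissions(deny);
        sandbox.declare(I.class, rwx);

        // Query B before A, then A before B: both orders yield the same permission (rwx).
        System.out.println("B then A: " + sandbox.get(B.class) + " / " + sandbox.get(A.class));
        sandbox.clearCache();
        System.out.println("A then B: " + sandbox.get(A.class) + " / " + sandbox.get(B.class));

        // The JDK 21 shape from the report: Map is reached only through super-interfaces.
        sandbox.declare(Map.class, rwx);
        System.out.println("LinkedHashMap: " + sandbox.get(LinkedHashMap.class));
    }
}
```

The two details that matter for a defender are both in `get`: nothing is written to the cache until the walk has finished, and the walk follows `getInterfaces()` of every supertype it visits rather than only of the class itself, so an allow-list granted on `Map` still reaches `LinkedHashMap` when an intermediate interface such as `SequencedMap` is inserted by a newer JDK. With a deny-by-default fallback, a lookup that stops early fails closed (the "undefined property" error in the report) rather than open, which is the safe direction for a sandbox bug; the fix is still needed because a deny that depends on query order is not a policy anyone can reason about.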