This is an automated email from the ASF dual-hosted git repository. henrib pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/commons-jexl.git
The following commit(s) were added to refs/heads/master by this push: new d73a3c13 JEXL-386: fix sandbox permissions inheritance; d73a3c13 is described below commit d73a3c130494f5ce9dafdb2644a98d1bc9abd7dc Author: henrib <hen...@apache.org> AuthorDate: Wed Nov 9 07:08:06 2022 +0100 JEXL-386: fix sandbox permissions inheritance; --- .../commons/jexl3/introspection/JexlSandbox.java | 16 +++-- .../commons/jexl3/introspection/SandboxTest.java | 68 +++++++++++++++++++++- 2 files changed, 78 insertions(+), 6 deletions(-) diff --git a/src/main/java/org/apache/commons/jexl3/introspection/JexlSandbox.java b/src/main/java/org/apache/commons/jexl3/introspection/JexlSandbox.java index 62d521cb..1bdadfbb 100644 --- a/src/main/java/org/apache/commons/jexl3/introspection/JexlSandbox.java +++ b/src/main/java/org/apache/commons/jexl3/introspection/JexlSandbox.java @@ -648,8 +648,12 @@ public final class JexlSandbox { // find first inherited interface that defines permissions for (final Class<?> inter : clazz.getInterfaces()) { permissions = sandbox.get(inter.getName()); - if (permissions != null && permissions.isInheritable()) { - break; + if (permissions != null) { + if (permissions.isInheritable()) { + break; + } else { + permissions = null; + } } } // nothing defined yet, find first superclass that defines permissions @@ -659,8 +663,12 @@ public final class JexlSandbox { // walk all superclasses while (zuper != null) { permissions = sandbox.get(zuper.getName()); - if (permissions != null && permissions.isInheritable()) { - break; + if (permissions != null) { + if (permissions.isInheritable()) { + break; + } else { + permissions = null; + } } zuper = zuper.getSuperclass(); } diff --git a/src/test/java/org/apache/commons/jexl3/introspection/SandboxTest.java b/src/test/java/org/apache/commons/jexl3/introspection/SandboxTest.java index 0a3fda12..6b634b40 100644 --- a/src/test/java/org/apache/commons/jexl3/introspection/SandboxTest.java +++ b/src/test/java/org/apache/commons/jexl3/introspection/SandboxTest.java @@ -18,7 +18,6 @@ package org.apache.commons.jexl3.introspection; import java.util.ArrayList; import java.util.Arrays; -import java.util.HashMap; import java.util.List; import java.util.Map; @@ -33,7 +32,6 @@ import org.apache.commons.jexl3.JexlTestCase; import org.apache.commons.jexl3.MapContext; import org.apache.commons.jexl3.annotations.NoJexl; -import org.apache.commons.jexl3.internal.introspection.Permissions; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; @@ -465,7 +463,73 @@ public class SandboxTest extends JexlTestCase { LOGGER.debug(xjm.toString()); } } + public interface SomeInterface { + int bar(); + } + + public static class Foo386 implements SomeInterface { + @Override + public int bar() { + return 42; + } + } + public static class Quux386 extends Foo386 { + @Override + public int bar() { + return -42; + } + } + @Test + public void testInheritedPermission0() { + final Foo386 foo = new Foo386(); + final JexlSandbox sandbox = new JexlSandbox(false, true); + sandbox.permissions(SomeInterface.class.getName(), true, true, true, true); + final JexlEngine sjexl = new JexlBuilder().sandbox(sandbox).safe(false).strict(true).create(); + final JexlScript someOp = sjexl.createScript("foo.bar()", "foo"); + Assert.assertEquals(42, someOp.execute(null, foo)); + } + @Test + public void testNonInheritedPermission0() { + final Foo386 foo = new Foo386(); + final JexlSandbox sandbox = new JexlSandbox(false, true); + sandbox.permissions(SomeInterface.class.getName(), false, true, true, true); + final JexlEngine sjexl = new JexlBuilder().sandbox(sandbox).safe(false).strict(true).create(); + final JexlScript someOp = sjexl.createScript("foo.bar()", "foo"); + + try { + someOp.execute(null, foo); + Assert.fail("should not be possible"); + } catch (final JexlException e) { + // ok + LOGGER.debug(e.toString()); + } + } + @Test + public void testInheritedPermission1() { + final Quux386 foo = new Quux386(); + final JexlSandbox sandbox = new JexlSandbox(false, true); + sandbox.permissions(Foo386.class.getName(), true, true, true, true); + final JexlEngine sjexl = new JexlBuilder().sandbox(sandbox).safe(false).strict(true).create(); + final JexlScript someOp = sjexl.createScript("foo.bar()", "foo"); + Assert.assertEquals(-42, someOp.execute(null, foo)); + } + @Test + public void testNonInheritedPermission1() { + final Quux386 foo = new Quux386(); + final JexlSandbox sandbox = new JexlSandbox(false, true); + sandbox.permissions(Foo386.class.getName(), false, true, true, true); + final JexlEngine sjexl = new JexlBuilder().sandbox(sandbox).safe(false).strict(true).create(); + final JexlScript someOp = sjexl.createScript("foo.bar()", "foo"); + + try { + someOp.execute(null, foo); + Assert.fail("should not be possible"); + } catch (final JexlException e) { + // ok + LOGGER.debug(e.toString()); + } + } public static class Foo42 { public int getFoo() { return 42;