Xu Pengcheng created JEXL-424:
---------------------------------

             Summary: Permission error after upgraded to JDK 21
                 Key: JEXL-424
                 URL: https://issues.apache.org/jira/browse/JEXL-424
             Project: Commons JEXL
          Issue Type: Bug
    Affects Versions: 3.3
            Reporter: Xu Pengcheng


{code:java}
JexlSandbox sandbox = new JexlSandbox(false, true);
sandbox.permissions(Map.class.getName(), true, true, true, true);
// ...
String jexlCode = "x.foo = 'bar';";
JexlEngine engine =
    new Engine(
        new JexlBuilder()
            .sandbox(sandbox)
            .safe(false)
            .strict(true));
Map<String, Object> vars = new LinkedHashMap<>();
vars.put("x", new LinkedHashMap<>());
// On JDK 21 this call fails with "undefined property 'foo'"
engine.createScript(jexlCode).execute(new MapContext(vars));
{code}
The code is OK with JDK11, but causes an error "undefined property 'foo'" with JDK21.

I did some debugging and found the problem is:

JDK11:  LinkedHashMap implements Map

JDK21: LinkedHashMap implements SequencedMap extends Map

and from 
[JexlSandbox.java#L540|https://github.com/apache/commons-jexl/blob/master/src/main/java/org/apache/commons/jexl3/introspection/JexlSandbox.java#L540]
{code:java}
                for (final Class<?> inter : clazz.getInterfaces()) {
                    permissions = sandbox.get(inter.getName());
                    if (permissions != null) {
                        if (permissions.isInheritable()) {
                            break;
                        }
                        permissions = null;
                    }
                }
{code}
The sandbox only checks the direct interfaces but does not check their super interfaces, but for the class permission check, it looks into its parents. Is it by design or a bug?

Also, because when checking the permission of a class it does not check its interface's permission, the result for a class is not stable in case the parent class has permission from its interface.

For example:
{code:java}
interface I{}
static class A implements I{}
static class B extends A{}

@Test
void testPermission() {
  JexlSandbox sandbox = new JexlSandbox(false, true);
  sandbox.permissions(I.class.getName(), true, true, true, false);
  System.out.println("permission A=" + sandbox.get(A.class.getName()).write());
  System.out.println("permission B=" + sandbox.get(B.class.getName()).write());
}
{code}
The result is 

permission A=org.apache.commons.jexl3.introspection.JexlSandbox$AllowSet@31e04b13
permission B=org.apache.commons.jexl3.introspection.JexlSandbox$AllowSet@31e04b13

but if checking B before A, the result is 

permission B=org.apache.commons.jexl3.introspection.JexlSandbox$2@6c1832aa
permission A=org.apache.commons.jexl3.introspection.JexlSandbox$AllowSet@47ad69f7

 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
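
The lookup difference described in the report can be reproduced without JEXL. The following is an added example, not code from the reporter or from Commons JEXL: the `ALLOWED` set is a hypothetical stand-in for the sandbox's permission table, and `transitiveLookup` is one possible way to walk super-interfaces, not the project's fix.

```java
import java.util.ArrayDeque;
import java.util.Collections;
import java.util.Deque;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class InterfaceLookupDemo {
    // Hypothetical stand-in for the sandbox's class-name -> permissions table.
    static final Set<String> ALLOWED = Set.of(Map.class.getName());

    // Mirrors the quoted loop: only interfaces declared directly on the class.
    static boolean directLookup(Class<?> clazz) {
        for (Class<?> inter : clazz.getInterfaces()) {
            if (ALLOWED.contains(inter.getName())) {
                return true;
            }
        }
        return false;
    }

    // Walks superclasses and every super-interface, breadth first.
    static boolean transitiveLookup(Class<?> clazz) {
        Deque<Class<?>> todo = new ArrayDeque<>();
        Set<Class<?>> seen = new HashSet<>();
        todo.add(clazz);
        while (!todo.isEmpty()) {
            Class<?> c = todo.poll();
            if (!seen.add(c)) {
                continue; // already visited through another path
            }
            if (ALLOWED.contains(c.getName())) {
                return true;
            }
            if (c.getSuperclass() != null) {
                todo.add(c.getSuperclass());
            }
            Collections.addAll(todo, c.getInterfaces());
        }
        return false;
    }

    public static void main(String[] args) {
        System.out.println("java.version      = " + System.getProperty("java.version"));
        System.out.println("direct lookup     = " + directLookup(LinkedHashMap.class));
        System.out.println("transitive lookup = " + transitiveLookup(LinkedHashMap.class));
    }
}
```

On JDK 11 both lookups find `Map`; on JDK 21 the direct lookup misses it because `LinkedHashMap` declares `SequencedMap` instead, while the transitive walk still reaches `Map`.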
