Xu Pengcheng created JEXL-424:
---------------------------------

Summary: Permission error after upgraded to JDK 21
Key: JEXL-424
URL: https://issues.apache.org/jira/browse/JEXL-424
Project: Commons JEXL
Issue Type: Bug
Affects Versions: 3.3
Reporter: Xu Pengcheng

{code:java}
JexlSandbox sandbox = new JexlSandbox(false, true);
sandbox.permissions(Map.class.getName(), true, true, true, true);
...
String jexlCode = "x.foo = 'bar';";
JexlEngine engine = new Engine(
    new JexlBuilder()
        .sandbox(sandbox)
        .safe(false)
        .strict(true));
Map<String, Object> vars = new LinkedHashMap<>();
vars.put("x", new LinkedHashMap<>());
engine.createScript(jexlCode).execute(new MapContext(vars));
{code}

The code is OK with JDK11, but caused an error "undefined property 'foo'" with JDK21.

I did some debugging and found the problem is:

JDK11: LinkedHashMap implements Map
JDK21: LinkedHashMap implements SequencedMap extends Map

and from [JexlSandbox.java#L540|https://github.com/apache/commons-jexl/blob/master/src/main/java/org/apache/commons/jexl3/introspection/JexlSandbox.java#L540]

{code:java}
for (final Class<?> inter : clazz.getInterfaces()) {
    permissions = sandbox.get(inter.getName());
    if (permissions != null) {
        if (permissions.isInheritable()) {
            break;
        }
        permissions = null;
    }
}
{code}

The sandbox only checks the direct interfaces but does not check their super-interfaces, whereas for the class permission check it looks into its parents. Is it by design or a bug?

Also, because when checking the permission of a class it does not check its interface's permission, the result for a class is not stable in case the parent class has a permission from its interface.

For example:

{code:java}
interface I{}
static class A implements I{}
static class B extends A{}

@Test
void testPermission() {
    JexlSandbox sandbox = new JexlSandbox(false, true);
    sandbox.permissions(I.class.getName(), true, true, true, false);
    System.out.println("permission A=" + sandbox.get(A.class.getName()).write());
    System.out.println("permission B=" + sandbox.get(B.class.getName()).write());
}
{code}

The result is:

permission A=org.apache.commons.jexl3.introspection.JexlSandbox$AllowSet@31e04b13
permission B=org.apache.commons.jexl3.introspection.JexlSandbox$AllowSet@31e04b13

but if checking B before A, the result is:

permission B=org.apache.commons.jexl3.introspection.JexlSandbox$2@6c1832aa
permission A=org.apache.commons.jexl3.introspection.JexlSandbox$AllowSet@47ad69f7

--
This message was sent by Atlassian Jira (v8.20.10#820010)
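
The following is an added example, not part of the original report and not JEXL code. It contrasts a direct-interface lookup, like the loop quoted in the report, with a walk over all superclasses and super-interfaces. The class names, the `allowed` set and both helper methods are hypothetical; the constructed hierarchy mirrors Map, SequencedMap and LinkedHashMap on JDK 21.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashSet;
import java.util.Set;

public class InterfaceLookupDemo {
    // Constructed hierarchy: Base plays Map, Sequenced plays SequencedMap,
    // Impl plays LinkedHashMap as declared on JDK 21.
    interface Base {}
    interface Sequenced extends Base {}
    static class Impl implements Sequenced {}
    static class Sub extends Impl {}

    // Direct interfaces only, like the loop quoted in the report.
    static boolean directOnly(Class<?> clazz, Set<String> allowed) {
        for (Class<?> inter : clazz.getInterfaces()) {
            if (allowed.contains(inter.getName())) {
                return true;
            }
        }
        return false;
    }

    // Walks superclasses and every super-interface. It keeps no state between
    // calls, so the answer cannot depend on which class is asked about first.
    static boolean transitive(Class<?> clazz, Set<String> allowed) {
        Deque<Class<?>> todo = new ArrayDeque<>();
        Set<Class<?>> seen = new HashSet<>();
        todo.push(clazz);
        while (!todo.isEmpty()) {
            Class<?> c = todo.pop();
            if (!seen.add(c)) continue;              // already visited
            if (allowed.contains(c.getName())) return true;
            if (c.getSuperclass() != null) todo.push(c.getSuperclass());
            for (Class<?> inter : c.getInterfaces()) todo.push(inter);
        }
        return false;
    }

    public static void main(String[] args) {
        // Hypothetical allow list holding only the top-level interface.
        Set<String> allowed = Set.of(Base.class.getName());
        System.out.println("direct Impl       = " + directOnly(Impl.class, allowed));
        System.out.println("transitive Sub    = " + transitive(Sub.class, allowed));
        System.out.println("transitive Impl   = " + transitive(Impl.class, allowed));
        System.out.println("transitive String = " + transitive(String.class, allowed));
    }
}
```

In a sandbox that denies by default, a transitive walk also widens what each inheritable allow entry covers, so every type reachable through an allowed interface needs review before adopting it.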