ClassShutter doesn't prevent access through Java reflection APIs

RESOLVED FIXED

Status

Rhino
Core
RESOLVED FIXED
10 years ago
10 years ago

People

(Reporter: Norris Boyd, Assigned: Norris Boyd)

Tracking

1.6R6
x86
Windows XP

Details

(Assignee)

Description

10 years ago
In my application users can write their own scripts for calculation
purposes. In order to prepare them a set of basic functionality (read
out of db or something like that) I wrote some Java classes. On the Java
side, I put an object of these classes to the scope in each case. My
problem is that the user has the possibility to create new objects of
any class he likes.

To avoid that the user imports Java packages inside a script I did the
following:

ScriptableObject.deleteProperty(scope, "Packages");
ScriptableObject.deleteProperty(scope, "java");
ScriptableObject.deleteProperty(scope, "JavaImporter");

Additionally, I defined a ClassShutter object, implementing its only
method like

public boolean visibleToScripts(String fullClassName) {
        return false;
}

and setting this via

Context cx = Context.enter();
cx.setClassShutter(new MyClassShutter());

But there is still one problem remaining.

Everything works fine except when the user uses statements in his
script like

myObj.getClass().getClassLoader().loadClass("path.to.some.package.MyClass").newInstance();

where myObj is an object I put in the scope.
In that case - unlike statements like "new
Packages.some.package.MyClass()" - MyClassShutter is never asked and
so, there is a big security leakage!

Does anyone know how I could avoid that? I simply want the user not to
be allowed to load or use any other objects except the ones I put in the
scope for him.

Regards,
Matthias
(Assignee)

Comment 1

10 years ago
Fixed:

Checking in src/org/mozilla/javascript/JavaMembers.java;
/cvsroot/mozilla/js/rhino/src/org/mozilla/javascript/JavaMembers.java,v  <--  JavaMembers.java
new revision: 1.62.2.1.2.1; previous revision: 1.62.2.1
done
Checking in src/org/mozilla/javascript/resources/Messages.properties;
/cvsroot/mozilla/js/rhino/src/org/mozilla/javascript/resources/Messages.properties,v  <--  Messages.properties
new revision: 1.70.2.1.2.1; previous revision: 1.70.2.1
done

Test case demonstrating correct behavior with fix:

[rhino] cat testShutter.js
var prohibited = arguments[0]; // script argument
var shutter = new Packages.org.mozilla.javascript.ClassShutter({
  visibleToScripts: function(name) {
    var result = name != prohibited;
    print("visibleToScripts("+name+") = "+result);
    return result;
}});
shutter.visibleToScripts("myTest");
var cx = Packages.org.mozilla.javascript.Context.getCurrentContext();
cx.setClassShutter(shutter);

var s = new java.lang.String('hi');
var obj = s.getClass().getClass().forName("java.lang.SecurityManager").newInstance();
[rhino] java -jar build/rhino1_6R7/js.jar testShutter.js
visibleToScripts(myTest) = true
visibleToScripts(java.lang.String) = true
visibleToScripts(java.lang.Class) = true
visibleToScripts(java.lang.SecurityManager) = true
[rhino] java -jar build/rhino1_6R7/js.jar testShutter.js java.lang.SecurityManager
visibleToScripts(myTest) = true
visibleToScripts(java.lang.String) = true
visibleToScripts(java.lang.Class) = true
visibleToScripts(java.lang.SecurityManager) = false
js: Access to Java class "java.lang.SecurityManager" is prohibited.
js: org.mozilla.javascript.EvaluatorException: Access to Java class "java.lang.SecurityManager" is prohibited.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
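
Added example (not part of the bug report and not Rhino's own code): a deny-by-default ClassShutter embedded from Java, exercised against the intended call, the reflective path from the description, and the direct Packages path. The names ShutterDemo, Calc and AllowlistShutter are hypothetical, and it assumes a Rhino build that includes this fix on the classpath.

```java
import java.util.Set;
import org.mozilla.javascript.ClassShutter;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.RhinoException;
import org.mozilla.javascript.Scriptable;
import org.mozilla.javascript.ScriptableObject;

public class ShutterDemo {
    // Hypothetical host object exposed to user scripts.
    public static class Calc {
        public double add(double a, double b) { return a + b; }
    }

    // Deny by default: only exact class names on the allowlist are visible.
    static class AllowlistShutter implements ClassShutter {
        private final Set<String> allowed;
        AllowlistShutter(Set<String> allowed) { this.allowed = allowed; }
        public boolean visibleToScripts(String fullClassName) {
            return allowed.contains(fullClassName);
        }
    }

    // Evaluate one script and report whether Rhino rejected it.
    static String run(Context cx, Scriptable scope, String src) {
        try {
            return "ok: " + Context.toString(cx.evaluateString(scope, src, "user.js", 1, null));
        } catch (RhinoException e) {
            return "blocked: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        Context cx = Context.enter();
        try {
            cx.setClassShutter(new AllowlistShutter(Set.of(Calc.class.getName())));
            Scriptable scope = cx.initStandardObjects();
            ScriptableObject.putProperty(scope, "calc", Context.javaToJS(new Calc(), scope));
            // Intended use of the exposed object.
            System.out.println(run(cx, scope, "calc.add(2, 3)"));
            // Reflective path from the report: java.lang.Class is not on the allowlist.
            System.out.println(run(cx, scope, "calc.getClass().getClassLoader()"));
            // Direct path, which the shutter already covered before the fix.
            System.out.println(run(cx, scope, "new Packages.java.io.File('x')"));
        } finally {
            Context.exit();
        }
    }
}
```

Keeping a check like this in the embedding application's test suite shows whether a Rhino upgrade or downgrade changes which paths consult the shutter.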