Bug 392825 - ClassShutter doesn't prevent access through Java reflection APIs
Status: RESOLVED FIXED
Product: Rhino
Classification: Components
Component: Core
Version: 1.6R6
Platform: x86 Windows XP
Importance: -- normal
Assigned To: Norris Boyd
Reported: 2007-08-19 17:21 PDT by Norris Boyd
Modified: 2007-08-19 17:25 PDT

Description Norris Boyd 2007-08-19 17:21:44 PDT
In my application users can write their own scripts for calculation
purposes. In order to prepare them a set of basic functionality (read
out of db or something like that) I wrote some Java classes. On the Java
side, I put an object of these classes to the scope in each case. My
problem is that the user has the possibility to create new objects of
any class he likes.

To avoid that the user imports java packages inside a script I did the
following:

ScriptableObject.deleteProperty(scope, "Packages");
ScriptableObject.deleteProperty(scope, "java");
ScriptableObject.deleteProperty(scope, "JavaImporter");

Additionally, I defined a ClassShutter object, implementing its only
method like

public boolean visibleToScripts(String fullClassName) {
        return false;
}

and setting this via

Context cx = Context.enter();
cx.setClassShutter(new MyClassShutter());

But there is still one problem remaining.

Everything works fine except when the user uses statements in his
script like

myObj.getClass().getClassLoader().loadClass("path.to.some.package.MyClass").newInstance();

where myObj is an object I put in the scope.
In that case - unlike statements like "new
Packages.some.package.MyClass()" - MyClassShutter is never asked and
so, there is a big security leakage!

Does anyone know how I could avoid that? I simply want the user not to
be allowed to load or use any other object except the ones I put in the
scope for him.

Regards,
Matthias
Comment 1 Norris Boyd 2007-08-19 17:25:59 PDT
Fixed:

Checking in src/org/mozilla/javascript/JavaMembers.java;
/cvsroot/mozilla/js/rhino/src/org/mozilla/javascript/JavaMembers.java,v  <--  JavaMembers.java
new revision: 1.62.2.1.2.1; previous revision: 1.62.2.1
done
Checking in src/org/mozilla/javascript/resources/Messages.properties;
/cvsroot/mozilla/js/rhino/src/org/mozilla/javascript/resources/Messages.properties,v  <--  Messages.properties
new revision: 1.70.2.1.2.1; previous revision: 1.70.2.1
done

Test case demonstrating correct behavior with fix:

[rhino] cat testShutter.js
var prohibited = arguments[0]; // script argument
var shutter = new Packages.org.mozilla.javascript.ClassShutter({
  visibleToScripts: function(name) {
    var result = name != prohibited;
    print("visibleToScripts("+name+") = "+result);
    return result;
}});
shutter.visibleToScripts("myTest");
var cx = Packages.org.mozilla.javascript.Context.getCurrentContext();
cx.setClassShutter(shutter);

var s = new java.lang.String('hi');
var obj = s.getClass().getClass().forName("java.lang.SecurityManager").newInstance();
[rhino] java -jar build/rhino1_6R7/js.jar testShutter.js
visibleToScripts(myTest) = true
visibleToScripts(java.lang.String) = true
visibleToScripts(java.lang.Class) = true
visibleToScripts(java.lang.SecurityManager) = true
[rhino] java -jar build/rhino1_6R7/js.jar testShutter.js java.lang.SecurityManager
visibleToScripts(myTest) = true
visibleToScripts(java.lang.String) = true
visibleToScripts(java.lang.Class) = true
visibleToScripts(java.lang.SecurityManager) = false
js: Access to Java class "java.lang.SecurityManager" is prohibited.
js: org.mozilla.javascript.EvaluatorException: Access to Java class "java.lang.SecurityManager" is prohibited.
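
A host-side setup that combines the report's scope clean-up with an allowlist ClassShutter, so that the reflection path from the description depends on the shutter check this fix adds. This is an added example, not code from the bug report or from Rhino; it assumes a Rhino release containing the fix on the classpath and Java 9 or later, and `ShutterDemo`, `Calc` and `run` are hypothetical names.

```java
import org.mozilla.javascript.ClassShutter;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.EvaluatorException;
import org.mozilla.javascript.Scriptable;
import org.mozilla.javascript.ScriptableObject;

import java.util.Set;

public class ShutterDemo {
    // Hypothetical host class: the only Java type scripts are meant to touch.
    public static class Calc {
        public int add(int a, int b) { return a + b; }
    }

    // Allowlist rather than denylist: any class not named here is invisible,
    // which includes java.lang.Class and java.lang.ClassLoader.
    static final Set<String> ALLOWED = Set.of(Calc.class.getName());

    static String run(String script) {
        Context cx = Context.enter();
        try {
            ClassShutter shutter = ALLOWED::contains;
            cx.setClassShutter(shutter);
            Scriptable scope = cx.initStandardObjects();
            // Same scope clean-up as in the report.
            ScriptableObject.deleteProperty(scope, "Packages");
            ScriptableObject.deleteProperty(scope, "java");
            ScriptableObject.deleteProperty(scope, "JavaImporter");
            ScriptableObject.putProperty(scope, "calc",
                    Context.javaToJS(new Calc(), scope));
            Object result = cx.evaluateString(scope, script, "user-script", 1, null);
            return "ok: " + Context.toString(result);
        } catch (EvaluatorException e) {
            // With the fix, a class the shutter rejects surfaces here.
            return "blocked: " + e.getMessage();
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) {
        // Intended use of the exposed object.
        System.out.println(run("calc.add(2, 3)"));
        // Reflection path from the report: getClass() yields a
        // java.lang.Class, which is not on the allowlist.
        System.out.println(run("calc.getClass().getClassLoader()"));
    }
}
```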
