Closed
Bug 392825
Opened 17 years ago
Closed 17 years ago
ClassShutter doesn't prevent access through Java reflection APIs
Categories
(Rhino Graveyard :: Core, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: norrisboyd, Assigned: norrisboyd)
Details
In my application users can write their own scripts for calculation purposes. In order to prepare them a set of basic functionality (read out of db or something like that) I wrote some java classes. At java side, I put an object of these classes to the scope in each case.

My problem is, that the user has the possibility to create new objects of any class he likes. To avoid that the user imports java packages inside a script I did the following:

    ScriptableObject.deleteProperty(scope, "Packages");
    ScriptableObject.deleteProperty(scope, "java");
    ScriptableObject.deleteProperty(scope, "JavaImporter");

Additionally, I defined a ClassShutter object, implementing its only method like

    public boolean visibleToScripts(String fullClassName) {
        return false;
    }

and setting this via

    Context cx = Context.enter();
    cx.setClassShutter(new MyClassShutter());

But there is still one problem remaining. Everything works fine except when the user uses statements in his script like

    myObj.getClass().getClassLoader().loadClass("path.to.some.package.MyClass").newInstance();

where myObj is an object I put in the scope. In that case - unlike statements like "new Packages.some.package.MyClass()" - MyClassShutter is never asked and so, there is a big security leakage!

Does anyone know how I could avoid that? I simply want the user not to be allowed to load or use any other object unless the ones I put in the scope for him.

Regards,
Matthias
Comment 1 • 17 years ago (Assignee)
Fixed:

Checking in src/org/mozilla/javascript/JavaMembers.java;
/cvsroot/mozilla/js/rhino/src/org/mozilla/javascript/JavaMembers.java,v  <--  JavaMembers.java
new revision: 1.62.2.1.2.1; previous revision: 1.62.2.1
done
Checking in src/org/mozilla/javascript/resources/Messages.properties;
/cvsroot/mozilla/js/rhino/src/org/mozilla/javascript/resources/Messages.properties,v  <--  Messages.properties
new revision: 1.70.2.1.2.1; previous revision: 1.70.2.1
done

Test case demonstrating correct behavior with fix:

[rhino] cat testShutter.js
var prohibited = arguments[0]; // script argument
var shutter = new Packages.org.mozilla.javascript.ClassShutter({
  visibleToScripts: function(name) {
    var result = name != prohibited;
    print("visibleToScripts("+name+") = "+result);
    return result;
  }});
shutter.visibleToScripts("myTest");
var cx = Packages.org.mozilla.javascript.Context.getCurrentContext();
cx.setClassShutter(shutter);
var s = new java.lang.String('hi');
var obj = s.getClass().getClass().forName("java.lang.SecurityManager").newInstance();

[rhino] java -jar build/rhino1_6R7/js.jar testShutter.js
visibleToScripts(myTest) = true
visibleToScripts(java.lang.String) = true
visibleToScripts(java.lang.Class) = true
visibleToScripts(java.lang.SecurityManager) = true

[rhino] java -jar build/rhino1_6R7/js.jar testShutter.js java.lang.SecurityManager
visibleToScripts(myTest) = true
visibleToScripts(java.lang.String) = true
visibleToScripts(java.lang.Class) = true
visibleToScripts(java.lang.SecurityManager) = false
js: Access to Java class "java.lang.SecurityManager" is prohibited.
js: org.mozilla.javascript.EvaluatorException: Access to Java class "java.lang.SecurityManager" is prohibited.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
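
A deny-by-default shutter embedded the way the report describes, usable as a regression check that the reflective path is now refused. This is an added example, not code from the bug or from the Rhino project: `ShutterDemo`, `CalcApi`, `AllowlistShutter` and `run` are hypothetical names, and it assumes a Rhino build that contains this fix and Java 9+ for `Set.of`.

```java
import java.util.Set;
import org.mozilla.javascript.ClassShutter;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.EvaluatorException;
import org.mozilla.javascript.Scriptable;
import org.mozilla.javascript.ScriptableObject;

// Added example, not Rhino project code. CalcApi is a hypothetical stand-in
// for the host object the reporter places in the scope for user scripts.
public class ShutterDemo {
    public static class CalcApi {
        public double rate() { return 0.19; }
    }

    // Deny by default: only classes the host deliberately exposes are visible.
    static final class AllowlistShutter implements ClassShutter {
        private final Set<String> allowed;
        AllowlistShutter(Set<String> allowed) { this.allowed = allowed; }
        @Override
        public boolean visibleToScripts(String fullClassName) {
            return allowed.contains(fullClassName);
        }
    }

    // Returns the script result, or Rhino's error message if access was refused.
    static String run(String script) {
        Context cx = Context.enter();
        try {
            cx.setClassShutter(new AllowlistShutter(Set.of(CalcApi.class.getName())));
            Scriptable scope = cx.initStandardObjects();
            // Same scope cleanup as in the report; the shutter is the actual control.
            for (String name : new String[] {"Packages", "java", "JavaImporter"}) {
                ScriptableObject.deleteProperty(scope, name);
            }
            ScriptableObject.putProperty(scope, "calc", Context.javaToJS(new CalcApi(), scope));
            return Context.toString(cx.evaluateString(scope, script, "user.js", 1, null));
        } catch (EvaluatorException e) {
            return "blocked: " + e.getMessage();
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) {
        System.out.println(run("calc.rate() * 100"));
        // First steps of the chain from the report; java.lang.Class is not allowlisted.
        System.out.println(run("calc.getClass().getClassLoader()"));
    }
}
```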