Closed Bug 392825 Opened 17 years ago Closed 17 years ago

ClassShutter doesn't prevent access through Java reflection APIs

Categories

(Rhino Graveyard :: Core, defect)

1.6R6
x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: norrisboyd, Assigned: norrisboyd)

Details

In my application users can write their own scripts for calculation
purposes. In order to prepare them a set of basic functionality (read
out of db or something like that) I wrote some java classes. At java
side, I put an object of these classes to the scope in each case. My
problem is, that the user has the possibility to create new objects of
any class he likes.

To avoid that the user imports java packages inside a script I did the
following:

ScriptableObject.deleteProperty(scope, "Packages");
ScriptableObject.deleteProperty(scope, "java");
ScriptableObject.deleteProperty(scope, "JavaImporter");

Additionally, I defined a ClassShutter object, implementing its only
method like

public boolean visibleToScripts(String fullClassName) {
        return false;
}

and setting this via

Context cx = Context.enter();
cx.setClassShutter(new MyClassShutter());

But there is still one problem remaining.

Everything works fine except when the user uses statements in his
script like

myObj.getClass().getClassLoader().loadClass("path.to.some.package.MyClass").newInstance();

where myObj is an object I put in the scope.
In that case - unlike statements like "new
Packages.some.package.MyClass()" - MyClassShutter is never asked and
so, there is a big security leakage!

Does anyone know how I could avoid that? I simply want the user not to
be allowed to load or use any other object unless the ones I put in the
scope for him.

Regards,
Matthias

Fixed:

Checking in src/org/mozilla/javascript/JavaMembers.java;
/cvsroot/mozilla/js/rhino/src/org/mozilla/javascript/JavaMembers.java,v  <--  JavaMembers.java
new revision: 1.62.2.1.2.1; previous revision: 1.62.2.1
done
Checking in src/org/mozilla/javascript/resources/Messages.properties;
/cvsroot/mozilla/js/rhino/src/org/mozilla/javascript/resources/Messages.properties,v  <--  Messages.properties
new revision: 1.70.2.1.2.1; previous revision: 1.70.2.1
done

Test case demonstrating correct behavior with fix:

[rhino] cat testShutter.js
var prohibited = arguments[0]; // script argument
var shutter = new Packages.org.mozilla.javascript.ClassShutter({
  visibleToScripts: function(name) {
    var result = name != prohibited;
    print("visibleToScripts("+name+") = "+result);
    return result;
}});
shutter.visibleToScripts("myTest");
var cx = Packages.org.mozilla.javascript.Context.getCurrentContext();
cx.setClassShutter(shutter);

var s = new java.lang.String('hi');
var obj = s.getClass().getClass().forName("java.lang.SecurityManager").newInstance();
[rhino] java -jar build/rhino1_6R7/js.jar testShutter.js
visibleToScripts(myTest) = true
visibleToScripts(java.lang.String) = true
visibleToScripts(java.lang.Class) = true
visibleToScripts(java.lang.SecurityManager) = true
[rhino] java -jar build/rhino1_6R7/js.jar testShutter.js java.lang.SecurityManager
visibleToScripts(myTest) = true
visibleToScripts(java.lang.String) = true
visibleToScripts(java.lang.Class) = true
visibleToScripts(java.lang.SecurityManager) = false
js: Access to Java class "java.lang.SecurityManager" is prohibited.
js: org.mozilla.javascript.EvaluatorException: Access to Java class "java.lang.SecurityManager" is prohibited.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
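
An embedding-side regression check for the behaviour fixed in this bug, as an added example (not code from the report or from Rhino): it installs an allowlist ClassShutter, confirms an exposed method still works, and expects the reflection path from the report to be refused. The names ShutterCheck, Calc and AllowlistShutter are hypothetical, and it assumes a Rhino build containing this fix on the classpath and Java 9 or later for Set.of.

```java
import java.util.Set;
import org.mozilla.javascript.ClassShutter;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.RhinoException;
import org.mozilla.javascript.Scriptable;
import org.mozilla.javascript.ScriptableObject;

public class ShutterCheck {
    // Hypothetical host class exposed to user scripts.
    public static class Calc {
        public double twice(double x) { return 2 * x; }
    }

    // Allowlist shutter: only classes the embedder deliberately exposes are visible.
    // The test output on this page shows the shutter consulted for each wrapped
    // class, so the host class itself has to be on the list.
    static final class AllowlistShutter implements ClassShutter {
        private final Set<String> allowed;
        AllowlistShutter(Set<String> allowed) { this.allowed = allowed; }
        public boolean visibleToScripts(String fullClassName) {
            return allowed.contains(fullClassName);
        }
    }

    // True when Rhino stops the script with an error (the fixed build on this
    // page reports an EvaluatorException, a subclass of RhinoException).
    static boolean refused(Context cx, Scriptable scope, String src) {
        try {
            cx.evaluateString(scope, src, "check", 1, null);
            return false;
        } catch (RhinoException e) {
            System.out.println("refused: " + e.getMessage());
            return true;
        }
    }

    public static void main(String[] args) {
        Context cx = Context.enter();
        try {
            cx.setClassShutter(new AllowlistShutter(Set.of(Calc.class.getName())));
            Scriptable scope = cx.initStandardObjects();
            ScriptableObject.putProperty(scope, "myObj", Context.javaToJS(new Calc(), scope));
            System.out.println(cx.evaluateString(scope, "myObj.twice(21)", "ok", 1, null));
            // Reflection path from the report, with the class name from the test case.
            String viaReflection = "myObj.getClass().getClassLoader()"
                + ".loadClass('java.lang.SecurityManager').newInstance()";
            if (!refused(cx, scope, viaReflection)) throw new AssertionError("shutter bypassed");
        } finally {
            Context.exit();
        }
    }
}
```

Run against the embedded Rhino jar in CI; an AssertionError means the bundled build still lets scripts reach classes through reflection.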