/**
 * Installs a deny-all {@link ClassShutter} on the given context, so scripts
 * evaluated in it are not shown any Java class.
 *
 * @param cx the Rhino context to lock down
 */
private static void setJavaClassesVisibleInvisibleSandbox(Context cx) {
    // NOTE(review): Rhino rejects a second setClassShutter call on the same
    // Context with a SecurityException, so this has to be the first shutter
    // installed on cx -- confirm against the callers.
    final ClassShutter denyAll = new ClassShutter() {
        public boolean visibleToScripts(String className) {
            // Unconditional refusal: no Java classes allowed inside scripts.
            return false;
        }
    };
    cx.setClassShutter(denyAll);
}
/**
 * Returns the shared shutter instance, creating it together with the table of
 * protected class names on first use. The method is synchronized, so the lazy
 * initialisation is not raced by concurrent callers of this method.
 *
 * @return the single {@code RhinoClassShutter} instance
 */
static synchronized ClassShutter getInstance() {
    if (theInstance != null) {
        return theInstance;
    }
    theInstance = new RhinoClassShutter();
    protectedClasses = new HashMap<String, Boolean>();
    // For now only AccessController is listed. Letting scripts reach this
    // class would let them execute doPrivileged in bootstrap context. More
    // classes can be added here for other reasons.
    // NOTE(review): how protectedClasses is consulted is not visible in this
    // block -- presumably visibleToScripts denies every key; confirm.
    protectedClasses.put("java.security.AccessController", Boolean.TRUE);
    return theInstance;
}
/**
 * Lazily creates and returns the one shared shutter. The protected-class table
 * is built in the same synchronized call that creates the instance.
 *
 * @return the single {@code RhinoClassShutter} instance
 */
static synchronized ClassShutter getInstance() {
    final boolean alreadyBuilt = theInstance != null;
    if (!alreadyBuilt) {
        theInstance = new RhinoClassShutter();
        protectedClasses = new HashMap<String, Boolean>();
        // The table holds just AccessController at present: a script with
        // access to it could execute doPrivileged in bootstrap context.
        // Other classes may be added later for other reasons.
        protectedClasses.put("java.security.AccessController", Boolean.TRUE);
    }
    return theInstance;
}
/**
 * Restricts which Java classes scripts run in {@code context} may see: only
 * class names beginning with {@code "adapter"} or {@code "org.jpmml"} are
 * reported visible, everything else is hidden.
 *
 * @param context the Rhino context to restrict
 */
private void secureContext(Context context) {
    final ClassShutter allowList = new ClassShutter() {
        public boolean visibleToScripts(String className) {
            // NOTE(review): these are plain string-prefix tests with no package
            // boundary, so any class whose name merely starts with these
            // characters (a package called "adapterx", or "org.jpmmlfoo") is
            // visible too. If only the packages themselves are meant, compare
            // against "adapter." and "org.jpmml." -- confirm the package
            // names in use before tightening.
            return className.startsWith("adapter") || className.startsWith("org.jpmml");
        }
    };
    context.setClassShutter(allowList);
}
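/**
 * This executes the command. In ChannelCommands, this will set up a Context for Rhino to use to execute the
 * command's JavaScript, which will be obtained from {@link #getJavaScript()}. Two global variables will be passed
 * to the script: <code>event</code> and <code>args</code>, the same that are used in this method.
 * <code>event</code> will always be a {@link MessageEvent}. If any exceptions occur while the JavaScript is being
 * processed, they will be caught and pasted.
 * <p>
 * The Rhino context entered here is always exited again, including when the class shutter or the standard
 * objects cannot be set up.
 *
 * @param event    Event of receiving command
 * @param callInfo Information received at the calling of this command
 * @param args     Arguments passed to the command
 */
@Override
public final void onCommand(GenericMessageEvent event, CallInfo callInfo, String[] args) {
    if (!(event instanceof MessageEvent)) return; // these commands should only be channel messages
    final MessageEvent me = (MessageEvent) event;
    final Context c = ContextFactory.getGlobal().enterContext();
    // Everything after enterContext() sits inside try/finally: a failure while installing the shutter or
    // building the scope used to skip Context.exit() and leave the context entered on this thread.
    try {
        c.setClassShutter(new ClassShutter() {
            @Override
            public boolean visibleToScripts(String className) {
                // NOTE(review): this is a deny-list. Only the bot's own classes are hidden and the final
                // return makes every other class, JDK classes included, visible to the command script.
                // An allow-list of the classes scripts actually need would be the tighter default.
                if (className.equals("org.royaldev.royalbot.BotUtils")) return true; // allow BotUtils
                else if (className.equals("org.pircbotx.PircBotX")) return false; // no bot access
                else if (className.startsWith("org.royaldev.royalbot")) return false; // no package access
                return true;
            }
        });
        final Scriptable s = c.initStandardObjects();
        ScriptableObject.putProperty(s, "event", Context.javaToJS(me, s)); // provide message event for ease
        ScriptableObject.putProperty(s, "args", Context.javaToJS(args, s)); // supply arguments
        try {
            c.evaluateString(s, getJavaScript(), getName(), 1, null);
        } catch (Throwable t) {
            // Throwable (not Exception) so that an OutOfMemoryError raised by a script is seen here and the
            // offending command can be unregistered.
            if (t instanceof OutOfMemoryError) {
                rb.getLogger().warning("Channel command (\"" + getName() + "\") produced OutOfMemoryError! Removing.");
                rb.getCommandHandler().unregister(getName());
            }
            final String url = BotUtils.linkToStackTrace(t);
            notice(event, "Exception!" + ((url != null) ? " (" + url + ")" : ""));
        }
    } finally {
        Context.exit();
    }
}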
/**
 * Builds the top-level scope for a script: copies every non-null entry of
 * {@code scriptObjects} into it, removes the globals that bridge to Java, and
 * tries to install a {@link ClassShutter} that hides {@code java.lang.Class}.
 *
 * @param jsContext the Rhino context the scope is created for
 * @return the prepared scope
 */
@SuppressWarnings("nls")
public Scriptable getScope(Context jsContext) {
    Scriptable scope = new ImporterTopLevel(jsContext);

    for (String name : scriptObjects.keySet()) {
        Object obj = scriptObjects.get(name);
        if (obj == null) {
            continue;
        }
        // Booleans are stored as they are; everything else is converted first.
        Object value = (obj instanceof Boolean) ? obj : Context.toObject(obj, scope);
        scope.put(name, scope, value);
    }

    // Remove the ability to create new Java objects in the script. List
    // comes from https://bugzilla.mozilla.org/show_bug.cgi?id=468385
    final String[] javaBridgeGlobals = {
        "Packages", "JavaImporter", "JavaAdapter", "getClass",
        "java", "javax", "com", "net", "edu", "org"
    };
    for (String global : javaBridgeGlobals) {
        scope.delete(global);
    }

    try {
        // Prevent existingObject.getClass().forName('...')
        // NOTE(review): only java.lang.Class is hidden; every other class name
        // is reported visible, so the deletions above are what keeps scripts
        // from naming Java packages directly.
        jsContext.setClassShutter(new ClassShutter() {
            @Override
            public boolean visibleToScripts(String className) {
                return !className.equals("java.lang.Class");
            }
        });
    } catch (SecurityException se) {
        // ignore - there's no way to test presence of ClassShutter
        // (indicative of a Context provided by calling module: ReportEngine
        // for example) other than by attempting to set ClassShutter.
        // See #8135
        // NOTE(review): in that case the existing shutter's policy applies and
        // java.lang.Class may still be visible -- confirm the calling module's
        // shutter is at least as strict.
    }
    return scope;
}
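/**
 * Creates the script context with two restrictions installed: a wrap factory
 * whose wrappers hide {@code getClass} from scripts, and a class shutter that
 * shows scripts only {@code String} and classes assignable to
 * {@code ScriptBinding}.
 *
 * @return the restricted context
 */
@Override
protected TimeLimitContext makeContext() {
    TimeLimitContext context = new TimeLimitContext();
    context.setWrapFactory(new WrapFactory() {
        @Override
        public Scriptable wrapAsJavaObject(Context cx, Scriptable scope, Object javaObject,
                java.lang.Class<?> staticType) {
            // NOTE(review): getClass() here is this WrapFactory's own class, so the
            // staticType parameter is never used -- confirm that is intended.
            return new NativeJavaObject(scope, javaObject, getClass()) {
                private static final long serialVersionUID = 1L;

                @Override
                public Object get(String name, Scriptable start) {
                    // Report getClass as absent so a script cannot obtain a
                    // java.lang.Class from a wrapped object through this lookup.
                    if (name.equals("getClass")) return NOT_FOUND;
                    return super.get(name, start);
                }
            };
        }
    });
    context.setClassShutter(new ClassShutter() {
        @Override
        public boolean visibleToScripts(String fullClassName) {
            Class<?> clz;
            try {
                // Resolve without initialising. The one-argument Class.forName runs
                // the static initialisers of whatever class is asked about, before
                // the visibility decision is made, and the name can originate from
                // script text. The loader is the one the one-argument form would
                // have used (this class's defining loader).
                clz = Class.forName(fullClassName, false, getClass().getClassLoader());
            } catch (ClassNotFoundException e) {
                // NOTE(review): a script that names unknown classes repeatedly will
                // fill stderr with stack traces; consider a rate-limited log entry.
                e.printStackTrace();
                return false;
            }
            // Allow-list: script bindings and String only; everything else is hidden.
            if (ScriptBinding.class.isAssignableFrom(clz)) return true;
            if (clz.equals(String.class)) return true;
            return false;
        }
    });
    return context;
}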