From 7b6c4b44e4561bfa384d6625dd2aa5fee9509ee7 Mon Sep 17 00:00:00 2001
From: Lucian Chirita
Date: Wed, 13 Dec 2017 09:45:42 +0200
Subject: [PATCH] use protection domain for JavaScript compiled reports (for gh-12) JRClassLoader has a ProtectionDomain factory which can be used to control the permissions of Java and Groovy compiled reports. The same factory is now used by JavaScriptClassCompiler, which is the default JavaScript report compiler.
---
 .../compilers/JavaScriptClassLoader.java | 28 ++++++++++++++++++-
 .../engine/util/JRClassLoader.java | 2 +-
 2 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/jasperreports/src/net/sf/jasperreports/compilers/JavaScriptClassLoader.java b/jasperreports/src/net/sf/jasperreports/compilers/JavaScriptClassLoader.java
index 808a4a71da..c5735c5aa0 100644
--- a/jasperreports/src/net/sf/jasperreports/compilers/JavaScriptClassLoader.java
+++ b/jasperreports/src/net/sf/jasperreports/compilers/JavaScriptClassLoader.java
@@ -25,6 +25,10 @@
 import net.sf.jasperreports.compilers.JavaScriptCompiledData.CompiledClass;
 import net.sf.jasperreports.engine.JRRuntimeException;
+import net.sf.jasperreports.engine.util.JRClassLoader;
+import net.sf.jasperreports.engine.util.ProtectionDomainFactory;
+
+import java.security.ProtectionDomain;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -46,6 +50,8 @@ public class JavaScriptClassLoader extends DefiningClassLoader
 public static final String EXCEPTION_MESSAGE_KEY_INSTANCE_ERROR = "compilers.javascript.instance.error";
 public static final String EXCEPTION_MESSAGE_KEY_LOAD_ERROR = "compilers.javascript.load.error";
+ private volatile ProtectionDomain protectionDomain;
+
 public JavaScriptClassLoader()
 {
 super(Codegen.class.getClassLoader());
@@ -93,7 +99,9 @@ protected synchronized Class loadExpressionClass(CompiledClass
 try
 {
- scriptClass = defineClass(className, compiledClass.getClassBytes());
+ ProtectionDomain domain = getProtectionDomain();
+ byte[] classBytes = compiledClass.getClassBytes();
+ scriptClass = defineClass(className, classBytes, 0, classBytes.length, domain);
 linkClass(scriptClass);
 }
 catch (SecurityException e)
@@ -116,6 +124,24 @@ protected synchronized Class loadExpressionClass(CompiledClass
 return (Class) scriptClass;
 }
+
+ protected ProtectionDomain getProtectionDomain()
+ {
+ ProtectionDomain domain = protectionDomain;
+ if (domain == null)
+ {
+ synchronized (this)
+ {
+ domain = protectionDomain;
+ if (domain == null)
+ {
+ ProtectionDomainFactory protectionDomainFactory = JRClassLoader.getProtectionDomainFactory();
+ domain = protectionDomain = protectionDomainFactory.getProtectionDomain(this);
+ }
+ }
+ }
+ return domain;
+ }
 @Override
 public String toString()
diff --git a/jasperreports/src/net/sf/jasperreports/engine/util/JRClassLoader.java b/jasperreports/src/net/sf/jasperreports/engine/util/JRClassLoader.java
index 48303a7e44..b634f8ce37 100644
--- a/jasperreports/src/net/sf/jasperreports/engine/util/JRClassLoader.java
+++ b/jasperreports/src/net/sf/jasperreports/engine/util/JRClassLoader.java
@@ -38,7 +38,7 @@ public class JRClassLoader extends ClassLoader
 private static ProtectionDomainFactory protectionDomainFactory;
- protected static synchronized ProtectionDomainFactory getProtectionDomainFactory()
+ public static synchronized ProtectionDomainFactory getProtectionDomainFactory()
 {
 if (protectionDomainFactory == null)
 {
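Review bot: The `domain` handed to `defineClass` in `loadExpressionClass` is never checked for null, and `ClassLoader.defineClass` assigns the JVM's default protection domain when it receives null. If a configured `ProtectionDomainFactory` can return null, compiled JavaScript expression classes would load without the domain this commit intends to apply, and nothing in the visible lines would report it. At minimum add a comment above the call such as `// a null domain makes defineClass fall back to the JVM default domain`; if null is not a legitimate factory result, a check that fails the load belongs here instead. The method begins and ends outside the hunk, so the surrounding catch blocks were not reviewed.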
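Review bot: `getProtectionDomain()` has no Javadoc, and its caching rule is what a maintainer most needs to know: the domain is obtained from `JRClassLoader.getProtectionDomainFactory()` on first use and kept in the volatile `protectionDomain` field for the lifetime of this loader. A factory installed after the first expression class is defined would therefore not affect this loader, assuming the factory can be replaced at runtime (no setter is visible here). The Javadoc should state that, and also that a subclass overriding this protected method decides the permissions of every class the loader defines. On style, the only caller in this patch is `loadExpressionClass`, which is already `synchronized` on the same monitor, so the inner `synchronized (this)` only matters for other callers; a one-line comment should say so, or the method could read the field under the caller's lock.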
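Review bot: Widening `getProtectionDomainFactory()` from protected to public makes the lazily created factory part of JRClassLoader's public API, yet the visible lines give it no Javadoc. Document why it is public, for example `/** Returns the factory that supplies the protection domain for compiled report classes; also used by compilers outside this package. */`. If callers only need the domain, a narrower public accessor that returns the `ProtectionDomain` for a given loader would expose less than the factory itself; that is a design suggestion, not a defect. The method body continues past the end of the hunk.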