protection domain for the legacy JavaScript compiler (for gh-12)

TIBCOSoftware · Dec 15, 2017 · f91cdb1 · f91cdb1
1 parent 70ac424
commit f91cdb1
Showing 1 changed file with 30 additions and 1 deletion.
diff --git a/jasperreports/src/net/sf/jasperreports/compilers/JavaScriptEvaluatorScope.java b/jasperreports/src/net/sf/jasperreports/compilers/JavaScriptEvaluatorScope.java
@@ -23,6 +23,7 @@
  */
 package net.sf.jasperreports.compilers;
 
+import java.security.ProtectionDomain;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.Map;
@@ -34,6 +35,8 @@
 import net.sf.jasperreports.engine.fill.JRFillField;
 import net.sf.jasperreports.engine.fill.JRFillParameter;
 import net.sf.jasperreports.engine.fill.JRFillVariable;
+import net.sf.jasperreports.engine.util.JRClassLoader;
+import net.sf.jasperreports.engine.util.ProtectionDomainFactory;
 import net.sf.jasperreports.functions.FunctionsUtil;
 
 import org.apache.commons.logging.Log;
@@ -43,6 +46,8 @@
 import org.mozilla.javascript.EvaluatorException;
 import org.mozilla.javascript.Script;
 import org.mozilla.javascript.ScriptableObject;
+import org.mozilla.javascript.optimizer.Codegen;
+import org.mozilla.javascript.tools.shell.JavaPolicySecurity;
 
 /**
  * @author Lucian Chirita ([email protected])
@@ -145,6 +150,7 @@ public Object getEstimatedValue()
 
 	private Context context;
 	private ScriptableObject scope;
+	private volatile ProtectionDomain protectionDomain;
 	private Map<String, Script> compiledExpressions = new HashMap<String, Script>();
 
 	public JavaScriptEvaluatorScope(JasperReportsContext jrContext, JREvaluator evaluator, FunctionsUtil functionsUtil)
@@ -160,6 +166,9 @@ public JavaScriptEvaluatorScope(JasperReportsContext jrContext, JREvaluator eval
 
 		context.getWrapFactory().setJavaPrimitiveWrap(false);
 
+		//using a protection domain in getCompiledExpression
+		context.setSecurityController(new JavaPolicySecurity());
+
 		JavaScriptFunctionsObject functionsObject = new JavaScriptFunctionsObject(context, functionsUtil, evaluator);
 		this.scope = context.initStandardObjects();
 		// is this OK?  the original prototype set by initStandardObjects is lost, and functionsObject has no prototype.
@@ -251,6 +260,7 @@ public void setScopeVariable(String name, Object value)
 		scope.put(name, scope, value);
 	}
 
+	//TODO move expression compilation to a separate class
 	protected Script getCompiledExpression(String expression)
 	{
 		Script compiledExpression = compiledExpressions.get(expression);
@@ -263,12 +273,31 @@ protected Script getCompiledExpression(String expression)
 
 			ensureContext();
 
-			compiledExpression = context.compileString(expression, "expression", 0, null);
+			compiledExpression = context.compileString(expression, "expression", 0, getProtectionDomain());
 			compiledExpressions.put(expression, compiledExpression);
 		}
 		return compiledExpression;
 	}
 
+	protected ProtectionDomain getProtectionDomain()
+	{
+		ProtectionDomain domain = protectionDomain;
+		if (domain == null)
+		{
+			synchronized (this)
+			{
+				domain = protectionDomain;
+				if (domain == null)
+				{
+					ProtectionDomainFactory protectionDomainFactory = JRClassLoader.getProtectionDomainFactory();
+					domain = protectionDomain = protectionDomainFactory.getProtectionDomain(
+							Codegen.class.getClassLoader());
+				}
+			}
+		}
+		return domain;
+	}
+
 	// enter a precreated context, or a new one if null is passed
 	protected static Context enter(Context context)
 	{