mobeigi
/
filebot
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

* make sure ehcache calls work in sandboxed expressions

This commit is contained in:
Reinhard Pointner 2011-12-25 09:35:41 +00:00
parent 11facfa8ab
commit cb1aa12201
1 changed files with 20 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
source/net/sourceforge/filebot/format/ExpressionFormat.java
View File

@ -7,6 +7,7 @@ import static net.sourceforge.tuned.FileUtilities.*;
import groovy.lang.GroovyRuntimeException; import groovy.lang.GroovyRuntimeException;
import groovy.lang.MissingPropertyException; import groovy.lang.MissingPropertyException;
import java.io.File;
import java.io.FilePermission; import java.io.FilePermission;
import java.io.InputStreamReader; import java.io.InputStreamReader;
import java.net.SocketPermission; import java.net.SocketPermission;
@ -47,13 +48,13 @@ public class ExpressionFormat extends Format {
private ScriptException lastException; private ScriptException lastException;
public ExpressionFormat(String expression) throws ScriptException { public ExpressionFormat(String expression) throws ScriptException {
this.expression = expression; this.expression = expression;
this.compilation = secure(compile(expression, (Compilable) initScriptEngine())); this.compilation = secure(compile(expression, (Compilable) initScriptEngine()));
} }
protected ScriptEngine initScriptEngine() throws ScriptException { protected ScriptEngine initScriptEngine() throws ScriptException {
// use Groovy script engine // use Groovy script engine
ScriptEngine engine = new GroovyScriptEngineFactory().getScriptEngine(); ScriptEngine engine = new GroovyScriptEngineFactory().getScriptEngine();
@ -61,12 +62,12 @@ public class ExpressionFormat extends Format {
return engine; return engine;
} }
public String getExpression() { public String getExpression() {
return expression; return expression;
} }
protected Object[] compile(String expression, Compilable engine) throws ScriptException { protected Object[] compile(String expression, Compilable engine) throws ScriptException {
List<Object> compilation = new ArrayList<Object>(); List<Object> compilation = new ArrayList<Object>();
@ -140,7 +141,7 @@ public class ExpressionFormat extends Format {
return compilation.toArray(); return compilation.toArray();
} }
public Bindings getBindings(Object value) { public Bindings getBindings(Object value) {
return new ExpressionBindings(value) { return new ExpressionBindings(value) {
@ -151,13 +152,13 @@ public class ExpressionFormat extends Format {
}; };
} }
@Override @Override
public StringBuffer format(Object object, StringBuffer sb, FieldPosition pos) { public StringBuffer format(Object object, StringBuffer sb, FieldPosition pos) {
return format(getBindings(object), sb); return format(getBindings(object), sb);
} }
public StringBuffer format(Bindings bindings, StringBuffer sb) { public StringBuffer format(Bindings bindings, StringBuffer sb) {
// use privileged bindings so we are not restricted by the script sandbox // use privileged bindings so we are not restricted by the script sandbox
Bindings priviledgedBindings = PrivilegedInvocation.newProxy(Bindings.class, bindings, AccessController.getContext()); Bindings priviledgedBindings = PrivilegedInvocation.newProxy(Bindings.class, bindings, AccessController.getContext());
@ -188,7 +189,7 @@ public class ExpressionFormat extends Format {
return sb; return sb;
} }
protected Object normalizeBindingValue(Object value) { protected Object normalizeBindingValue(Object value) {
// if the binding value is a String, remove illegal characters // if the binding value is a String, remove illegal characters
if (value instanceof CharSequence) { if (value instanceof CharSequence) {
@ -199,12 +200,12 @@ public class ExpressionFormat extends Format {
return value; return value;
} }
protected Object normalizeExpressionValue(Object value) { protected Object normalizeExpressionValue(Object value) {
return value; return value;
} }
protected void handleException(ScriptException exception) { protected void handleException(ScriptException exception) {
if (findCause(exception, MissingPropertyException.class) != null) { if (findCause(exception, MissingPropertyException.class) != null) {
lastException = new ExpressionException(new BindingException(findCause(exception, MissingPropertyException.class).getProperty(), "undefined", exception)); lastException = new ExpressionException(new BindingException(findCause(exception, MissingPropertyException.class).getProperty(), "undefined", exception));
@ -215,12 +216,12 @@ public class ExpressionFormat extends Format {
} }
} }
public ScriptException caughtScriptException() { public ScriptException caughtScriptException() {
return lastException; return lastException;
} }
private Object[] secure(Object[] compilation) { private Object[] secure(Object[] compilation) {
// create sandbox AccessControlContext // create sandbox AccessControlContext
AccessControlContext sandbox = new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, getSandboxPermissions()) }); AccessControlContext sandbox = new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, getSandboxPermissions()) });
@ -236,12 +237,13 @@ public class ExpressionFormat extends Format {
return compilation; return compilation;
} }
private PermissionCollection getSandboxPermissions() { private PermissionCollection getSandboxPermissions() {
Permissions permissions = new Permissions(); Permissions permissions = new Permissions();
permissions.add(new RuntimePermission("createClassLoader")); permissions.add(new RuntimePermission("createClassLoader"));
permissions.add(new FilePermission("<<ALL FILES>>", "read")); permissions.add(new FilePermission("<<ALL FILES>>", "read"));
permissions.add(new FilePermission(new File(System.getProperty("java.io.tmpdir")).getAbsolutePath() + File.separator, "write"));
permissions.add(new SocketPermission("*", "connect")); permissions.add(new SocketPermission("*", "connect"));
permissions.add(new PropertyPermission("*", "read")); permissions.add(new PropertyPermission("*", "read"));
permissions.add(new RuntimePermission("getenv.*")); permissions.add(new RuntimePermission("getenv.*"));
@ -249,19 +251,19 @@ public class ExpressionFormat extends Format {
return permissions; return permissions;
} }
private static class SecureCompiledScript extends CompiledScript { private static class SecureCompiledScript extends CompiledScript {
private final CompiledScript compiledScript; private final CompiledScript compiledScript;
private final AccessControlContext sandbox; private final AccessControlContext sandbox;
private SecureCompiledScript(CompiledScript compiledScript, AccessControlContext sandbox) { private SecureCompiledScript(CompiledScript compiledScript, AccessControlContext sandbox) {
this.compiledScript = compiledScript; this.compiledScript = compiledScript;
this.sandbox = sandbox; this.sandbox = sandbox;
} }
@Override @Override
public Object eval(final ScriptContext context) throws ScriptException { public Object eval(final ScriptContext context) throws ScriptException {
try { try {
@ -286,7 +288,7 @@ public class ExpressionFormat extends Format {
} }
} }
@Override @Override
public ScriptEngine getEngine() { public ScriptEngine getEngine() {
return compiledScript.getEngine(); return compiledScript.getEngine();
@ -294,7 +296,7 @@ public class ExpressionFormat extends Format {
} }
@Override @Override
public Object parseObject(String source, ParsePosition pos) { public Object parseObject(String source, ParsePosition pos) {
throw new UnsupportedOperationException(); throw new UnsupportedOperationException();