BATIK-1345: Restrict what java classes can be run thru rhino

git-svn-id: https://svn.apache.org/repos/asf/xmlgraphics/batik/trunk@1904549 13f79535-47bb-0310-9956-ffa450edef68
apache · Oct 12, 2022 · 52f7a1a · 52f7a1a
1 parent e41d507
commit 52f7a1a
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java b/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
@@ -20,13 +20,17 @@ Licensed to the Apache Software Foundation (ASF) under one or more
 
 import org.mozilla.javascript.ClassShutter;
 
+import java.util.Arrays;
+import java.util.List;
+
 /**
  * Class shutter that restricts access to Batik internals from script.
  *
  * @author <a href="mailto:[email protected]">Thomas DeWeese</a>
  * @version $Id$
  */
 public class RhinoClassShutter implements ClassShutter {
+    private static final List<String> WHITELIST = Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL");
 
     /*
     public RhinoClassShutter() {
@@ -55,6 +59,10 @@ public void test(String cls) {
      * Returns whether the given class is visible to scripts.
      */
     public boolean visibleToScripts(String fullClassName) {
+        if (fullClassName.startsWith("java.") && !WHITELIST.contains(fullClassName) && !fullClassName.endsWith("Permission")) {
+            return false;
+        }
+
         // Don't let them mess with script engine's internals.
         if (fullClassName.startsWith("org.mozilla.javascript"))
             return false;