killme2008 · killme2008 · Oct 3, 2023 · Sep 18, 2023
diff --git a/src/main/java/com/googlecode/aviator/AviatorEvaluatorInstance.java b/src/main/java/com/googlecode/aviator/AviatorEvaluatorInstance.java
@@ -58,6 +58,7 @@
 import com.googlecode.aviator.code.interpreter.InterpretCodeGenerator;
 import com.googlecode.aviator.exception.CompileExpressionErrorException;
 import com.googlecode.aviator.exception.ExpressionNotFoundException;
+import com.googlecode.aviator.exception.ExpressionRuntimeException;
 import com.googlecode.aviator.exception.ExpressionSyntaxErrorException;
 import com.googlecode.aviator.exception.UnsupportedFeatureException;
 import com.googlecode.aviator.lexer.ExpressionLexer;
@@ -1885,4 +1886,37 @@ public StringSegments compileStringSegments(final String lexeme, final String so
       return new StringSegments(Collections.<StringSegment>emptyList(), 0);
     }
   }
+
+
+  /**
+   * check if class is in Options.ALLOWED_CLASS_SET
+   *
+   * @param checkIfAllow check or not
+   * @param clazz        the class for check
+   * @return the class for check
+   */
+  public Class<?> checkIfClassIsAllowed(final boolean checkIfAllow, final Class<?> clazz) {
+    if (checkIfAllow) {
+      Set<Class<?>> allowedList = this.getOptionValue(Options.ALLOWED_CLASS_SET).classes;
+      if (allowedList != null) {
+        // Null list means allowing all classes
+        if (!allowedList.contains(clazz)) {
+          throw new ExpressionRuntimeException(
+                  "`" + clazz + "` is not in allowed class set, check Options.ALLOWED_CLASS_SET");
+        }
+      }
+      Set<Class<?>> assignableList =
+              this.getOptionValue(Options.ASSIGNABLE_ALLOWED_CLASS_SET).classes;
+      if (assignableList != null) {
+        for (Class<?> aClass : assignableList) {
+          if (aClass.isAssignableFrom(clazz)) {
+            return clazz;
+          }
+        }
+        throw new ExpressionRuntimeException(
+                "`" + clazz + "` is not in allowed class set, check Options.ALLOWED_CLASS_SET");
+      }
+    }
+    return clazz;
+  }
 }
diff --git a/src/main/java/com/googlecode/aviator/utils/Env.java b/src/main/java/com/googlecode/aviator/utils/Env.java
@@ -34,8 +34,6 @@
 import com.googlecode.aviator.AviatorEvaluatorInstance;
 import com.googlecode.aviator.Expression;
 import com.googlecode.aviator.Feature;
-import com.googlecode.aviator.Options;
-import com.googlecode.aviator.exception.ExpressionRuntimeException;
 import com.googlecode.aviator.runtime.function.FunctionUtils;
 import com.googlecode.aviator.runtime.type.Range;
 
@@ -199,32 +197,7 @@ public Class<?> resolveClassSymbol(final String name, final boolean checkIfAllow
       throw new ClassNotFoundException(name);
     }
     put2cache(name, clazz);
-    return checkIfClassIsAllowed(checkIfAllow, clazz);
-  }
-
-  private Class<?> checkIfClassIsAllowed(final boolean checkIfAllow, final Class<?> clazz) {
-    if (checkIfAllow) {
-      Set<Class<?>> allowedList = this.instance.getOptionValue(Options.ALLOWED_CLASS_SET).classes;
-      if (allowedList != null) {
-        // Null list means allowing all classes
-        if (!allowedList.contains(clazz)) {
-          throw new ExpressionRuntimeException(
-              "`" + clazz + "` is not in allowed class set, check Options.ALLOWED_CLASS_SET");
-        }
-      }
-      Set<Class<?>> assignableList =
-          this.instance.getOptionValue(Options.ASSIGNABLE_ALLOWED_CLASS_SET).classes;
-      if (assignableList != null) {
-        for (Class<?> aClass : assignableList) {
-          if (aClass.isAssignableFrom(clazz)) {
-            return clazz;
-          }
-        }
-        throw new ExpressionRuntimeException(
-            "`" + clazz + "` is not in allowed class set, check Options.ALLOWED_CLASS_SET");
-      }
-    }
-    return clazz;
+    return this.instance.checkIfClassIsAllowed(checkIfAllow, clazz);
   }
 
   private Class<?> resolveFromImportedPackages(final String name) {

diff --git a/src/main/java/com/googlecode/aviator/utils/Reflector.java b/src/main/java/com/googlecode/aviator/utils/Reflector.java
@@ -797,6 +797,9 @@ public static Object fastGetProperty(final String name, final String[] names,
 
       if (target.innerClazz != null) {
         final AviatorEvaluatorInstance instance = RuntimeUtils.getInstance(env);
+        // check innerClazz is allowed
+        instance.checkIfClassIsAllowed(true, target.innerClazz);
+
         if (tryResolveStaticMethod && instance.isFeatureEnabled(Feature.StaticMethods)
             && names.length == 2) {
           val = fastGetProperty(target.innerClazz, rName, PropertyType.StaticMethod);