Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use context.initSafeStandardObjects instead of context.initStandardObjects #12

Open
faikofhh opened this issue Nov 13, 2017 · 2 comments
Open

Use context.initSafeStandardObjects instead of context.initStandardObjects #12

faikofhh opened this issue Nov 13, 2017 · 2 comments
Assignees
@dadza

Comments

@faikofhh
Copy link

faikofhh commented Nov 13, 2017
edited
Loading

https://github.com/Jaspersoft/jasperreports/blob/895d17ad3fb3bc8cdbb961edaa9a073e110a05d0/jasperreports/src/net/sf/jasperreports/compilers/JavaScriptEvaluatorScope.java#L164

using initStandardObjects allow user to inject code in the report designs in order to load/import undesired Java class into JavaScript execution environment. Please consider fix it.

If initStandardObjects must be used, consider creating a JS Context object that uses ClassShutter to whitelist the safe Java classes.
@dadza dadza self-assigned this Dec 12, 2017
dadza added a commit that referenced this issue Dec 13, 2017
@dadza
use protection domain for JavaScript compiled reports (for gh-12)
9616ef8 
JRClassLoader has a ProtectionDomain factory which can be used to control the
permissions of Java and Groovy compiled reports.

The same factory is now used by JavaScriptClassCompiler, which is the default
JavaScript report compiler.
dadza added a commit that referenced this issue Dec 13, 2017
@dadza
Merge branch 'gh-12'
ce08463
dadza added a commit that referenced this issue Dec 13, 2017
@dadza
protection domain for the legacy JavaScript compiler (for gh-12)
91af79e
@dadza
Copy link
Collaborator

dadza commented Dec 13, 2017

initSafeStandardObjects would not work given the current way the builtin variables and parameter/field/variable references are implemented. It might be possible to change the JavaScript compiler so that it works with initSafeStandardObjects, we'll consider that for the future.

What we did for now is to make the security mechanism used for Java and Groovy reports - see here - apply to reports with JavaScripts expressions as well. Granting reports the same permissions no matter the report expression language makes perfect sense.

In addition to restricting thinks like file system access, you can use a Java security policy to restrict access to classes in protected packages via the package.access security property. Having a ClassShutter implementation with a class whitelist for JavaScript reports would be an additional security mechanism, we'll consider it.

dadza added a commit that referenced this issue Jan 16, 2018
@dadza
use protection domain for JavaScript compiled reports (for gh-12)
70ac424 
JRClassLoader has a ProtectionDomain factory which can be used to control the
permissions of Java and Groovy compiled reports.

The same factory is now used by JavaScriptClassCompiler, which is the default
JavaScript report compiler.
dadza added a commit that referenced this issue Jan 16, 2018
@dadza
protection domain for the legacy JavaScript compiler (for gh-12)
f91cdb1
dadza added a commit that referenced this issue Jan 16, 2018
@dadza
use protection domain for JavaScript compiled reports (for gh-12)
cceffdb 
JRClassLoader has a ProtectionDomain factory which can be used to control the
permissions of Java and Groovy compiled reports.

The same factory is now used by JavaScriptClassCompiler, which is the default
JavaScript report compiler.
dadza added a commit that referenced this issue Jan 16, 2018
@dadza
protection domain for the legacy JavaScript compiler (for gh-12)
62ddf40
dadza added a commit that referenced this issue Jan 23, 2018
@dadza
use protection domain for JavaScript compiled reports (for gh-12)
7b6c4b4 
JRClassLoader has a ProtectionDomain factory which can be used to control the
permissions of Java and Groovy compiled reports.

The same factory is now used by JavaScriptClassCompiler, which is the default
JavaScript report compiler.
dadza added a commit that referenced this issue Jan 23, 2018
@dadza
protection domain for the legacy JavaScript compiler (for gh-12)
e71da0f
dadza added a commit that referenced this issue Feb 8, 2018
@dadza
use protection domain for JavaScript compiled reports (for gh-12)
e479a7c 
JRClassLoader has a ProtectionDomain factory which can be used to control the
permissions of Java and Groovy compiled reports.

The same factory is now used by JavaScriptClassCompiler, which is the default
JavaScript report compiler.
dadza added a commit that referenced this issue Feb 8, 2018
@dadza
protection domain for the legacy JavaScript compiler (for gh-12)
06be8ba
@ShaheedHaque
Copy link

ShaheedHaque commented Mar 13, 2019
edited
Loading

Is there a way to load a Javascript script from the filesystem? Does this block that?

[EDIT] Note that I am currently doing stuff like this in my Javascript expressions:

var x = java.io.RandomAccessFile('/home/.../t.txt', 'r');

and I assuming this change will not affect this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dadza dadza

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ShaheedHaque @dadza @faikofhh