commons-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From hen...@apache.org
Subject svn commit: r1197040 - in /commons/proper/jexl/trunk: RELEASE-NOTES.txt src/site/xdoc/changes.xml src/test/java/org/apache/commons/jexl2/SandboxTest.java
Date Thu, 03 Nov 2011 10:03:48 GMT
Author: henrib
Date: Thu Nov  3 10:03:47 2011
New Revision: 1197040

URL: http://svn.apache.org/viewvc?rev=1197040&view=rev
Log:
Updated changes and release notes;
Added a sandbox test (protect call to System, etc)

Modified:
    commons/proper/jexl/trunk/RELEASE-NOTES.txt
    commons/proper/jexl/trunk/src/site/xdoc/changes.xml
    commons/proper/jexl/trunk/src/test/java/org/apache/commons/jexl2/SandboxTest.java

Modified: commons/proper/jexl/trunk/RELEASE-NOTES.txt
URL: http://svn.apache.org/viewvc/commons/proper/jexl/trunk/RELEASE-NOTES.txt?rev=1197040&r1=1197039&r2=1197040&view=diff
==============================================================================
--- commons/proper/jexl/trunk/RELEASE-NOTES.txt (original)
+++ commons/proper/jexl/trunk/RELEASE-NOTES.txt Thu Nov  3 10:03:47 2011
@@ -41,9 +41,10 @@ What's new in 2.1:
 * A more thorough arithmetic (JexlArithmetic) that allows fine control over decimals (scale
and precision), a
   new syntax for numeric literals (OGNL inspired Big and Huge notations) and a better type
handling keeping the most
   appropriate representation in casual operations.
-* The introduction of script variables and parameters that reduce context dependencies and
methods that allow some
-  checks performed after script creation (light static checking hints). Plus the ability
to call script from scripts.
+* The introduction of script variables and parameters that reduce context dependencies and
methods; this allows to
+  perform checks after script creation (light static checking hints). Plus the ability to
call script from scripts.
 * A sandoxing feature to restrict and rename what JEXL can access from the environment allowing
tighter control over security.
+* Extensions to UnifiedJEXL that allow the creation of templates.
 
 New features in 2.1:
 ====================	
@@ -52,6 +53,8 @@ New features in 2.1:
 * JEXL-118:     Provide an IN operator
 * JEXL-115:     Add support for asynchronous script execution and cancellation
 * JEXL-116:     Add control over classes, methods, constructors and properties allowed in
scripts
+* JEXL-120:     Add simple template features
+* JEXL-119:     Allow indexed properties container resolution in expressions
 * JEXL-106:     When divide two BigDecimal values in an expression it results in java.lang.ArithmeticException
 * JEXL-102:     Add "jexl2" as a supported name
 

Modified: commons/proper/jexl/trunk/src/site/xdoc/changes.xml
URL: http://svn.apache.org/viewvc/commons/proper/jexl/trunk/src/site/xdoc/changes.xml?rev=1197040&r1=1197039&r2=1197040&view=diff
==============================================================================
--- commons/proper/jexl/trunk/src/site/xdoc/changes.xml (original)
+++ commons/proper/jexl/trunk/src/site/xdoc/changes.xml Thu Nov  3 10:03:47 2011
@@ -26,6 +26,12 @@
   </properties>
   <body>
     <release version="2.1" date="unreleased">
+        <action dev="henrib" type="add" issue="JEXL-121">
+            Add simple template features
+        </action>
+        <action dev="henrib" type="fix" issue="JEXL-120" due-to="Lukas Krecan">
+            Make ParseException work in sandboxed environment
+        </action>
         <action dev="henrib" type="add" issue="JEXL-119">
             Allow indexed properties container resolution in expressions
         </action>

Modified: commons/proper/jexl/trunk/src/test/java/org/apache/commons/jexl2/SandboxTest.java
URL: http://svn.apache.org/viewvc/commons/proper/jexl/trunk/src/test/java/org/apache/commons/jexl2/SandboxTest.java?rev=1197040&r1=1197039&r2=1197040&view=diff
==============================================================================
--- commons/proper/jexl/trunk/src/test/java/org/apache/commons/jexl2/SandboxTest.java (original)
+++ commons/proper/jexl/trunk/src/test/java/org/apache/commons/jexl2/SandboxTest.java Thu
Nov  3 10:03:47 2011
@@ -193,7 +193,7 @@ public class SandboxTest extends JexlTes
         script = sjexl.createScript(expr, "foo");
         result = script.execute(null, foo);
         assertEquals(foo.alias, result);
-        
+
         script = sjexl.createScript("foo.ALIAS", "foo");
         result = script.execute(null, foo);
         assertEquals(foo.alias, result);
@@ -216,4 +216,43 @@ public class SandboxTest extends JexlTes
         assertEquals("43", result);
         assertEquals("43", foo.alias);
     }
+
+    public void testRestrict() throws Exception {
+        JexlContext context = new MapContext();
+        context.set("System", System.class);
+        Sandbox sandbox = new Sandbox();
+        // only allow call to currentTimeMillis (avoid exit, gc, loadLibrary, etc)
+        sandbox.white(System.class.getName()).execute("currentTimeMillis");
+        // can not create a new file
+        sandbox.black(java.io.File.class.getName()).execute("");
+
+        Uberspect uber = new SandboxUberspectImpl(null, sandbox);
+        JexlEngine sjexl = new JexlEngine(uber, null, null, null);
+        sjexl.setStrict(true);
+
+        String expr;
+        Script script;
+        Object result;
+        
+        script = sjexl.createScript("System.exit()");
+        try {
+            result = script.execute(context);
+            fail("should not allow calling exit!");
+        } catch (JexlException xjexl) {
+            LOGGER.info(xjexl.toString());
+        }
+                
+        script = sjexl.createScript("new('java.io.File', '/tmp/should-not-be-created')");
+        try {
+            result = script.execute(context);
+            fail("should not allow creating a file");
+        } catch (JexlException xjexl) {
+            LOGGER.info(xjexl.toString());
+        }
+        
+        expr = "System.currentTimeMillis()";
+        script = sjexl.createScript("System.currentTimeMillis()");
+        result = script.execute(context);
+        assertNotNull(result);
+    }
 }



Mime
View raw message