commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Woonsan Ko (JIRA)" <>
Subject [jira] [Commented] (JEXL-253) Permissions by super type in JexlSandbox
Date Thu, 25 Jan 2018 18:05:00 GMT


Woonsan Ko commented on JEXL-253:

JexlContext is filled with objects by the sandbox provider. I assume it is the provider's
responsibility to make sure of its safety. When they add a Set object while Set is a white
super type, they have a chance to review what they're doing, for instance. If we add a warning
in the javadoc on {{#permissionsByType(...)}}, I think it's good enough.

> Permissions by super type in JexlSandbox
> ----------------------------------------
>                 Key: JEXL-253
>                 URL:
>             Project: Commons JEXL
>          Issue Type: New Feature
>            Reporter: Woonsan Ko
>            Priority: Major
> At the moment, the permissions in {{JexlSandbox}} takes the object's class name only
into the consideration. So, if someone adds {{java.util.Set}} into the white list, but if
the real object is an empty set ({{Collections.emptySet()}}), then it cannot allow invocations
on {{#contains(Object)}} operation, for instance.
> I think it would be very convenient if it optionally allows to set whites or blacks based
on super type (interfaces or base classes).
> To minimize the effort, I'd suggest adding {{JexlSandbox#permissionsByType(Class<?>
type, ...)}}, where the {{type}} means the object type or any super types.
> So, if {{JexlSandbox#permissionsByType(java.util.Set.class, ...)}}, then any invocations
on any concrete {{java.util.Set}} objects will be affected by that.
> Related e-mail thread: "[JEXL] white list classes, not by interfaces?" (10/19/17).

This message was sent by Atlassian JIRA

View raw message