8025771: Enhance Nashorn Contexts
authorsundar
Fri, 04 Oct 2013 16:21:29 +0530
changeset 20567 5621fc356049
parent 20566 9da5fbf43096
child 20568 73b001e77ff5
8025771: Enhance Nashorn Contexts Reviewed-by: jlaskey, hannesw
nashorn/make/java.security.override
nashorn/make/project.properties
nashorn/src/jdk/nashorn/api/scripting/NashornScriptEngine.java
nashorn/src/jdk/nashorn/internal/runtime/Context.java
nashorn/src/jdk/nashorn/internal/runtime/linker/JavaAdapterFactory.java
nashorn/src/jdk/nashorn/internal/runtime/linker/NashornStaticClassLinker.java
nashorn/test/script/basic/JDK-8023026.js
nashorn/test/script/sandbox/arrayclass.js
nashorn/test/script/sandbox/arrayclass.js.EXPECTED
--- a/nashorn/make/java.security.override	Tue Oct 01 14:38:56 2013 +0530
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,14 +0,0 @@
-# We would like to avoid references from anywhere outside nashorn
-# to codegen, IR and parser packages, in particular script generated classes.
-# We ensure that by overriding "package.access" security property.
-
-# The following "package.access" value was copied from  default java.security 
-# of jre/lib/security and appended with nashorn sensitive packages.
-
-#
-# List of comma-separated packages that start with or equal this string
-# will cause a security exception to be thrown when
-# passed to checkPackageAccess unless the
-# corresponding RuntimePermission ("accessClassInPackage."+package) has
-# been granted.
-package.access=sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.org.glassfish.external.,com.sun.org.glassfish.gmbal.,jdk.internal.,jdk.nashorn.internal.,jdk.nashorn.tools.
--- a/nashorn/make/project.properties	Tue Oct 01 14:38:56 2013 +0530
+++ b/nashorn/make/project.properties	Fri Oct 04 16:21:29 2013 +0530
@@ -234,7 +234,7 @@
 #-XX:-UseCompressedKlassPointers -XX:+PrintHeapAtGC -XX:ClassMetaspaceSize=300M  
 run.test.jvmargs.octane.main=${run.test.jvmargs.common}
 
-run.test.jvmsecurityargs=-Xverify:all -Djava.security.properties=${basedir}/make/java.security.override -Djava.security.manager -Djava.security.policy=${basedir}/build/nashorn.policy
+run.test.jvmsecurityargs=-Xverify:all -Djava.security.manager -Djava.security.policy=${basedir}/build/nashorn.policy
 
 # VM options for script tests with @fork option
 test-sys-prop.test.fork.jvm.options=${run.test.jvmargs.main} -Xmx${run.test.xmx} ${run.test.jvmsecurityargs}
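Review bot: With `-Djava.security.properties=…/java.security.override` dropped from `run.test.jvmsecurityargs`, the sandbox tests now depend on the JDK under test already listing `jdk.nashorn.internal.` and `jdk.nashorn.tools.` in its default `package.access`; the deleted override file was the only place in this tree that guaranteed those entries. Presumably the entries now ship in the JDK's own `java.security`, but nothing here records that, and against a build where they are missing the `@security` scripts would pass for the wrong reason. A one-line comment above the property would make the assumption explicit, e.g. `# restricted-package entries for jdk.nashorn.internal./jdk.nashorn.tools. are expected from the JDK's default java.security (local override removed)`.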
--- a/nashorn/src/jdk/nashorn/api/scripting/NashornScriptEngine.java	Tue Oct 01 14:38:56 2013 +0530
+++ b/nashorn/src/jdk/nashorn/api/scripting/NashornScriptEngine.java	Fri Oct 04 16:21:29 2013 +0530
@@ -313,7 +313,7 @@
             if (! Modifier.isPublic(clazz.getModifiers())) {
                 throw new SecurityException(getMessage("implementing.non.public.interface", clazz.getName()));
             }
-            Context.checkPackageAccess(clazz.getName());
+            Context.checkPackageAccess(clazz);
         }
 
         ScriptObject realSelf = null;
--- a/nashorn/src/jdk/nashorn/internal/runtime/Context.java	Tue Oct 01 14:38:56 2013 +0530
+++ b/nashorn/src/jdk/nashorn/internal/runtime/Context.java	Fri Oct 04 16:21:29 2013 +0530
@@ -620,36 +620,53 @@
     }
 
     /**
-     * Checks that the given package can be accessed from no permissions context.
+     * Checks that the given Class can be accessed from no permissions context.
      *
-     * @param fullName fully qualified package name
+     * @param clazz Class object
      * @throw SecurityException if not accessible
      */
-    public static void checkPackageAccess(final String fullName) {
-        final int index = fullName.lastIndexOf('.');
-        if (index != -1) {
-            final SecurityManager sm = System.getSecurityManager();
-            if (sm != null) {
-                AccessController.doPrivileged(new PrivilegedAction<Void>() {
-                    @Override
-                    public Void run() {
-                        sm.checkPackageAccess(fullName.substring(0, index));
-                        return null;
-                    }
-                }, NO_PERMISSIONS_ACC_CTXT);
+    public static void checkPackageAccess(final Class clazz) {
+        final SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            Class bottomClazz = clazz;
+            while(bottomClazz.isArray()) {
+                bottomClazz = bottomClazz.getComponentType();
             }
+            checkPackageAccess(sm, bottomClazz.getName());
         }
     }
 
     /**
      * Checks that the given package can be accessed from no permissions context.
      *
+     * @param sm current security manager instance
      * @param fullName fully qualified package name
+     * @throw SecurityException if not accessible
+     */
+    private static void checkPackageAccess(final SecurityManager sm, final String fullName) {
+        sm.getClass(); // null check
+        final int index = fullName.lastIndexOf('.');
+        if (index != -1) {
+            final String pkgName = fullName.substring(0, index);
+            AccessController.doPrivileged(new PrivilegedAction<Void>() {
+                @Override
+                public Void run() {
+                    sm.checkPackageAccess(pkgName);
+                    return null;
+                }
+            }, NO_PERMISSIONS_ACC_CTXT);
+        }
+    }
+
+    /**
+     * Checks that the given Class can be accessed from no permissions context.
+     *
+     * @param clazz Class object
      * @return true if package is accessible, false otherwise
      */
-    public static boolean isAccessiblePackage(final String fullName) {
+    private static boolean isAccessiblePackage(final Class clazz) {
         try {
-            checkPackageAccess(fullName);
+            checkPackageAccess(clazz);
             return true;
         } catch (final SecurityException se) {
             return false;
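Review bot: The new public signature `checkPackageAccess(final Class clazz)` and `isAccessiblePackage(final Class clazz)` use the raw `Class` type while the sibling `isAccessibleClass` takes `Class<?>`; declare both as `final Class<?> clazz` so callers are not pushed into raw types. The `sm.getClass(); // null check` idiom in the private overload is obscure and should be `Objects.requireNonNull(sm, "sm");` (java.util.Objects, available since Java 7). The array-unwrapping loop deserves a why-comment, since a reader may not see that it is what keeps the string-based package check sound: `// check the element type: an array name like "[Lsun.misc.Unsafe;" would otherwise yield the package "[Lsun.misc", which does not match the restricted prefix`. Both new Javadoc blocks also repeat the pre-existing `@throw` tag, which Javadoc does not recognise; it should be `@throws SecurityException if not accessible`.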
@@ -663,7 +680,7 @@
      * @return true if Class is accessible, false otherwise
      */
     public static boolean isAccessibleClass(final Class<?> clazz) {
-        return Modifier.isPublic(clazz.getModifiers()) && Context.isAccessiblePackage(clazz.getName());
+        return Modifier.isPublic(clazz.getModifiers()) && Context.isAccessiblePackage(clazz);
     }
 
     /**
@@ -677,8 +694,16 @@
      * @throws ClassNotFoundException if class cannot be resolved
      */
     public Class<?> findClass(final String fullName) throws ClassNotFoundException {
+        if (fullName.indexOf('[') != -1 || fullName.indexOf('/') != -1) {
+            // don't allow array class names or internal names.
+            throw new ClassNotFoundException(fullName);
+        }
+
         // check package access as soon as possible!
-        checkPackageAccess(fullName);
+        final SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            checkPackageAccess(sm, fullName);
+        }
 
         // try the script -classpath loader, if that is set
         if (classPathLoader != null) {
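Review bot: The comment `// don't allow array class names or internal names.` at the top of `findClass` says what the check does but not why it is security-relevant, and the reason is not obvious from this method alone. `checkPackageAccess(sm, fullName)` derives the package from the text before the last `.`, so for a descriptor such as `[Lsun.misc.Unsafe;` it would test `[Lsun.misc` rather than `sun.misc` and the restricted package would not be matched; rejecting `[` and `/` up front is what keeps that string-based check sound, with array types instead going through the `Class`-based overload that unwraps to the element type. Suggest `// reject JVM descriptors and internal names up front: the package check below keys on the last '.', so "[Lsun.misc.Unsafe;" would otherwise be checked as package "[Lsun.misc"`. Note the rejection also deliberately yields ClassNotFoundException rather than SecurityException, which is what the new sandbox test pins. The rest of `findClass` continues past this hunk.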
--- a/nashorn/src/jdk/nashorn/internal/runtime/linker/JavaAdapterFactory.java	Tue Oct 01 14:38:56 2013 +0530
+++ b/nashorn/src/jdk/nashorn/internal/runtime/linker/JavaAdapterFactory.java	Fri Oct 04 16:21:29 2013 +0530
@@ -109,7 +109,7 @@
         if (sm != null) {
             for (Class<?> type : types) {
                 // check for restricted package access
-                Context.checkPackageAccess(type.getName());
+                Context.checkPackageAccess(type);
             }
         }
         return getAdapterInfo(types).getAdapterClassFor(classOverrides);
--- a/nashorn/src/jdk/nashorn/internal/runtime/linker/NashornStaticClassLinker.java	Tue Oct 01 14:38:56 2013 +0530
+++ b/nashorn/src/jdk/nashorn/internal/runtime/linker/NashornStaticClassLinker.java	Fri Oct 04 16:21:29 2013 +0530
@@ -70,7 +70,7 @@
         // We intercept "new" on StaticClass instances to provide additional capabilities
         if ("new".equals(desc.getNameToken(CallSiteDescriptor.OPERATOR))) {
             // make sure new is on accessible Class
-            Context.checkPackageAccess(receiverClass.getName());
+            Context.checkPackageAccess(receiverClass);
 
             // Is the class abstract? (This includes interfaces.)
             if (NashornLinker.isAbstractClass(receiverClass)) {
--- a/nashorn/test/script/basic/JDK-8023026.js	Tue Oct 01 14:38:56 2013 +0530
+++ b/nashorn/test/script/basic/JDK-8023026.js	Fri Oct 04 16:21:29 2013 +0530
@@ -48,7 +48,7 @@
         function(x) x*x));
 }
 
-var array = new (Java.type("[I"))(4);
+var array = new (Java.type("int[]"))(4);
 for (var i in array) {
     array[i] = i;
 }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/nashorn/test/script/sandbox/arrayclass.js	Fri Oct 04 16:21:29 2013 +0530
@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ * 
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ * 
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ * 
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ * 
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * Try to access array class of a sensitive class like Unsafe.
+ *
+ * @test
+ * @security
+ * @run
+ */
+
+try {
+    var unsafeArr = Java.type("[Lsun.misc.Unsafe;");
+    fail("No Exception for [Lsun.misc.Unsafe;");
+} catch (e) {
+    print(e);
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/nashorn/test/script/sandbox/arrayclass.js.EXPECTED	Fri Oct 04 16:21:29 2013 +0530
@@ -0,0 +1,1 @@
+java.lang.ClassNotFoundException: [Lsun.misc.Unsafe;