8033924: Default permissions are not given for eval code
authorsundar
Fri, 07 Feb 2014 18:47:46 +0530
changeset 23076 8660ebaaa2f2
parent 23075 0e9484b12766
child 23077 251e891dc16d
8033924: Default permissions are not given for eval code Reviewed-by: lagergren, jlaskey
nashorn/src/jdk/nashorn/internal/runtime/Context.java
nashorn/src/jdk/nashorn/internal/runtime/ScriptLoader.java
nashorn/test/script/sandbox/safeprops.js
nashorn/test/src/jdk/nashorn/api/scripting/ScriptEngineTest.java
--- a/nashorn/src/jdk/nashorn/internal/runtime/Context.java	Thu Feb 06 17:44:37 2014 +0530
+++ b/nashorn/src/jdk/nashorn/internal/runtime/Context.java	Fri Feb 07 18:47:46 2014 +0530
@@ -956,7 +956,7 @@
 
         final URL          url    = source.getURL();
         final ScriptLoader loader = env._loader_per_compile ? createNewLoader() : scriptLoader;
-        final CodeSource   cs     = url == null ? null : new CodeSource(url, (CodeSigner[])null);
+        final CodeSource   cs     = new CodeSource(url, (CodeSigner[])null);
         final CodeInstaller<ScriptEnvironment> installer = new ContextCodeInstaller(this, loader, cs);
 
         final Compiler compiler = new Compiler(installer, strict);
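Review bot: The new `cs` line now builds a `CodeSource` with a null location whenever `source.getURL()` returns null, and nothing at the call site says this is deliberate. A later cleanup could restore the `url == null ? null : ...` guard and silently bring the bug back. I would add a comment above it, for example `// url is null for sources without a URL (e.g. eval code); still build a CodeSource so the policy's default grants apply`. It is also worth confirming that all URL-less sources sharing one null-location `CodeSource` (and so, presumably, one protection domain per loader) is the intended granularity. The enclosing method starts and ends outside this hunk.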
--- a/nashorn/src/jdk/nashorn/internal/runtime/ScriptLoader.java	Thu Feb 06 17:44:37 2014 +0530
+++ b/nashorn/src/jdk/nashorn/internal/runtime/ScriptLoader.java	Fri Feb 07 18:47:46 2014 +0530
@@ -70,9 +70,8 @@
      * @return Installed class.
      */
     synchronized Class<?> installClass(final String name, final byte[] data, final CodeSource cs) {
-        if (cs == null) {
-            return defineClass(name, data, 0, data.length, new ProtectionDomain(null, getPermissions(null)));
-        }
+        // null check
+        cs.getClass();
         return defineClass(name, data, 0, data.length, cs);
     }
 }
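Review bot: The `cs.getClass();` statement in `installClass` reads like a leftover no-op, and the `// null check` comment does not say why a null `CodeSource` must be rejected. `Objects.requireNonNull(cs, "cs");` states the intent and gives a usable message, though it needs `java.util.Objects` imported, and the import block is outside this hunk. The comment could carry the security reason, e.g. `// every installed class must carry a CodeSource so the policy decides its permissions`. The Javadoc, which begins outside the hunk, should also say that `cs` must not be null.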
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/nashorn/test/script/sandbox/safeprops.js	Fri Feb 07 18:47:46 2014 +0530
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 2014 Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * Try to access System properties safe to read for any code.
+ * No security exception expected.
+ *
+ * @test
+ * @security
+ * @run
+ * @bug 8033924: Default permissions are not given for eval code
+ */
+
+var propNames = [
+   "java.version",
+   "java.vendor",
+   "java.vendor.url",
+   "java.class.version",
+   "os.name",
+   "os.version",
+   "os.arch",
+   "file.separator",
+   "path.separator",
+   "line.separator",
+   "java.specification.version",
+   "java.specification.vendor",
+   "java.specification.name",
+   "java.vm.specification.version",
+   "java.vm.specification.vendor",
+   "java.vm.specification.name",
+   "java.vm.version",
+   "java.vm.vendor",
+   "java.vm.name"
+];
+
+// no security exception expected
+for (var p in propNames) {
+    java.lang.System.getProperty(propNames[p]);
+}
+
+// no security exception expected
+for (var p in propNames) {
+    var name = propNames[p];
+    eval('java.lang.System.getProperty(name)');
+}
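Review bot: Both loops only show that the permitted reads succeed, so a regression that hands eval code too many permissions would pass unnoticed. A negative case inside `eval` would pin the boundary from both sides, using a property that is not in the list above; this assumes the sandbox policy does not grant it. The loops also discard the return values; comparing the direct read with the eval read for each name would tie the two paths together.

```javascript
// … unchanged: propNames and the two positive loops …

// a property outside the default grant must still be denied inside eval
var denied = false;
try {
    eval('java.lang.System.getProperty("user.home")');
} catch (e) {
    denied = e instanceof java.lang.SecurityException;
}
if (!denied) {
    throw new Error("SecurityException expected for user.home in eval code");
}
```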
--- a/nashorn/test/src/jdk/nashorn/api/scripting/ScriptEngineTest.java	Thu Feb 06 17:44:37 2014 +0530
+++ b/nashorn/test/src/jdk/nashorn/api/scripting/ScriptEngineTest.java	Fri Feb 07 18:47:46 2014 +0530
@@ -560,6 +560,47 @@
         assertTrue(reached[0]);
     }
 
+    // properties that can be read by any code
+    private static String[] propNames = {
+        "java.version",
+        "java.vendor",
+        "java.vendor.url",
+        "java.class.version",
+        "os.name",
+        "os.version",
+        "os.arch",
+        "file.separator",
+        "path.separator",
+        "line.separator",
+        "java.specification.version",
+        "java.specification.vendor",
+        "java.specification.name",
+        "java.vm.specification.version",
+        "java.vm.specification.vendor",
+        "java.vm.specification.name",
+        "java.vm.version",
+        "java.vm.vendor",
+        "java.vm.name"
+    };
+
+    // @bug 8033924: Default permissions are not given for eval code
+    @Test
+    public void checkPropertyReadPermissions() throws ScriptException {
+        final ScriptEngineManager m = new ScriptEngineManager();
+        final ScriptEngine e = m.getEngineByName("nashorn");
+
+        for (final String name : propNames) {
+            checkProperty(e, name);
+        }
+    }
+
+    private static void checkProperty(final ScriptEngine e, final String name)
+        throws ScriptException {
+        String value = System.getProperty(name);
+        e.put("name", name);
+        assertEquals(value, e.eval("java.lang.System.getProperty(name)"));
+    }
+
     private static final String LINE_SEPARATOR = System.getProperty("line.separator");
 
     // Returns String that would be the result of calling PrintWriter.println
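Review bot: `propNames` is declared `private static String[]` without `final`, while `LINE_SEPARATOR` a few lines below is `private static final`. Since the array is a fixed test fixture, it should be `private static final String[] propNames = {`. The local `String value` in `checkProperty` could likewise be `final`, matching the other locals added here. Separately, `checkPropertyReadPermissions` only demonstrates the fix if this class runs under a security manager, which the hunk does not show. A comment such as `// meaningful only when the test JVM runs with a SecurityManager installed` would make that dependency explicit.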