8008305: ScriptEngine.eval should offer the ability to provide a codebase
authorsundar
Mon, 18 Feb 2013 14:41:58 +0530
changeset 16243 f5fdf89e1583
parent 16242 c928b16d6ccd
child 16244 12f06c992c3a
8008305: ScriptEngine.eval should offer the ability to provide a codebase Reviewed-by: lagergren, hannesw, attila
nashorn/src/jdk/nashorn/api/scripting/NashornScriptEngine.java
nashorn/src/jdk/nashorn/api/scripting/URLReader.java
nashorn/test/script/trusted/JDK-8008305.js
nashorn/test/script/trusted/JDK-8008305_subtest.js
nashorn/test/script/trusted/urlreader.js
--- a/nashorn/src/jdk/nashorn/api/scripting/NashornScriptEngine.java	Fri Feb 15 20:40:05 2013 +0530
+++ b/nashorn/src/jdk/nashorn/api/scripting/NashornScriptEngine.java	Mon Feb 18 14:41:58 2013 +0530
@@ -119,7 +119,12 @@
     @Override
     public Object eval(final Reader reader, final ScriptContext ctxt) throws ScriptException {
         try {
-            return evalImpl(Source.readFully(reader), ctxt);
+            if (reader instanceof URLReader) {
+                final URL url = ((URLReader)reader).getURL();
+                return evalImpl(compileImpl(new Source(url.toString(), url), ctxt), ctxt);
+            } else {
+                return evalImpl(Source.readFully(reader), ctxt);
+            }
         } catch (final IOException e) {
             throw new ScriptException(e);
         }
@@ -442,14 +447,16 @@
     }
 
     private ScriptFunction compileImpl(final char[] buf, final ScriptContext ctxt) throws ScriptException {
+        final Object val = ctxt.getAttribute(ScriptEngine.FILENAME);
+        final String fileName = (val != null) ? val.toString() : "<eval>";
+        return compileImpl(new Source(fileName, buf), ctxt);
+    }
+
+    private ScriptFunction compileImpl(final Source source, final ScriptContext ctxt) throws ScriptException {
         final ScriptObject oldGlobal = getNashornGlobal();
         final ScriptObject ctxtGlobal = getNashornGlobalFrom(ctxt);
         final boolean globalChanged = (oldGlobal != ctxtGlobal);
         try {
-            final Object val = ctxt.getAttribute(ScriptEngine.FILENAME);
-            final String fileName = (val != null) ? val.toString() : "<eval>";
-
-            final Source source = new Source(fileName, buf);
             if (globalChanged) {
                 setNashornGlobal(ctxtGlobal);
             }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/nashorn/src/jdk/nashorn/api/scripting/URLReader.java	Mon Feb 18 14:41:58 2013 +0530
@@ -0,0 +1,75 @@
+/*
+ * Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package jdk.nashorn.api.scripting;
+
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.Reader;
+import java.net.URL;
+
+/**
+ * A Reader that reads from a URL. Used to make sure that the reader
+ * reads content from given URL and can be trusted to do so.
+ */
+public final class URLReader extends Reader {
+    // underlying URL
+    private URL url;
+    // lazily initialized underlying reader for URL
+    private Reader reader;
+
+    public URLReader(final URL url) {
+        this.url = url;
+    }
+
+    @Override
+    public int read(char cbuf[], int off, int len) throws IOException {
+        return getReader().read(cbuf, off, len);
+    }
+
+    @Override
+    public void close() throws IOException {
+        getReader().close();
+    }
+
+    /**
+     * URL of this reader
+     * @return the URL from which this reader reads.
+     */
+    public URL getURL() {
+        return url;
+    }
+
+    // lazily initialize char array reader using URL content
+    private Reader getReader() throws IOException {
+        synchronized (lock) {
+            if (reader == null) {
+                reader = new InputStreamReader(url.openStream());
+            }
+        }
+
+        return reader;
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/nashorn/test/script/trusted/JDK-8008305.js	Mon Feb 18 14:41:58 2013 +0530
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ * 
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ * 
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ * 
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ * 
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * JDK-8008305: ScriptEngine.eval should offer the ability to provide a codebase *
+ * @test
+ * @run
+ */
+
+var URLReader = Java.type("jdk.nashorn.api.scripting.URLReader");
+var File = Java.type("java.io.File");
+var FileReader = Java.type("java.io.FileReader");
+var ScriptEngineManager = Java.type("javax.script.ScriptEngineManager");
+var SecurityException = Java.type("java.lang.SecurityException");
+
+var m = new ScriptEngineManager();
+var e = m.getEngineByName("nashorn");
+
+
+// subtest script file
+var scriptFile = new File(__DIR__ + "JDK-8008305_subtest.js");
+
+// evaluate the subtest via a URLReader
+var res = e.eval(new URLReader(scriptFile.toURI().toURL()));
+
+// subtest should execute with AllPermission and so return absolute path
+if (! res.equals(new File(".").getAbsolutePath())) {
+    fail("eval result is not equal to expected value");
+}
+
+// try same subtest without URLReader and so it runs with null code source
+try {
+    e.eval(new FileReader(scriptFile));
+    fail("Expected SecurityException from script!");
+} catch (e) {
+    if (! (e instanceof SecurityException)) {
+        faile("Expected SecurityException, but got " + e);
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/nashorn/test/script/trusted/JDK-8008305_subtest.js	Mon Feb 18 14:41:58 2013 +0530
@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ * 
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ * 
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ * 
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ * 
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+
+/**
+ * JDK-8008305: ScriptEngine.eval should offer the ability to provide a codebase *
+ * @subtest
+ */
+
+// If this test runs with sandbox permissions, the following should
+// result in SecurityException or else it should succeed.
+
+new java.io.File(".").getAbsolutePath();
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/nashorn/test/script/trusted/urlreader.js	Mon Feb 18 14:41:58 2013 +0530
@@ -0,0 +1,27 @@
+/**
+ * JDK-8008305: ScriptEngine.eval should offer the ability to provide a codebase
+ *
+ * @test
+ * @run
+ */
+
+var URLReader = Java.type("jdk.nashorn.api.scripting.URLReader");
+var URL = Java.type("java.net.URL");
+var File = Java.type("java.io.File");
+var JString = Java.type("java.lang.String");
+var Source = Java.type("jdk.nashorn.internal.runtime.Source");
+
+var url = new File(__FILE__).toURI().toURL();
+var reader = new URLReader(url);
+
+// check URLReader.getURL() method
+//Assert.assertEquals(url, reader.getURL());
+
+// check URL read
+// read URL content by directly reading from URL
+var str = new Source(url.toString(), url).getString();
+// read URL content via URLReader
+var content = new JString(Source.readFully(reader));
+
+// assert that the content is same
+Assert.assertEquals(str, content);