Implement dynamically loaded whitelist

EOCV-Sim/src/main/java/com/github/serivesmejia/eocvsim/gui/component/visualizer/CreateSourcePanel.kt

@@ -41,12 +41,6 @@ class CreateSourcePanel(eocvSim: EOCVSim) : JPanel(GridLayout(2, 1)) {
             { it.coolName }, { SourceType.fromCoolName(it) }
     )
 
-    private val cameraDriverComboBox = EnumComboBox(
-            "Camera driver: ", WebcamDriver::class.java, WebcamDriver.values(),
-            { it.name.replace("_", " ") }, { WebcamDriver.valueOf(it.replace(" ", "_")) }
-
-    )
-
     private val sourceSelectPanel    = JPanel(FlowLayout(FlowLayout.CENTER))
 
     private val nextButton = JButton("Next")

EOCV-Sim/src/main/java/com/github/serivesmejia/eocvsim/gui/component/visualizer/InputSourceDropTarget.kt

@@ -1,3 +1,26 @@
+/*
+ * Copyright (c) 2024 Sebastian Erives
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ *
+ */
+
 package com.github.serivesmejia.eocvsim.gui.component.visualizer
 
 import com.github.serivesmejia.eocvsim.EOCVSim
@@ -12,10 +35,6 @@ import java.io.File
 
 class InputSourceDropTarget(val eocvSim: EOCVSim) : DropTarget() {
 
-    companion object {
-        private const val TAG = "InputSourceDropTarget"
-    }
-
     val logger by loggerForThis()
 
     @Suppress("UNCHECKED_CAST")
@@ -41,4 +60,4 @@ class InputSourceDropTarget(val eocvSim: EOCVSim) : DropTarget() {
         }
     }
 
-}
+}

EOCV-Sim/src/main/java/com/github/serivesmejia/eocvsim/gui/component/visualizer/PipelineOpModeSwitchablePanel.kt

@@ -1,3 +1,26 @@
+/*
+ * Copyright (c) 2024 Sebastian Erives
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ *
+ */
+
 package com.github.serivesmejia.eocvsim.gui.component.visualizer
 
 import com.github.serivesmejia.eocvsim.EOCVSim

EOCV-Sim/src/main/java/com/github/serivesmejia/eocvsim/gui/component/visualizer/TelemetryPanel.kt

@@ -1,3 +1,26 @@
+/*
+ * Copyright (c) 2024 Sebastian Erives
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ *
+ */
+
 package com.github.serivesmejia.eocvsim.gui.component.visualizer
 
 import org.firstinspires.ftc.robotcore.external.Telemetry

EOCV-Sim/src/main/java/com/github/serivesmejia/eocvsim/pipeline/compiler/PipelineClassLoader.kt

@@ -29,6 +29,7 @@ import com.github.serivesmejia.eocvsim.util.extension.removeFromEnd
 import io.github.deltacv.eocvsim.sandbox.restrictions.MethodCallByteCodeChecker
 import io.github.deltacv.eocvsim.sandbox.restrictions.dynamicLoadingMethodBlacklist
 import io.github.deltacv.eocvsim.sandbox.restrictions.dynamicLoadingPackageBlacklist
+import io.github.deltacv.eocvsim.sandbox.restrictions.dynamicLoadingPackageWhitelist
 import org.openftc.easyopencv.OpenCvPipeline
 import java.io.ByteArrayOutputStream
 import java.io.File
@@ -77,14 +78,27 @@ class PipelineClassLoader(pipelinesJar: File) : ClassLoader() {
         if(clazz == null) {
             for(blacklistedPackage in dynamicLoadingPackageBlacklist) {
                 if (name.contains(blacklistedPackage)) {
-                    throw IllegalAccessError("Dynamically loaded pipelines are not authorized to use $name")
+                    throw IllegalAccessError("Dynamically loaded pipelines are blacklisted to use $name")
                 }
             }
 
             try {
                 clazz = loadClass(zipFile.getEntry(name.replace('.', '/') + ".class"))
                 if(resolve) resolveClass(clazz)
             } catch(e: Exception) {
+                var inWhitelist = false
+
+                for(whiteListedPackage in dynamicLoadingPackageWhitelist) {
+                    if(name.contains(whiteListedPackage)) {
+                        inWhitelist = true
+                        break
+                    }
+                }
+
+                if(!inWhitelist) {
+                    throw IllegalAccessError("Dynamically loaded pipelines are not whitelisted to use $name")
+                }
+
                 clazz = Class.forName(name) // fallback to the system classloader
             }
         }

EOCV-Sim/src/main/java/io/github/deltacv/eocvsim/plugin/loader/PluginClassLoader.kt

@@ -28,6 +28,7 @@ import com.github.serivesmejia.eocvsim.util.extension.removeFromEnd
 import io.github.deltacv.eocvsim.sandbox.restrictions.MethodCallByteCodeChecker
 import io.github.deltacv.eocvsim.sandbox.restrictions.dynamicLoadingMethodBlacklist
 import io.github.deltacv.eocvsim.sandbox.restrictions.dynamicLoadingPackageBlacklist
+import io.github.deltacv.eocvsim.sandbox.restrictions.dynamicLoadingPackageWhitelist
 import java.io.ByteArrayOutputStream
 import java.io.File
 import java.io.IOException
@@ -81,7 +82,7 @@ class PluginClassLoader(private val pluginJar: File, val pluginContext: PluginCo
         if(!pluginContext.hasSuperAccess) {
             for (blacklistedPackage in dynamicLoadingPackageBlacklist) {
                 if (name.contains(blacklistedPackage)) {
-                    throw IllegalAccessError("Plugins are not authorized to use $name")
+                    throw IllegalAccessError("Plugins are blacklisted to use $name")
                 }
             }
         }
@@ -97,6 +98,19 @@ class PluginClassLoader(private val pluginJar: File, val pluginContext: PluginCo
                 clazz = loadClassStrict(name)
                 if(resolve) resolveClass(clazz)
             } catch(e: Exception) {
+                var inWhitelist = false
+
+                for(whiteListedPackage in dynamicLoadingPackageWhitelist) {
+                    if(name.contains(whiteListedPackage)) {
+                        inWhitelist = true
+                        break
+                    }
+                }
+
+                if(!inWhitelist && !pluginContext.hasSuperAccess) {
+                    throw IllegalAccessError("Plugins are not whitelisted to use $name")
+                }
+
                 // fallback to the system classloader
                 clazz = Class.forName(name)
             }

EOCV-Sim/src/main/java/io/github/deltacv/eocvsim/sandbox/restrictions/DynamicLoadingClassRestrictions.kt

@@ -23,6 +23,33 @@
 
 package io.github.deltacv.eocvsim.sandbox.restrictions
 
+val dynamicLoadingPackageWhitelist = setOf(
+    "java.lang",
+    "java.util",
+    "java.awt",
+    "javax.swing",
+    "java.nio",
+    "java.io.File",
+
+    "kotlin",
+
+    "com.github.serivesmejia.eocvsim",
+    "io.github.deltacv.eocvsim",
+    "org.firstinspires.ftc",
+    "com.qualcomm",
+    "org.opencv",
+    "org.openftc",
+    "android",
+
+    "com.moandjiezana.toml",
+    "net.lingala.zip4j",
+    "com.google.gson",
+    "com.google.jimfs",
+    "org.slf4j",
+    "com.apache.logging",
+    "com.formdev.flatlaf"
+)
+
 val dynamicLoadingPackageBlacklist  = setOf(
     // System and Runtime Classes
     "java.lang.Runtime",
@@ -35,24 +62,9 @@ val dynamicLoadingPackageBlacklist  = setOf(
     "java.nio.file.Files",
     "java.nio.file.FileSystems",
 
-    // Security and Encryption
-    "javax.crypto.Cipher",
-    "javax.crypto.KeyGenerator",
-    "javax.crypto.SecretKey",
-
-    // Security Management
-    "java.security.AccessController",
-    "java.security.KeyStore",
-    "java.security.PrivilegedAction",
-
     // Thread and Process Management
     "java.lang.Process",
 
-    // Dynamic Code Execution
-    "javax.script.ScriptEngineManager",
-    "javax.script.ScriptEngine",
-    "sun.misc",
-
     // EOCV-Sim dangerous utils
     "com.github.serivesmejia.eocvsim.util.SysUtil",
     "com.github.serivesmejia.eocvsim.util.io",
@@ -63,8 +75,7 @@ val dynamicLoadingPackageBlacklist  = setOf(
     "com.github.serivesmejia.eocvsim.util.compiler",
     "com.github.serivesmejia.eocvsim.config",
 
-    "io.github.deltacv.eocvsim.plugin.sandbox.nio.JimfsWatcher",
-    "io.github.deltacv.eocvsim.plugin.sandbox.nio.ZipToJimfs"
+    "io.github.deltacv.eocvsim.plugin.sandbox.nio.JimfsWatcher"
 )
 
 val dynamicLoadingMethodBlacklist = setOf(
@@ -82,5 +93,14 @@ val dynamicLoadingMethodBlacklist = setOf(
     "java.io.File#delete",
     "java.io.File#createNewFile",
     "java.io.File#mkdirs",
-    "java.io.File#renameTo"
+    "java.io.File#renameTo",
+    "java.io.File#setExecutable",
+    "java.io.File#setReadable",
+    "java.io.File#setWritable",
+    "java.io.File#setLastModified",
+    "java.io.File#deleteOnExit",
+    "java.io.File#setReadOnly",
+    "java.io.File#setWritable",
+    "java.io.File#setReadable",
+    "java.io.File#setExecutable",
 )