From 83f865690dc0652526a70f673fc768cf0656949c Mon Sep 17 00:00:00 2001 From: Avishka-Shamendra Date: Fri, 26 Jan 2024 11:56:28 +0530 Subject: [PATCH 1/3] Add support to config java access control through JS in script mediator --- .../synapse/mediators/bsf/ScriptMediator.java | 90 +++++++++++++++++++ .../control/AccessControlConstants.java | 31 +++++++ .../access/control/AccessControlUtils.java | 66 ++++++++++++++ .../access/control/SandboxContextFactory.java | 42 +++++++++ .../control/SandboxNativeJavaObject.java | 57 ++++++++++++ .../access/control/SandboxWrapFactory.java | 42 +++++++++ .../control/config/AccessControlConfig.java | 51 +++++++++++ .../control/config/AccessControlListType.java | 32 +++++++ 8 files changed, 411 insertions(+) create mode 100644 modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/access/control/AccessControlConstants.java create mode 100644 modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/access/control/AccessControlUtils.java create mode 100644 modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/access/control/SandboxContextFactory.java create mode 100644 modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/access/control/SandboxNativeJavaObject.java create mode 100644 modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/access/control/SandboxWrapFactory.java create mode 100644 modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/access/control/config/AccessControlConfig.java create mode 100644 modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/access/control/config/AccessControlListType.java diff --git a/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/ScriptMediator.java b/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/ScriptMediator.java index b94bfb4693..befa753553 100644 --- a/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/ScriptMediator.java 
+++ b/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/ScriptMediator.java @@ -37,14 +37,22 @@ import org.apache.synapse.core.axis2.Axis2MessageContext; import org.apache.synapse.mediators.AbstractMediator; import org.apache.synapse.mediators.Value; +import org.apache.synapse.mediators.bsf.access.control.AccessControlUtils; +import org.apache.synapse.mediators.bsf.access.control.SandboxContextFactory; +import org.apache.synapse.mediators.bsf.access.control.config.AccessControlConfig; +import org.apache.synapse.mediators.bsf.access.control.config.AccessControlListType; import org.apache.synapse.mediators.eip.EIPUtils; +import org.mozilla.javascript.ClassShutter; import org.mozilla.javascript.Context; +import org.mozilla.javascript.ContextFactory; import javax.activation.DataHandler; import javax.script.*; import java.io.BufferedReader; import java.io.IOException; import java.io.InputStreamReader; +import java.util.Arrays; +import java.util.Comparator; import java.util.List; import java.util.Map; import java.util.Properties; @@ -52,6 +60,13 @@ import java.util.concurrent.BlockingQueue; import java.util.concurrent.LinkedBlockingQueue; +import static org.apache.synapse.mediators.bsf.access.control.AccessControlConstants.CLASS_PREFIXES; +import static org.apache.synapse.mediators.bsf.access.control.AccessControlConstants.ENABLE; +import static org.apache.synapse.mediators.bsf.access.control.AccessControlConstants.LIMIT_CLASS_ACCESS_PREFIX; +import static org.apache.synapse.mediators.bsf.access.control.AccessControlConstants.LIMIT_NATIVE_OBJECT_ACCESS_PREFIX; +import static org.apache.synapse.mediators.bsf.access.control.AccessControlConstants.LIST_TYPE; +import static org.apache.synapse.mediators.bsf.access.control.AccessControlConstants.OBJECT_NAMES; + /** * A Synapse mediator that calls a function in any scripting language supported by the BSF. * The ScriptMediator supports scripts specified in-line or those loaded through a registry 
@@ -175,6 +190,16 @@ public class ScriptMediator extends AbstractMediator { */ private ScriptEngineFactory oracleNashornFactory; + /** + * Store java class access control config + */ + private AccessControlConfig classAccessControlConfig; + + /** + * Store java method access config + */ + private AccessControlConfig nativeObjectAccessControlConfig; + /** * Create a script mediator for the given language and given script source. * @@ -275,6 +300,9 @@ private boolean invokeScript(MessageContext synCtx) { //if the engine is Rhino then needs to set the class loader specifically if (language.equals("js")) { Context cx = Context.enter(); + if (classAccessControlConfig != null && classAccessControlConfig.isAccessControlEnabled()) { + cx.setClassShutter(createClassShutter()); + } cx.setApplicationClassLoader(this.loader); } @@ -646,6 +674,12 @@ protected void initScriptEngine() { this.multiThreadedEngine = scriptEngine.getFactory().getParameter("THREADING") != null; log.debug("Script mediator for language : " + language + " supports multithreading? : " + multiThreadedEngine); + + readAccessControlConfigurations(MiscellaneousUtil.loadProperties("synapse.properties")); + if (nativeObjectAccessControlConfig != null && nativeObjectAccessControlConfig.isAccessControlEnabled() && + !ContextFactory.hasExplicitGlobal()) { + ContextFactory.initGlobal(new SandboxContextFactory(nativeObjectAccessControlConfig)); + } } public String getLanguage() { 
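Review bot: The class shutter in `invokeScript` is installed only inside the `language.equals("js")` branch, so the class-access setting has no effect on scripts run through any other engine this mediator supports (the class keeps an `oracleNashornFactory` field, for example). That limit should be documented or rejected at init time. Rhino's `Context.setClassShutter` also throws `SecurityException` when the context already has a shutter, and `Context.enter()` returns the thread's current context when one is already entered, so a nested invocation on the same thread would fail here instead of running. Building the shutter once as a field would remove the per-invocation allocation. The rest of `invokeScript`, including the matching `Context.exit()`, is outside this hunk, so whether nesting can occur cannot be confirmed from here.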
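Review bot: In `initScriptEngine`, native-object filtering is silently skipped when `ContextFactory.hasExplicitGlobal()` is already true, so if another component installed a global factory first, scripts run with the restriction enabled in `synapse.properties` but not applied. The skip should at least be logged, e.g. `log.warn("Native object access control is enabled but a global ContextFactory is already set; restriction not applied");`, or treated as a configuration error. The check followed by `initGlobal` is also not atomic: two mediators initialising concurrently can both pass the check, and Rhino's `initGlobal` throws `IllegalStateException` on the second call. Because the factory is process-wide, the first mediator's configuration governs every later Rhino context in the JVM, which deserves a comment at this call.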
@@ -717,4 +751,60 @@ private ScriptEngineFactory getOracleNashornFactory() { return null; } + /** + * Creates a class shutter, which will be used inside the context that executes the script. + * This class shutter will be used to control the visibility of classes specified in the access control config, + * to the script. + * @return + */ + private ClassShutter createClassShutter() { + return new ClassShutter() { + public boolean visibleToScripts(String className) { + /* + This will be used to compare whether the current fully qualified class name starts with + any of the provided set of strings provided in the access control config. + */ + Comparator startsWithComparator = new Comparator() { + @Override + public int compare(String o1, String o2) { + if (o1 == null || o2 == null) { + return -1; + } + if (o1.startsWith(o2)) { + return 1; + } + return -1; + } + }; + return AccessControlUtils.isAccessAllowed(className, classAccessControlConfig, startsWithComparator); + } + }; + } + + /** + * Reads and sets access control configurations. + * @param properties Synapse properties. 
+ */ + private void readAccessControlConfigurations(Properties properties) { + String limitClassAccessEnabled = properties.getProperty(LIMIT_CLASS_ACCESS_PREFIX + ENABLE); + if (Boolean.parseBoolean(limitClassAccessEnabled)) { + String limitClassAccessListType = properties.getProperty(LIMIT_CLASS_ACCESS_PREFIX + LIST_TYPE); + String limitClassAccessClassPrefixes = properties.getProperty(LIMIT_CLASS_ACCESS_PREFIX + CLASS_PREFIXES); + this.classAccessControlConfig = new AccessControlConfig(true, + AccessControlListType.valueOf(limitClassAccessListType), + Arrays.asList(limitClassAccessClassPrefixes.split(","))); + } + + String limitNativeObjectAccessEnabled = properties.getProperty(LIMIT_NATIVE_OBJECT_ACCESS_PREFIX + ENABLE); + if (Boolean.parseBoolean(limitNativeObjectAccessEnabled)) { + String limitNativeObjectAccessListType = + properties.getProperty(LIMIT_NATIVE_OBJECT_ACCESS_PREFIX + LIST_TYPE); + String limitNativeObjectAccessClassPrefixes = + properties.getProperty(LIMIT_NATIVE_OBJECT_ACCESS_PREFIX + OBJECT_NAMES); + this.nativeObjectAccessControlConfig = new AccessControlConfig(true, + AccessControlListType.valueOf(limitNativeObjectAccessListType), + Arrays.asList(limitNativeObjectAccessClassPrefixes.split(","))); + } + } + } diff --git a/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/access/control/AccessControlConstants.java b/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/access/control/AccessControlConstants.java new file mode 100644 index 0000000000..e0a182ad1c --- /dev/null +++ b/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/access/control/AccessControlConstants.java 
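Review bot: `readAccessControlConfigurations` puts the raw `split(",")` result into the list, and with the prefix comparator in `createClassShutter` an empty entry matches every class name, so an `ALLOW_LIST` whose `class_prefixes` value is blank or contains `,,` permits everything. Entries are not trimmed either, so `a, b` yields ` b`, which never matches and quietly drops a block-list entry, and a missing `list_type` or list key surfaces as a bare `NullPointerException` or `IllegalArgumentException` from `valueOf`/`split`. The parsing should trim, discard empty entries and fail with a message naming the key; the excerpt below does this in one helper shared by both branches (it needs `java.util.ArrayList` imported). Separately, the comparator in `createClassShutter` is rebuilt on every `visibleToScripts` call and matches by raw prefix, so a configured `java.util` also covers any other package whose name merely starts with those characters; documenting that entries should end with `.` closes that. The `@return` tag on `createClassShutter` is empty.

```java
private void readAccessControlConfigurations(Properties properties) {
    this.classAccessControlConfig =
            readAccessControlConfig(properties, LIMIT_CLASS_ACCESS_PREFIX, CLASS_PREFIXES);
    this.nativeObjectAccessControlConfig =
            readAccessControlConfig(properties, LIMIT_NATIVE_OBJECT_ACCESS_PREFIX, OBJECT_NAMES);
}

/**
 * Reads one access control section; returns null when the section is not enabled.
 */
private AccessControlConfig readAccessControlConfig(Properties properties, String prefix, String listKey) {
    if (!Boolean.parseBoolean(properties.getProperty(prefix + ENABLE))) {
        return null;
    }
    String listType = properties.getProperty(prefix + LIST_TYPE);
    String rawList = properties.getProperty(prefix + listKey);
    if (listType == null || rawList == null) {
        throw new IllegalArgumentException("Script access control is enabled but '" + prefix + LIST_TYPE
                + "' or '" + prefix + listKey + "' is not set");
    }
    // Trim and drop empty entries: an empty prefix would match every class name.
    List<String> entries = new ArrayList<String>();
    for (String entry : rawList.split(",")) {
        String trimmed = entry.trim();
        if (!trimmed.isEmpty()) {
            entries.add(trimmed);
        }
    }
    // valueOf still rejects an unknown list type; trimming avoids failing on trailing whitespace.
    return new AccessControlConfig(true, AccessControlListType.valueOf(listType.trim()), entries);
}
```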
@@ -0,0 +1,31 @@
+/*
+ * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.synapse.mediators.bsf.access.control;
+
+/**
+ * Constants related to Script Mediator access control.
+ */
+public class AccessControlConstants {
+ public static String LIMIT_CLASS_ACCESS_PREFIX = "limit_java_class_access_in_scripts.";
+ public static String LIMIT_NATIVE_OBJECT_ACCESS_PREFIX = "limit_java_native_object_access_in_scripts.";
+ public static String ENABLE = "enable";
+ public static String LIST_TYPE = "list_type";
+ public static String CLASS_PREFIXES = "class_prefixes";
+ public static String OBJECT_NAMES = "object_names";
+}
diff --git a/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/access/control/AccessControlUtils.java b/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/access/control/AccessControlUtils.java
new file mode 100644
index 0000000000..cb2bde75e1
--- /dev/null
+++ b/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/access/control/AccessControlUtils.java
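Review bot: The six property-key fields in `AccessControlConstants` are `public static` but not `final`, so any class loaded in the same JVM can reassign them and change which `synapse.properties` keys the script mediator reads for its access-control settings. Declare each as `public static final String ...` and give the class a private constructor, `private AccessControlConstants() {}`, so it cannot be instantiated. A short comment on each key stating the accepted values (`enable`: `true`/`false`; `list_type`: `ALLOW_LIST` or `BLOCK_LIST`; the two list keys: comma-separated) would document the configuration contract next to its definition.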
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.synapse.mediators.bsf.access.control;
+
+import org.apache.synapse.mediators.bsf.access.control.config.AccessControlConfig;
+import org.apache.synapse.mediators.bsf.access.control.config.AccessControlListType;
+
+import java.util.Comparator;
+import java.util.List;
+
+/**
+ * Utility methods related to Script Mediator access control.
+ */
+public class AccessControlUtils {
+
+ /**
+ * Returns whether the provided string which represents a Java class or native object is accessible or not.
+ * The allowing/blocking will be determined by the provided AccessControlConfig, based on the matching/comparing
+ * done as specified in the comparator.
+ * @param string Java class name or native object name.
+ * @param accessControlConfig Access control config of the Script Mediator.
+ * @param comparator The comparator based on which, the provided Java class/native object name is
+ * matched against the provided access control config.
+ * @return Whether the access is allowed or not.
+ */
+ public static boolean isAccessAllowed(String string, AccessControlConfig accessControlConfig,
+ Comparator comparator) {
+ if (accessControlConfig == null || !accessControlConfig.isAccessControlEnabled()) {
+ return true; // Access control is not applicable
+ }
+
+ List accessControlList = accessControlConfig.getAccessControlList();
+ boolean doesMatchExist = false;
+ for (String item : accessControlList) {
+ if (comparator.compare(string, item) > -1) {
+ doesMatchExist = true;
+ break;
+ }
+ }
+
+ if (accessControlConfig.getAccessControlListType() == AccessControlListType.BLOCK_LIST) {
+ return !doesMatchExist;
+ }
+ if (accessControlConfig.getAccessControlListType() == AccessControlListType.ALLOW_LIST) {
+ return doesMatchExist;
+ }
+ return true; // Ideally we won't reach here
+ }
+}
+
diff --git a/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/access/control/SandboxContextFactory.java b/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/access/control/SandboxContextFactory.java
new file mode 100644
index 0000000000..c773940daa
--- /dev/null
+++ b/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/access/control/SandboxContextFactory.java
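Review bot: `AccessControlUtils.isAccessAllowed` ends with `return true; // Ideally we won't reach here`, so a config whose list type is `null`, or a constant added to the enum later, grants access. For an access-control decision the fallback should deny, `return false;`, or throw `IllegalStateException` on an unknown type. The match test `comparator.compare(string, item) > -1` depends on every caller returning exactly -1 for "no match", which `Comparator` does not promise (any negative value is legal) and a new caller can easily break. A boolean matcher interface would make the contract explicit; failing that, the Javadoc for `comparator` should state the convention, e.g. `Must return -1 when the name does not match the entry and 0 or greater when it does.`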
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.synapse.mediators.bsf.access.control;
+
+import org.apache.synapse.mediators.bsf.access.control.config.AccessControlConfig;
+import org.mozilla.javascript.Context;
+import org.mozilla.javascript.ContextFactory;
+
+/**
+ * Represents the sandbox context factory - which is used with access control of the Script Mediator.
+ */
+public class SandboxContextFactory extends ContextFactory {
+ private AccessControlConfig nativeObjectAccessControlConfig;
+
+ public SandboxContextFactory(AccessControlConfig nativeObjectAccessControlConfig) {
+ this.nativeObjectAccessControlConfig = nativeObjectAccessControlConfig;
+ }
+
+ @Override
+ protected Context makeContext() {
+ Context cx = super.makeContext();
+ cx.setWrapFactory(new SandboxWrapFactory(nativeObjectAccessControlConfig));
+ return cx;
+ }
+}
+
diff --git a/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/access/control/SandboxNativeJavaObject.java b/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/access/control/SandboxNativeJavaObject.java
new file mode 100644
index 0000000000..8c73c819a8
--- /dev/null
+++ b/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/access/control/SandboxNativeJavaObject.java
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.synapse.mediators.bsf.access.control;
+
+import org.apache.synapse.mediators.bsf.access.control.config.AccessControlConfig;
+import org.mozilla.javascript.NativeJavaObject;
+import org.mozilla.javascript.Scriptable;
+
+import java.util.Comparator;
+
+/**
+ * Provides native Java objects to the sandbox, after necessary access control filtering.
+ */
+public class SandboxNativeJavaObject extends NativeJavaObject {
+ private AccessControlConfig nativeObjectAccessControlConfig;
+
+ public SandboxNativeJavaObject(Scriptable scope, Object javaObject, Class staticType,
+ AccessControlConfig nativeObjectAccessControlConfig) {
+ super(scope, javaObject, staticType);
+ this.nativeObjectAccessControlConfig = nativeObjectAccessControlConfig;
+ }
+
+ @Override
+ public Object get(String name, Scriptable start) {
+ Comparator equalsComparator = new Comparator() {
+ @Override
+ public int compare(String o1, String o2) {
+ if (o1 != null && o1.equals(o2)) {
+ return 0;
+ }
+ return -1;
+ }
+ };
+ if (AccessControlUtils.isAccessAllowed(name, nativeObjectAccessControlConfig, equalsComparator)) {
+ return super.get(name, start);
+ }
+ return NOT_FOUND;
+ }
+
+}
+
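Review bot: `SandboxNativeJavaObject.get` filters on the member name alone, for every wrapped Java object regardless of its class, so with a `BLOCK_LIST` the restriction is only as complete as the configured names. Rhino can expose one Java member under more than one property name (getter methods are also reachable as bean properties), and each spelling has to be listed separately. The class Javadoc should say this and recommend `ALLOW_LIST` where the setting is meant as a security boundary. Only `get(String, Scriptable)` is overridden, so `has` still reports a blocked member as present while `get` returns `NOT_FOUND`; overriding `has` with the same check keeps the two consistent. The stateless `equalsComparator` is rebuilt on every property read and could be a `private static final` field.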
diff --git a/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/access/control/SandboxWrapFactory.java b/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/access/control/SandboxWrapFactory.java
new file mode 100644
index 0000000000..4c63fef31b
--- /dev/null
+++ b/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/access/control/SandboxWrapFactory.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.synapse.mediators.bsf.access.control;
+
+import org.apache.synapse.mediators.bsf.access.control.config.AccessControlConfig;
+import org.mozilla.javascript.Context;
+import org.mozilla.javascript.Scriptable;
+import org.mozilla.javascript.WrapFactory;
+
+/**
+ * Wraps sandbox native Java objects that are used in Script Mediator access control.
+ */
+public class SandboxWrapFactory extends WrapFactory {
+ private AccessControlConfig nativeObjectAccessControlConfig;
+
+ public SandboxWrapFactory(AccessControlConfig nativeObjectAccessControlConfig) {
+ this.nativeObjectAccessControlConfig = nativeObjectAccessControlConfig;
+ }
+
+ @Override
+ public Scriptable wrapAsJavaObject(Context cx, Scriptable scope, Object javaObject, Class staticType) {
+ return new SandboxNativeJavaObject(scope, javaObject, staticType, nativeObjectAccessControlConfig);
+ }
+}
+
+
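Review bot: `SandboxWrapFactory` overrides only `wrapAsJavaObject`, so the name filter applies to wrapped Java instances. As far as this file shows, Java classes that scripts reach directly (static members and constructors) do not pass through this method and are governed only by the class shutter, when that is enabled. The class Javadoc should state that `limit_java_native_object_access_in_scripts` does not cover static access and that `limit_java_class_access_in_scripts` has to be enabled alongside it for a complete restriction. The `nativeObjectAccessControlConfig` field can be `private final`.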
diff --git a/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/access/control/config/AccessControlConfig.java b/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/access/control/config/AccessControlConfig.java
new file mode 100644
index 0000000000..977af6b25c
--- /dev/null
+++ b/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/access/control/config/AccessControlConfig.java
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.synapse.mediators.bsf.access.control.config;
+
+import java.util.List;
+
+/**
+ * Holds the configurations that are used for access control in the Script Mediator.
+ */
+public class AccessControlConfig {
+
+ private boolean isAccessControlEnabled;
+ private AccessControlListType accessControlListType;
+ private List accessControlList;
+
+ public AccessControlConfig(boolean isAccessControlEnabled, AccessControlListType accessControlListType,
+ List accessControlList) {
+ this.isAccessControlEnabled = isAccessControlEnabled;
+ this.accessControlListType = accessControlListType;
+ this.accessControlList = accessControlList;
+ }
+
+ public boolean isAccessControlEnabled() {
+ return isAccessControlEnabled;
+ }
+
+ public AccessControlListType getAccessControlListType() {
+ return accessControlListType;
+ }
+
+ public List getAccessControlList() {
+ return accessControlList;
+ }
+}
+
diff --git a/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/access/control/config/AccessControlListType.java b/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/access/control/config/AccessControlListType.java
new file mode 100644
index 0000000000..a7cae8db0d
--- /dev/null
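Review bot: `AccessControlConfig` stores the caller's list by reference and returns the same object from `getAccessControlList()`, and none of its three fields is `final`, so the policy that the class shutter and wrap factory consult can be altered after construction by anything holding the list. `ScriptMediator` passes `Arrays.asList(...)`, whose elements can still be replaced with `set`. Make the fields `final` and copy in the constructor, `this.accessControlList = Collections.unmodifiableList(new ArrayList<String>(accessControlList));`, which needs `java.util.ArrayList` and `java.util.Collections` imported.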
+++ b/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/access/control/config/AccessControlListType.java @@ -0,0 +1,32 @@ +/* + * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.com). + * + * WSO2 LLC. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.synapse.mediators.bsf.access.control.config; + +/** + + * Represents the type of access control list for the Script Mediator. + + */ + +public enum AccessControlListType { + ALLOW_LIST, + BLOCK_LIST + +} + From 13fbf535fcbf3eff4b8e7ac275b48235e7a6c3a2 Mon Sep 17 00:00:00 2001 From: Avishka-Shamendra Date: Fri, 26 Jan 2024 11:57:43 +0530 Subject: [PATCH 2/3] Add java access control config tests --- .../javascript/JavaScriptMediatorTest.java | 42 +++++++++++++++++++ .../src/test/resources/synapse.properties | 23 ++++++++++ 2 files changed, 65 insertions(+) create mode 100644 modules/extensions/src/test/resources/synapse.properties diff --git a/modules/extensions/src/test/java/org/apache/synapse/mediators/bsf/javascript/JavaScriptMediatorTest.java b/modules/extensions/src/test/java/org/apache/synapse/mediators/bsf/javascript/JavaScriptMediatorTest.java index d72a9c6dac..90962bb5af 100644 --- a/modules/extensions/src/test/java/org/apache/synapse/mediators/bsf/javascript/JavaScriptMediatorTest.java +++ b/modules/extensions/src/test/java/org/apache/synapse/mediators/bsf/javascript/JavaScriptMediatorTest.java 
@@ -21,6 +21,7 @@ import junit.framework.TestCase; import org.apache.synapse.MessageContext; +import org.apache.synapse.SynapseException; import org.apache.synapse.mediators.TestUtils; import org.apache.synapse.mediators.bsf.ScriptMediator; @@ -63,4 +64,45 @@ public void testInlineMediatorWithImports() throws Exception { boolean response = mediator.mediate(mc); assertTrue(response); } + + /** + * Test controlling access to java classes through JS + * @throws Exception + */ + public void testJavaClassAccessControl() throws Exception { + String scriptSourceCode = "var s = new java.util.ArrayList();\n"; + + + MessageContext mc = TestUtils.getTestContext("", null); + ScriptMediator mediator = new ScriptMediator("js", scriptSourceCode, null); + + System.setProperty("properties.file.path", System.getProperty("user.dir") + "/src/test/resources/file.properties"); + + try { + mediator.mediate(mc); + fail("Failed to enforce Java class access control configuration during mediation"); + } catch(SynapseException e) {} + + } + + /** + * Test controlling access to java methods through JS + * @throws Exception + */ + public void testJavaMethodAccessControl() throws Exception { + String scriptSourceCode = "var c = this.context.getClass();\n" + + "var hashmapConstructors = c.getClassLoader().loadClass(\"java.util.HashMap\").getDeclaredConstructors();\n"; + + + MessageContext mc = TestUtils.getTestContext("", null); + ScriptMediator mediator = new ScriptMediator("js", scriptSourceCode, null); + + System.setProperty("properties.file.path", System.getProperty("user.dir") + "/src/test/resources/file.properties"); + + try { + mediator.mediate(mc); + fail("Failed to enforce Java method access control configuration during mediation"); + } catch(SynapseException e) {} + + } } diff --git a/modules/extensions/src/test/resources/synapse.properties b/modules/extensions/src/test/resources/synapse.properties new file mode 100644 index 0000000000..66b38a2e5d --- /dev/null 
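Review bot: Both new tests accept any `SynapseException` from `mediate` as proof that access control worked, so they also pass when the script fails for an unrelated reason, for instance if `this.context` in `testJavaMethodAccessControl` is not defined in the script scope. Asserting on the exception message or cause, and adding a control script that touches only permitted classes and must succeed, would make them test the feature. The `System.setProperty("properties.file.path", ...)` call points at `file.properties` and runs after the `ScriptMediator` constructor, while the configuration is read from `synapse.properties`, so it looks like it has no effect here and should be removed or explained (where `initScriptEngine` is invoked is not visible in this hunk). PATCH 3/3 replaces the empty `catch(SynapseException e) {}` blocks with a flag but keeps the same any-exception acceptance. Only `BLOCK_LIST` is exercised by the test properties, so an `ALLOW_LIST` case is missing.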
+++ b/modules/extensions/src/test/resources/synapse.properties @@ -0,0 +1,23 @@ +# +# Copyright (c) 2024, WSO2 LLC. (http://www.wso2.com). +# +# WSO2 LLC. licenses this file to you under the Apache License, +# Version 2.0 (the "License"); you may not use this file except +# in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +limit_java_class_access_in_scripts.enable=true +limit_java_class_access_in_scripts.list_type = BLOCK_LIST +limit_java_class_access_in_scripts.class_prefixes = java.util.ArrayList +limit_java_native_object_access_in_scripts.enable = true +limit_java_native_object_access_in_scripts.list_type = BLOCK_LIST +limit_java_native_object_access_in_scripts.object_names = getClassLoader,loadClass From f7bd88ef43b6300453b9e30985bb195e3923213d Mon Sep 17 00:00:00 2001 From: Avishka-Shamendra Date: Fri, 26 Jan 2024 13:03:14 +0530 Subject: [PATCH 3/3] Fix testJavaClassAccessControl and testJavaMethodAccessControl test cases --- .../javascript/JavaScriptMediatorTest.java | 20 +++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/modules/extensions/src/test/java/org/apache/synapse/mediators/bsf/javascript/JavaScriptMediatorTest.java b/modules/extensions/src/test/java/org/apache/synapse/mediators/bsf/javascript/JavaScriptMediatorTest.java index 90962bb5af..e61b299668 100644 --- a/modules/extensions/src/test/java/org/apache/synapse/mediators/bsf/javascript/JavaScriptMediatorTest.java +++ b/modules/extensions/src/test/java/org/apache/synapse/mediators/bsf/javascript/JavaScriptMediatorTest.java 
@@ -72,16 +72,20 @@ public void testInlineMediatorWithImports() throws Exception { public void testJavaClassAccessControl() throws Exception { String scriptSourceCode = "var s = new java.util.ArrayList();\n"; - MessageContext mc = TestUtils.getTestContext("", null); ScriptMediator mediator = new ScriptMediator("js", scriptSourceCode, null); System.setProperty("properties.file.path", System.getProperty("user.dir") + "/src/test/resources/file.properties"); + boolean synapseExceptionThrown = false; try { mediator.mediate(mc); - fail("Failed to enforce Java class access control configuration during mediation"); - } catch(SynapseException e) {} + } catch(SynapseException e) { + synapseExceptionThrown = true; + } + + assertTrue("As Java class access control is configured " + + "SynapseException should be thrown during mediation", synapseExceptionThrown); } @@ -93,16 +97,20 @@ public void testJavaMethodAccessControl() throws Exception { String scriptSourceCode = "var c = this.context.getClass();\n" + "var hashmapConstructors = c.getClassLoader().loadClass(\"java.util.HashMap\").getDeclaredConstructors();\n"; - MessageContext mc = TestUtils.getTestContext("", null); ScriptMediator mediator = new ScriptMediator("js", scriptSourceCode, null); System.setProperty("properties.file.path", System.getProperty("user.dir") + "/src/test/resources/file.properties"); + boolean synapseExceptionThrown = false; try { mediator.mediate(mc); - fail("Failed to enforce Java method access control configuration during mediation"); - } catch(SynapseException e) {} + } catch(SynapseException e) { + synapseExceptionThrown = true; + } + + assertTrue("As Java method access control is configured " + + "SynapseException should be thrown during mediation", synapseExceptionThrown); } }