This is an automated email from the ASF dual-hosted git repository. pradeep pushed a commit to branch RANGER-4076_master in repository https://gitbox.apache.org/repos/asf/ranger.git
commit 47136a5a65ea7ccca07c3fb766a34ef8fe027479 Author: Kishor Gollapalliwar <[email protected]> AuthorDate: Mon Dec 8 14:55:56 2025 +0530 RANGER-4076: Remove Nashorn Script Engine --- .../plugin/util/NashornScriptEngineCreator.java | 67 ---------------------- .../ranger/plugin/util/ScriptEngineUtil.java | 7 +-- .../authorizer/RecordFilterJavaScript.java | 34 ++++++++--- 3 files changed, 27 insertions(+), 81 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/NashornScriptEngineCreator.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/NashornScriptEngineCreator.java
deleted file mode 100644
index b890fe85d..000000000
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/NashornScriptEngineCreator.java
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.ranger.plugin.util;
-
-import jdk.nashorn.api.scripting.ClassFilter;
-import jdk.nashorn.api.scripting.NashornScriptEngineFactory;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import javax.script.ScriptEngine;
-
-public class NashornScriptEngineCreator implements ScriptEngineCreator {
- private static final Logger LOG = LoggerFactory.getLogger(NashornScriptEngineCreator.class);
-
- private static final String[] SCRIPT_ENGINE_ARGS = new String[] {"--no-java", "--no-syntax-extensions"};
- private static final String ENGINE_NAME = "NashornScriptEngine";
-
- @Override
- public ScriptEngine getScriptEngine(ClassLoader clsLoader) {
- ScriptEngine ret = null;
-
- if (clsLoader == null) {
- clsLoader = getDefaultClassLoader();
- }
-
- try {
- NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
-
- ret = factory.getScriptEngine(SCRIPT_ENGINE_ARGS, clsLoader, RangerClassFilter.INSTANCE);
- } catch (Throwable t) {
- LOG.debug("NashornScriptEngineCreator.getScriptEngine(): failed to create engine type {}", ENGINE_NAME, t);
- }
-
- return ret;
- }
-
- private static class RangerClassFilter implements ClassFilter {
- static final RangerClassFilter INSTANCE = new RangerClassFilter();
-
- private RangerClassFilter() {
- }
-
- @Override
- public boolean exposeToScripts(String className) {
- LOG.warn("script blocked: attempt to use Java class {}", className);
-
- return false;
- }
- }
-}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/ScriptEngineUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/ScriptEngineUtil.java
index 804b7ed10..424389257 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/ScriptEngineUtil.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/ScriptEngineUtil.java
@@ -28,10 +28,9 @@ public class ScriptEngineUtil { private static final Logger LOG = LoggerFactory.getLogger(ScriptEngineUtil.class); - private static final String SCRIPT_ENGINE_CREATOR_NASHHORN = "org.apache.ranger.plugin.util.NashornScriptEngineCreator"; private static final String SCRIPT_ENGINE_CREATOR_GRAAL = "org.apache.ranger.plugin.util.GraalScriptEngineCreator"; private static final String SCRIPT_ENGINE_CREATOR_JS = "org.apache.ranger.plugin.util.JavaScriptEngineCreator"; - private static final String[] SCRIPT_ENGINE_CREATORS = new String[] {SCRIPT_ENGINE_CREATOR_NASHHORN, SCRIPT_ENGINE_CREATOR_GRAAL, SCRIPT_ENGINE_CREATOR_JS}; + private static final String[] SCRIPT_ENGINE_CREATORS = new String[] {SCRIPT_ENGINE_CREATOR_GRAAL, SCRIPT_ENGINE_CREATOR_JS}; private static final int JVM_MAJOR_CLASS_VERSION_JDK8 = 52; private static final int JVM_MAJOR_CLASS_VERSION_JDK15 = 59; private static final int JVM_MAJOR_CLASS_VERSION = getJVMMajorClassVersion();
@@ -108,9 +107,7 @@ private static void initScriptEngineCreator(String serviceType) { } catch (Throwable t) { boolean logWarn; - if (creatorClsName.equals(SCRIPT_ENGINE_CREATOR_NASHHORN)) { // not available JDK15 onwards - logWarn = JVM_MAJOR_CLASS_VERSION < JVM_MAJOR_CLASS_VERSION_JDK15; - } else if (creatorClsName.equals(SCRIPT_ENGINE_CREATOR_GRAAL)) { // available only after JDK15 onwards + if (creatorClsName.equals(SCRIPT_ENGINE_CREATOR_GRAAL)) { // available only after JDK15 onwards logWarn = JVM_MAJOR_CLASS_VERSION >= JVM_MAJOR_CLASS_VERSION_JDK15; } else { logWarn = true;
diff --git a/plugin-nestedstructure/src/main/java/org/apache/ranger/authorization/nestedstructure/authorizer/RecordFilterJavaScript.java b/plugin-nestedstructure/src/main/java/org/apache/ranger/authorization/nestedstructure/authorizer/RecordFilterJavaScript.java
index 771876dab..4ddf4bbb6 100644
--- a/plugin-nestedstructure/src/main/java/org/apache/ranger/authorization/nestedstructure/authorizer/RecordFilterJavaScript.java
+++ b/plugin-nestedstructure/src/main/java/org/apache/ranger/authorization/nestedstructure/authorizer/RecordFilterJavaScript.java
@@ -18,13 +18,16 @@ package org.apache.ranger.authorization.nestedstructure.authorizer; -import jdk.nashorn.api.scripting.ClassFilter; -import jdk.nashorn.api.scripting.NashornScriptEngineFactory; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import javax.script.Bindings; +import javax.script.ScriptContext; import javax.script.ScriptEngine; +import javax.script.ScriptEngineManager; + +import java.util.HashMap; +import java.util.Map; /** * Executes an injected javascript command to determine if the user has access to the selected record
@@ -54,8 +57,25 @@ public static boolean filterRow(String user, String filterExpr, String jsonStrin throw new MaskingException("cannot process filter expression due to security concern \"this.engine\": " + filterExpr); } - NashornScriptEngineFactory factory = new NashornScriptEngineFactory(); - ScriptEngine engine = factory.getScriptEngine(securityFilter); + ClassLoader clsLoader = Thread.currentThread().getContextClassLoader(); + ScriptEngineManager mgr = new ScriptEngineManager(clsLoader); + ScriptEngine engine = mgr.getEngineByName("graal.js"); + + if (engine != null) { + try { + Map<String, Boolean> graalVmConfigs = new HashMap<>(); + + graalVmConfigs.put("polyglot.js.allowHostAccess", Boolean.TRUE); // default is true for backward(Nashorn) compatibility + graalVmConfigs.put("polyglot.js.nashorn-compat", Boolean.TRUE); // default is true for backward(Nashorn) compatibility + + // enable configured script features + Bindings bindings = engine.getBindings(ScriptContext.ENGINE_SCOPE); + bindings.putAll(graalVmConfigs); + engine.setBindings(bindings, ScriptContext.ENGINE_SCOPE); + } catch (Throwable t) { + logger.debug("RecordFilterJavaScript.filterRow(): failed to create engine type {}", "graal.js", t); + } + } logger.debug("filterExpr: {}", filterExpr);
@@ -83,12 +103,8 @@ public static boolean filterRow(String user, String filterExpr, String jsonStrin * Helps keep javascript clean of injections. It also contains other checks to ensure that injected * javascript is reasonably safe. */ - static class SecurityFilter implements ClassFilter { - @Override - public boolean exposeToScripts(String s) { - return false; - } + static class SecurityFilter { /** * * @param filterExpr the javascript to check if it contains potentially harmful commands
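Review bot: The engine created in the filterRow hunk (@@ -54,8 +57,25 @@) no longer has any engine-level class restriction: the removed call passed `securityFilter` (apparently the ClassFilter whose `exposeToScripts` returned false for every class) to the Nashorn factory, while the added GraalJS bindings set `polyglot.js.allowHostAccess` and `polyglot.js.nashorn-compat` to TRUE and configure nothing that denies host class lookup. That leaves the textual checks on `filterExpr` (the "this.engine" test above and SecurityFilter, whose ClassFilter role the last hunk removes) as the only visible control, so I would state the intent explicitly with `graalVmConfigs.put("polyglot.js.allowHostClassLookup", Boolean.FALSE);` and verify what nashorn-compat enables in the GraalJS version in use. The two comments `// default is true for backward(Nashorn) compatibility` do not describe this code, which hard-codes the values; they should say why host access is needed for filter expressions. `mgr.getEngineByName("graal.js")` returns null when no such engine is registered and the `catch (Throwable t)` logs only at debug, so in both cases execution continues towards the evaluation code below the hunk with a missing or unconfigured engine; for an authorization filter it would be safer to fail closed, e.g. `if (engine == null) { throw new MaskingException("graal.js script engine is not available"); }`. The rest of filterRow lies outside the hunk, so any later null handling is not visible here.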
