garydgregory commented on code in PR #154: URL: https://github.com/apache/commons-scxml/pull/154#discussion_r1339999687
########## src/main/java/org/apache/commons/scxml2/env/jexl/JexlEvaluator.java: ########## @@ -185,7 +195,13 @@ protected JexlEngine createJexlEngine() { // See javadoc of org.apache.commons.jexl2.JexlEngine#setFunctions(Map<String,Object> funcs) for detail. final Map<String, Object> funcs = new HashMap<>(); funcs.put(null, JexlBuiltin.class); + JexlPermissions permissions = JexlPermissions.RESTRICTED.compose("org.apache.commons.scxml2.*"); + + if(customAllowedClasses != null && customAllowedClasses.length > 0) { Review Comment: Fix formatting. ########## src/main/java/org/apache/commons/scxml2/env/jexl/JexlEvaluator.java: ########## @@ -74,11 +74,21 @@ public Evaluator getEvaluator(final SCXML document) { /** The internal JexlEngine instance to use. */ private transient volatile JexlEngine jexlEngine; + /** Optional: saves user defined packages, which JEXL should allow for evaluation */ + private String[] customAllowedClasses; + /** Constructor. */ public JexlEvaluator() { jexlEngine = getJexlEngine(); } + /** Constructor with further allowed classes or packages. Use an asterix for all classes in a package */ + public JexlEvaluator(String... customAllowedClasses) { Review Comment: I think we should use the builder pattern instead of adding public constructors. ########## src/test/java/com/custom/Payload.java: ########## @@ -0,0 +1,20 @@ +package com.custom; Review Comment: Missing Apache License header. ########## src/main/java/org/apache/commons/scxml2/env/jexl/JexlEvaluator.java: ########## 
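Review bot: `JexlPermissions.RESTRICTED.compose("org.apache.commons.scxml2.*")` in createJexlEngine grants JEXL expressions access to every public class under `org.apache.commons.scxml2` (sub-packages included, if JEXL's trailing `.*` wildcard is package-recursive as its permission syntax documents), while the only class this hunk shows needing access is `JexlBuiltin`, registered on the preceding `funcs.put(null, JexlBuiltin.class)` line. The expressions being evaluated come from the SCXML document, so each allowed package is reachable by whoever authors that document; consider narrowing the grant to the classes the built-ins and datamodel actually need, or justify the package-wide allowance in place, e.g. `// Sandbox: RESTRICTED plus our own package only; anything wider is an explicit opt-in via customAllowedClasses`. The `if (customAllowedClasses != null && customAllowedClasses.length > 0)` body that extends `permissions` lies outside the hunk; it should at least document that a wildcard such as `java.*` or `*` passed there would undo RESTRICTED entirely. createJexlEngine() continues past the end of the hunk.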
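Review bot: `customAllowedClasses` is a non-final `String[]` kept for the evaluator's lifetime and read when the engine is built, so if the new varargs constructor stores the caller's array by reference (its body is outside the hunk) the caller can widen the JEXL sandbox after construction by mutating that array; store a copy instead, `this.customAllowedClasses = customAllowedClasses.clone();`. Because `createJexlEngine()` consumes this field, the assignment must precede the `getJexlEngine()` call that the no-arg constructor makes, and a one-line comment on that ordering would stop a future reordering from silently building an engine without the custom grants. The constructor Javadoc should state the trust implication, e.g. `Each entry is a JEXL permission grant for expressions embedded in SCXML documents; list only the classes or packages those documents need, never a blanket wildcard such as "java.*" or "*".`, and 'asterix' should read 'asterisk'. The JexlEvaluator class continues outside the hunk.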
@@ -185,7 +195,13 @@ protected JexlEngine createJexlEngine() { // See javadoc of org.apache.commons.jexl2.JexlEngine#setFunctions(Map<String,Object> funcs) for detail. final Map<String, Object> funcs = new HashMap<>(); funcs.put(null, JexlBuiltin.class); + JexlPermissions permissions = JexlPermissions.RESTRICTED.compose("org.apache.commons.scxml2.*"); + + if(customAllowedClasses != null && customAllowedClasses.length > 0) { Review Comment: Formatting -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@commons.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org