lbruun commented on a change in pull request #1092: Using Scripting API in
platform/core.network
URL:
https://github.com/apache/incubator-netbeans/pull/1092#discussion_r249562853
##########
File path:
platform/core.network/src/org/netbeans/core/network/proxy/pac/impl/NbPacScriptEvaluator.java
##########
@@ -336,37 +330,59 @@ private PacScriptEngine getScriptEngine(String
pacSource) throws PacParsingExcep
// Do some minimal testing of the validity of the PAC Script.
final PacJsEntryFunction jsMainFunction;
- if (nashornJava8u40Available) {
- jsMainFunction = testScriptEngine(engine, true);
- } else {
- jsMainFunction = testScriptEngine(engine, false);
- }
+ jsMainFunction = testScriptEngine(engine, false);
return new PacScriptEngine(engine, jsMainFunction);
} catch (ScriptException ex) {
throw new PacParsingException(ex);
}
}
- private boolean getNashornJava8u40Available() {
+ private boolean isNashornFactory(ScriptEngineFactory f) {
try {
Class<?> klass =
Class.forName("jdk.nashorn.api.scripting.NashornScriptEngineFactory");
+ return klass.isInstance(f);
} catch (ClassNotFoundException ex) {
return false;
}
- return true;
}
-
- private ScriptEngine getNashornJSScriptEngine() {
- NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
- return factory.getScriptEngine(new ClassFilterPacHelpers());
+
+ private ScriptEngine secureEngineEngine(ScriptEngine e) {
+ try {
+ ScriptEngineFactory f = e.getFactory();
+ final Class<? extends ScriptEngineFactory> factoryClass =
f.getClass();
+ final ClassLoader factoryClassLoader =
factoryClass.getClassLoader();
+ Class<?> filterClass =
Class.forName("jdk.nashorn.api.scripting.ClassFilter", true,
factoryClassLoader);
Review comment:
Agreed. The only case I can think of is those who produce an application
build upon NB Platform, actively remove Graal.js from their distribution (so
that Nashorn becomes first choice) and then do not bundle a JRE but leave it to
the end user's workstation to supply a JRE. And then user has old JRE on
workstation (Java 8 before u40). Really a corner case, now that I think of it.
Even so, why return a non-sandboxed environment in this case? Why not refuse
to do instantiate any PAC evaluator in this case ?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
