JaroslavTulach commented on a change in pull request #1092: Using Scripting API 
in platform/core.network
URL: 
https://github.com/apache/incubator-netbeans/pull/1092#discussion_r250107260
 
 

 ##########
 File path: 
platform/core.network/src/org/netbeans/core/network/proxy/pac/impl/NbPacScriptEvaluator.java
 ##########
 @@ -336,37 +330,59 @@ private PacScriptEngine getScriptEngine(String 
pacSource) throws PacParsingExcep
 
             // Do some minimal testing of the validity of the PAC Script.
             final PacJsEntryFunction jsMainFunction;
-            if (nashornJava8u40Available) {
-                jsMainFunction = testScriptEngine(engine, true);
-            } else {
-                jsMainFunction = testScriptEngine(engine, false);
-            }
+            jsMainFunction = testScriptEngine(engine, false);
             
             return new PacScriptEngine(engine, jsMainFunction);
         } catch (ScriptException ex) {
             throw new  PacParsingException(ex);
         }
     }
     
-    private boolean getNashornJava8u40Available() {
+    private boolean isNashornFactory(ScriptEngineFactory f) {
         try {
             Class<?> klass = 
Class.forName("jdk.nashorn.api.scripting.NashornScriptEngineFactory");
+            return klass.isInstance(f);
         } catch (ClassNotFoundException ex) {
             return false;
         }
-        return true;
     }
-    
-    private ScriptEngine getNashornJSScriptEngine() {
-        NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
-        return factory.getScriptEngine(new ClassFilterPacHelpers());
+
+    private ScriptEngine secureEngineEngine(ScriptEngine e) {
+        try {
+            ScriptEngineFactory f = e.getFactory();
+            final Class<? extends ScriptEngineFactory> factoryClass = 
f.getClass();
+            final ClassLoader factoryClassLoader = 
factoryClass.getClassLoader();
+            Class<?> filterClass = 
Class.forName("jdk.nashorn.api.scripting.ClassFilter", true, 
factoryClassLoader);
+            Method createMethod = factoryClass.getMethod("getScriptEngine", 
filterClass);
+            Object filter = 
java.lang.reflect.Proxy.newProxyInstance(factoryClassLoader, new Class[] { 
filterClass }, (Object proxy, Method method, Object[] args) -> {
+                return false;
+            });
+            return (ScriptEngine) createMethod.invoke(f, filter);
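Review bot: `isNashornFactory` looks up `NashornScriptEngineFactory` with the one-argument `Class.forName`, which uses this class's own loader, while `secureEngineEngine` resolves `ClassFilter` through the factory's loader; if the two loaders differ, `isInstance` returns false for a genuine Nashorn factory. The caller is not visible in this hunk, but if the class filter is applied only when that check passes, such a factory would presumably hand out an unfiltered engine, so the lookup should use the same loader, e.g. `Class.forName(name, false, f.getClass().getClassLoader())`, and the caller should fail closed. Separately, the proxy handler returns `false` for every method, so a `hashCode()` or `toString()` call on the filter throws `ClassCastException`; returning `false` only for `exposeToScripts` and handling the `Object` methods explicitly would avoid that. The `try` block of `secureEngineEngine` continues past the quoted lines, so its failure path cannot be assessed from here.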
 
 Review comment:
   Right, I'll prepare some unit tests to make sure the engines are safe against all 
known sandbox escape strategies.
