afs commented on code in PR #1908:
URL: https://github.com/apache/jena/pull/1908#discussion_r1233072987
##########
jena-arq/src/main/java/org/apache/jena/sparql/function/scripting/ScriptFunction.java:
##########
@@ -88,28 +94,65 @@ public static boolean isScriptFunction(String uri) {
return langPart.endsWith(FUNCTION_SUFFIX);
}
+ public ScriptFunction() { }
+
@Override
public void checkBuild(String uri, ExprList args) {
+ throw new IllegalStateException("ScriptFunction.checkBuild called");
+ }
+
+ @Override
+ public void build(String uri, ExprList args, Context cxt) {
checkScriptingEnabled();
if (!isScriptFunction(uri))
throw new ExprException("Invalid URI: " + uri);
String localPart = uri.substring(ARQ_NS.length());
int separatorPos = localPart.indexOf('#');
this.lang = localPart.substring(0, separatorPos -
FUNCTION_SUFFIX.length());
this.name = localPart.substring(separatorPos + 1);
-
- // Check for bare names that are provided by the language e.g. 'eval'
which
- // is a JS and Python built-in function and always available.
- if ( lang.toLowerCase(Locale.ROOT).contains("python") ) {
- if ( Objects.equals("eval", name) || Objects.equals("exec", name) )
- throw new ExprException(lang+" function '"+name+"' is not
allowed");
- } else {
- // Assume javascript.
- if ( Objects.equals("eval", name) )
- throw new ExprException("JS function '"+name+"' is not
allowed");
+ this.allowList = allowList(cxt, ARQ.symCustomFunctionScriptAllowList);
+
+ String cname = lang.toLowerCase(Locale.ROOT);
+ switch(cname) {
+ case "js":
+ // never allow these.
+ this.denyList = Set.of("eval", "load");
+ check(lang, name, allowList, denyList);
+ break;
+ case "python":
+ // never allow these.
+ this.denyList = Set.of("eval");
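Review bot: The Python deny list under `case "python":` holds only `eval`, while the removed check rejected both `eval` and `exec` for Python, so as quoted here the new code blocks less than the old; unless that is deliberate, keep parity with `this.denyList = Set.of("eval", "exec");`. The language test also changes from `contains("python")` with a JavaScript fallback to exact `case` labels on `cname`, so any language name other than `js` or `python` depends on a `default` branch that is not visible in this hunk; that branch should reject the call rather than proceed without a deny list. If `check` treats the allow list as the primary control and the deny list as a backstop for language built-ins, a comment saying so would help, for example `// deny list: built-ins that are refused even when present in the allow list`. The `switch` and the body of `build` continue past the end of the quoted hunk.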
Review Comment:
Added.