feat: secure class accessor for graalvm

README.md

@@ -17,7 +17,7 @@ For adding a library only:
 <dependency>
     <groupId>com.instancify.scriptify</groupId>
     <artifactId>core</artifactId>
-    <version>1.3.1-SNAPSHOT</version>
+    <version>1.3.3-SNAPSHOT</version>
 </dependency>
 ```
 
@@ -26,12 +26,12 @@ For adding a library with JS for Rhino or GraalVM:
 <dependency>
     <groupId>com.instancify.scriptify</groupId>
     <artifactId>script-js-rhino</artifactId>
-    <version>1.3.1-SNAPSHOT</version>
+    <version>1.3.3-SNAPSHOT</version>
 </dependency>
 <dependency>
     <groupId>com.instancify.scriptify</groupId>
     <artifactId>script-js-graalvm</artifactId>
-    <version>1.3.1-SNAPSHOT</version>
+    <version>1.3.3-SNAPSHOT</version>
 </dependency>
 ```
 ## Gradle
@@ -45,11 +45,11 @@ maven {
 
 For adding a library only:
 ```groovy
-implementation "com.instancify.scriptify:core:1.3.1-SNAPSHOT"
+implementation "com.instancify.scriptify:core:1.3.3-SNAPSHOT"
 ```
 
 For adding a library with JS for Rhino or GraalVM:
 ```groovy
-implementation "com.instancify.scriptify:script-js-rhino:1.3.1-SNAPSHOT"
-implementation "com.instancify.scriptify:script-js-graalvm:1.3.1-SNAPSHOT"
+implementation "com.instancify.scriptify:script-js-rhino:1.3.3-SNAPSHOT"
+implementation "com.instancify.scriptify:script-js-graalvm:1.3.3-SNAPSHOT"
 ```

build.gradle.kts

@@ -12,7 +12,7 @@ java {
 
 allprojects {
     group = "com.instancify.scriptify"
-    version = "1.3.2-SNAPSHOT"
+    version = "1.3.3-SNAPSHOT"
 }
 
 subprojects {

script-js-graalvm/src/main/java/com/instancify/scriptify/script/JsScript.java

@@ -7,12 +7,13 @@
 import com.instancify.scriptify.api.script.function.ScriptFunction;
 import com.instancify.scriptify.api.script.function.ScriptFunctionManager;
 import com.instancify.scriptify.api.script.security.ScriptSecurityManager;
+import com.instancify.scriptify.api.script.security.exclude.ClassSecurityExclude;
+import com.instancify.scriptify.api.script.security.exclude.SecurityExclude;
 import com.instancify.scriptify.core.script.security.StandardSecurityManager;
 import org.graalvm.polyglot.*;
 
 public class JsScript implements Script<Value> {
 
-    private final Context context = Context.create();
     private final ScriptSecurityManager securityManager = new StandardSecurityManager();
     private ScriptFunctionManager functionManager;
     private ScriptConstantManager constantManager;
@@ -44,6 +45,25 @@ public void setConstantManager(ScriptConstantManager constantManager) {
 
     @Override
     public Value eval(String script) throws ScriptException {
+        Context.Builder builder = Context.newBuilder("js")
+                .allowHostAccess(HostAccess.ALL);
+
+        // If security mode is enabled, search all exclusions
+        // and add the classes that were excluded to JsSecurityClassAccessor
+        if (securityManager.getSecurityMode()) {
+            JsSecurityClassAccessor classAccessor = new JsSecurityClassAccessor();
+            for (SecurityExclude exclude : securityManager.getExcludes()) {
+                if (exclude instanceof ClassSecurityExclude classExclude) {
+                    classAccessor.addAllowedClass(classExclude.getValue());
+                }
+            }
+            builder.allowHostClassLookup(classAccessor);
+        } else {
+            builder.allowHostClassLookup(className -> true);
+        }
+
+        Context context = builder.build();
+
         Value bindings = context.getBindings("js");
 
         if (functionManager != null) {
@@ -62,6 +82,8 @@ public Value eval(String script) throws ScriptException {
             return context.eval("js", script);
         } catch (Exception e) {
             throw new ScriptException(e);
+        } finally {
+            context.close();
         }
     }
 }

script-js-graalvm/src/main/java/com/instancify/scriptify/script/JsSecurityClassAccessor.java

@@ -0,0 +1,32 @@
+package com.instancify.scriptify.script;
+
+import com.instancify.scriptify.api.script.security.SecurityClassAccessor;
+import org.graalvm.polyglot.PolyglotException;
+
+import java.util.HashSet;
+import java.util.Set;
+import java.util.function.Predicate;
+
+public class JsSecurityClassAccessor implements Predicate<String>, SecurityClassAccessor {
+
+    private final Set<String> allowedClasses = new HashSet<>();
+
+    public JsSecurityClassAccessor() {
+        this.allowedClasses.add(PolyglotException.class.getName());
+    }
+
+    @Override
+    public Set<String> getAllowedClasses() {
+        return allowedClasses;
+    }
+
+    @Override
+    public void addAllowedClass(String allowedClass) {
+        this.allowedClasses.add(allowedClass);
+    }
+
+    @Override
+    public boolean test(String className) {
+        return this.allowedClasses.contains(className);
+    }
+}

script-js-rhino/src/main/java/com/instancify/scriptify/script/JsScript.java

@@ -50,7 +50,7 @@ public Object eval(String script) throws ScriptException {
         ScriptableObject scope = context.initStandardObjects();
 
         // If security mode is enabled, search all exclusions
-        // and add the classes that were excluded to JsSafeClassShutter
+        // and add the classes that were excluded to JsSecurityClassAccessor
         if (securityManager.getSecurityMode()) {
             JsSecurityClassAccessor classAccessor = new JsSecurityClassAccessor();
             for (SecurityExclude exclude : securityManager.getExcludes()) {