From bc1f58d483cc8854a9c4c1739abd5e04a2eb0367 Mon Sep 17 00:00:00 2001
From: rbri <rbri@rbri.de>
Date: Mon, 27 Jan 2020 20:30:30 +0100
Subject: [PATCH] Security: prevent Rhinos access to Java resources; e.g. call
 java methods

---
 src/changes/changes.xml                       |  3 ++
 .../javascript/JavaScriptEngine2Test.java     | 50 +++++++++++++++++++
 2 files changed, 53 insertions(+)

diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index b798cbf7b6..cad82da81f 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -8,6 +8,9 @@
 
     <body>
         <release version="2.37.0" date="xxxx, 2020" description="Bugfixes, CHROME 79, FF52 removed, FF68 added">
+            <action type="fix" dev="rbri">
+                Security: prevent Rhinos access to Java resources; e.g. call java methods.
+            </action>
             <action type="update" dev="rbri">
                 Upgrade Apache HttpComponents to 4.5.11.
             </action>
diff --git a/src/test/java/com/gargoylesoftware/htmlunit/javascript/JavaScriptEngine2Test.java b/src/test/java/com/gargoylesoftware/htmlunit/javascript/JavaScriptEngine2Test.java
index 877c42edc3..8e93375fec 100644
--- a/src/test/java/com/gargoylesoftware/htmlunit/javascript/JavaScriptEngine2Test.java
+++ b/src/test/java/com/gargoylesoftware/htmlunit/javascript/JavaScriptEngine2Test.java
@@ -16,6 +16,8 @@
 
 import static org.junit.Assert.fail;
 
+import java.net.URL;
+
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.openqa.selenium.By;
@@ -891,4 +893,52 @@ public void ctorBooleanDocumentAll() throws Exception {
 
         loadPageWithAlerts2(html);
     }
+
+    /**
+     * @throws Exception if the test fails
+     */
+    @Test
+    @Alerts("exception")
+    public void javaNotAccessable() throws Exception {
+        final String html = "<html><head>\n"
+                + "<script>\n"
+                + "function test() {\n"
+                + "  try {\n"
+                + "    alert(java.lang.Math.PI);\n"
+                + "  } catch (e) { alert('exception'); }\n"
+                + "}\n"
+                + "</script>\n"
+                + "</head>\n"
+                + "<body onload='test()'>\n"
+                + "</body></html>";
+
+        loadPageWithAlerts2(html);
+    }
+
+    /**
+     * @throws Exception if the test fails
+     */
+    @Test
+    @Alerts("Received: from worker - exception")
+    public void javaNotAccessableFromWorker() throws Exception {
+        final String html = "<html><body>\n"
+            + "<script async>\n"
+            + "try {\n"
+            + "  var myWorker = new Worker('worker.js');\n"
+            + "  myWorker.onmessage = function(e) {\n"
+            + "    alert('Received: ' + e.data);\n"
+            + "  };\n"
+            + "} catch(e) { alert('exception' + e); }\n"
+            + "</script></body></html>\n";
+
+        final String workerJs = "var pi = 'from worker';\n"
+                + "try {\n"
+                + "  pi = pi + ' - ' + java.lang.Math.PI\n"
+                + "} catch (e) { pi = pi + ' - ' + 'exception'; }\n"
+                + "postMessage(pi);\n";
+
+        getMockWebConnection().setResponse(new URL(URL_FIRST, "worker.js"), workerJs);
+
+        loadPageWithAlerts2(html, 2000);
+    }
 }