Using Graal.js 19.0.0 via Scripting in platform/core.network

platform/core.network/src/org/netbeans/core/network/proxy/pac/impl/NbPacScriptEvaluator.java

@@ -18,6 +18,8 @@
  */
 package org.netbeans.core.network.proxy.pac.impl;
 
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
 import java.net.InetSocketAddress;
 import java.net.Proxy;
 import java.net.URI;
@@ -304,7 +306,41 @@ private PacScriptEngine getScriptEngine(String pacSource) throws PacParsingExcep
         }
     }
 
+    private boolean isNashornFactory(ScriptEngineFactory f) {
+        try {
+            Class<?> klass = Class.forName("jdk.nashorn.api.scripting.NashornScriptEngineFactory");
+            return klass.isInstance(f);
+        } catch (ClassNotFoundException ex) {
+            return false;
+        }
+    }
+
+    private ScriptEngine secureEngineEngine(ScriptEngine e) {
+        try {
+            ScriptEngineFactory f = e.getFactory();
+            final Class<? extends ScriptEngineFactory> factoryClass = f.getClass();
+            final ClassLoader factoryClassLoader = factoryClass.getClassLoader();
+            Class<?> filterClass = Class.forName("jdk.nashorn.api.scripting.ClassFilter", true, factoryClassLoader);
+            Method createMethod = factoryClass.getMethod("getScriptEngine", filterClass);
+            Object filter = java.lang.reflect.Proxy.newProxyInstance(factoryClassLoader, new Class[] { filterClass }, (Object proxy, Method method, Object[] args) -> {
+                return false;
+            });
+            return (ScriptEngine) createMethod.invoke(f, filter);
+        } catch (NoSuchMethodException | ClassNotFoundException | IllegalAccessException | IllegalArgumentException | InvocationTargetException ex) {
+            Exceptions.printStackTrace(ex);
+            return e;
+        }
+    }
+
     private ScriptEngine getGenericJSScriptEngine() {
+        ScriptEngine eng = newGenericJSScriptEngine();
+        if (isNashornFactory(eng.getFactory())) {
+            return secureEngineEngine(eng);
+        }
+        return eng;
+    }
+
+    private ScriptEngine newGenericJSScriptEngine() {
         ScriptEngineManager manager = Scripting.createManager();
         ScriptEngine mimeBased = manager.getEngineByMimeType("text/javascript");
         if (mimeBased != null) {

platform/core.network/test/unit/data/pacFiles2/pac-test-getclass.js

@@ -0,0 +1,33 @@
+/* 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+
+
+// 
+// A PAC script which tries to break out of the sandbox and attempts
+// to do something really nasty.
+//
+
+function FindProxyForURL(url, host)
+{
+    alert("pac-test-getclass.js");
+
+    var clazz = "".getClass();
+    if (!clazz) {
+        return "DIRECT";
+    } else {
+        return "PROXY " + clazz.toString().substring(6) + ":80";
+    }
+}

platform/core.network/test/unit/src/org/netbeans/core/network/proxy/pac/PacEngineTest.java

@@ -71,6 +71,7 @@ public void testEngine() throws PacParsingException, IOException, URISyntaxExcep
         testPacFile("pac-test2.js", factory, 3, true);
         testPacFile("pac-test3.js", factory, 1, false);
         testPacFileMalicious("pac-test-sandbox-breakout.js", factory);
+        testPacFileMalicious("pac-test-getclass.js", factory);
 
         testPacFile2("pac-test4.js", factory);
     }