RANGER-3959: restrict scripts from accessing some built-in methods - #2

Signed-off-by: Abhay Kulkarni <abhay@apache.org> (cherry picked from commit 161d924)
apache · Nov 12, 2022 · d7ebfda · d7ebfda
1 parent 731be83
commit d7ebfda
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 5 deletions.
diff --git a/...mon/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java b/...mon/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
@@ -66,6 +66,7 @@ public final class RangerRequestScriptEvaluator {
 	private static final String DEFAULT_RANGER_TAG_ATTRIBUTE_DATE_FORMAT    = "yyyy/MM/dd";
 	private static final String DEFAULT_ATLAS_TAG_ATTRIBUTE_DATE_FORMAT_NAME = "ATLAS_DATE_FORMAT";
 	private static final String DEFAULT_ATLAS_TAG_ATTRIBUTE_DATE_FORMAT     = "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'";
+	private static final String SCRIPT_SAFE_PREEXEC                         = "exit=null;quit=null;";
 	private static final String SCRIPT_PREEXEC                              = SCRIPT_VAR__CTX + "=JSON.parse(" + SCRIPT_VAR__CTX_JSON + "); J=JSON.stringify;" +
                                                                                  SCRIPT_VAR_REQ + "=" + SCRIPT_VAR__CTX + "." + SCRIPT_FIELD_REQUEST + ";" +
                                                                                  SCRIPT_VAR_RES + "=" + SCRIPT_VAR_REQ + "." + SCRIPT_FIELD_RESOURCE + ";" +
@@ -225,6 +226,8 @@ private Object evaluateScript(ScriptEngine scriptEngine, String script, boolean
 		bindings.put(SCRIPT_VAR_tag, currentTag);
 		bindings.put(SCRIPT_VAR_tagAttr, tagAttribs);
 
+		script = SCRIPT_SAFE_PREEXEC + script;
+
 		if (enableJsonCtx) {
 			bindings.put(SCRIPT_VAR__CTX_JSON, this.toJson());
 

diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/ScriptEngineUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/ScriptEngineUtil.java
@@ -32,7 +32,7 @@
 public class ScriptEngineUtil {
     private static final Logger LOG = LoggerFactory.getLogger(RangerScriptConditionEvaluator.class);
 
-    private static final String[] SCRIPT_ENGINE_ARGS = new String[0];
+    private static final String[] SCRIPT_ENGINE_ARGS = new String[] { "--no-java", "--no-syntax-extensions" };
 
     // for backward compatibility with any plugin that might use this API
     public static ScriptEngine createScriptEngine(String engineName, String serviceType) {
@@ -86,11 +86,11 @@ private static ScriptEngine getScriptEngine(ClassLoader clsLoader) {
         try {
             final NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
 
-            if (clsLoader != null) {
-                ret = factory.getScriptEngine(SCRIPT_ENGINE_ARGS, clsLoader, RangerClassFilter.INSTANCE);
-            } else {
-                ret = factory.getScriptEngine(RangerClassFilter.INSTANCE);
+            if (clsLoader == null) {
+                clsLoader = Thread.currentThread().getContextClassLoader();
             }
+
+            ret = factory.getScriptEngine(SCRIPT_ENGINE_ARGS, clsLoader, RangerClassFilter.INSTANCE);
         } catch (Throwable t) {
             if (LOG.isDebugEnabled()) {
                 LOG.debug("ScriptEngineUtil.getScriptEngine(clsLoader={}): failed", clsLoader, t);