8236798: Enhance FX scripting support

Reviewed-by: ghb, rhalade, mschoene
openjdk · Jan 16, 2020 · 14c6938 · 14c6938
1 parent bfb2d0e
commit 14c6938
Showing 1 changed file with 73 additions and 2 deletions.
diff --git a/modules/javafx.web/src/main/java/com/sun/webkit/Utilities.java b/modules/javafx.web/src/main/java/com/sun/webkit/Utilities.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -31,8 +31,12 @@
 import java.security.AccessController;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
+import java.util.Arrays;
 import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
 import java.util.Map;
+import java.util.Set;
 
 public abstract class Utilities {
 
@@ -50,11 +54,78 @@ public static synchronized Utilities getUtilities() {
     protected abstract PopupMenu createPopupMenu();
     protected abstract ContextMenu createContextMenu();
 
+    private static final Set<String> asSet(String... items) {
+        return new HashSet(Arrays.asList(items));
+    }
+
+    // Whitelist of Class methods to allow
+    private static final Set<String> classMethodsWhitelist = asSet(
+        "getCanonicalName",
+        "getEnumConstants",
+        "getFields",
+        "getMethods",
+        "getName",
+        "getPackageName",
+        "getSimpleName",
+        "getSuperclass",
+        "getTypeName",
+        "getTypeParameters",
+        "isAssignableFrom",
+        "isArray",
+        "isEnum",
+        "isInstance",
+        "isInterface",
+        "isLocalClass",
+        "isMemberClass",
+        "isPrimitive",
+        "isSynthetic",
+        "toGenericString",
+        "toString"
+    );
+
+    // Blacklist of classes to disallow
+    private static final Set<String> classesBlacklist = asSet(
+        "java.lang.ClassLoader",
+        "java.lang.Module",
+        "java.lang.Runtime",
+        "java.lang.System"
+    );
+
+    // Blacklist of packages to disallow
+    private static final List<String> packagesBlacklist = Arrays.asList(
+        "java.lang.invoke",
+        "java.lang.module",
+        "java.lang.reflect",
+        "java.security",
+        "sun.misc"
+    );
+
     private static Object fwkInvokeWithContext(final Method method,
                                                final Object instance,
                                                final Object[] args,
                                                AccessControlContext acc)
-    throws Throwable {
+            throws Throwable {
+
+        final Class<?> clazz = method.getDeclaringClass();
+        if (clazz.equals(java.lang.Class.class)) {
+            // check whitelist of allowable Class methods
+            if (!classMethodsWhitelist.contains(method.getName())) {
+                throw new UnsupportedOperationException("invocation not supported");
+            }
+        } else {
+            // check blacklist of class names
+            final String className = clazz.getName();
+            if (classesBlacklist.contains(className)) {
+                throw new UnsupportedOperationException("invocation not supported");
+            }
+            // check blacklist of packages
+            packagesBlacklist.forEach(packageName -> {
+                if (className.startsWith(packageName + ".")) {
+                    throw new UnsupportedOperationException("invocation not supported");
+                }
+            });
+        }
+
         try {
             return AccessController.doPrivileged((PrivilegedExceptionAction<Object>)
                     () -> MethodHelper.invoke(method, instance, args), acc);