GraalVM sandbox implementation

phoenicis-scripts/src/main/java/org/phoenicis/scripts/ScriptsConfiguration.java

@@ -21,6 +21,7 @@
 import org.phoenicis.multithreading.MultithreadingConfiguration;
 import org.phoenicis.repository.RepositoryConfiguration;
 import org.phoenicis.scripts.engine.PhoenicisScriptEngineFactory;
+import org.phoenicis.scripts.engine.implementation.PhoenicisSandbox;
 import org.phoenicis.scripts.interpreter.PhoenicisScriptInterpreter;
 import org.phoenicis.scripts.engine.ScriptEngineType;
 import org.phoenicis.scripts.engine.injectors.*;
@@ -51,18 +52,27 @@ public class ScriptsConfiguration {
  @Autowired
  private MultithreadingConfiguration multithreadingConfiguration;
 
+ @Bean
+ public PhoenicisSandbox phoenicisSandbox() {
+ return new PhoenicisSandbox();
+ }
+
  @Bean
  public PhoenicisScriptEngineFactory graalScriptEngineFactory() {
- return new PhoenicisScriptEngineFactory(ScriptEngineType.GRAAL, Arrays.asList(new ScriptUtilitiesInjector(),
- new BeanInjector(applicationContext), new SetupWizardInjector(wizardConfiguration.setupWizardFactory()),
- new IncludeInjector(scriptFetcher()), new LocalisationInjector()));
+ return new PhoenicisScriptEngineFactory(phoenicisSandbox(), ScriptEngineType.GRAAL,
+ Arrays.asList(new ScriptUtilitiesInjector(),
+ new BeanInjector(applicationContext),
+ new SetupWizardInjector(wizardConfiguration.setupWizardFactory()),
+ new IncludeInjector(scriptFetcher()), new LocalisationInjector()));
  }
 
  @Bean
  public PhoenicisScriptEngineFactory nashornScriptEngineFactory() {
- return new PhoenicisScriptEngineFactory(ScriptEngineType.NASHORN, Arrays.asList(new ScriptUtilitiesInjector(),
- new BeanInjector(applicationContext), new SetupWizardInjector(wizardConfiguration.setupWizardFactory()),
- new IncludeInjector(scriptFetcher()), new LocalisationInjector()));
+ return new PhoenicisScriptEngineFactory(phoenicisSandbox(), ScriptEngineType.NASHORN,
+ Arrays.asList(new ScriptUtilitiesInjector(),
+ new BeanInjector(applicationContext),
+ new SetupWizardInjector(wizardConfiguration.setupWizardFactory()),
+ new IncludeInjector(scriptFetcher()), new LocalisationInjector()));
  }
 
  @Bean

phoenicis-scripts/src/main/java/org/phoenicis/scripts/engine/PhoenicisScriptEngineFactory.java

@@ -18,22 +18,26 @@
 
 package org.phoenicis.scripts.engine;
 
+import org.phoenicis.scripts.engine.implementation.PhoenicisSandbox;
 import org.phoenicis.scripts.engine.injectors.EngineInjector;
 import org.phoenicis.scripts.engine.implementation.PhoenicisScriptEngine;
 
 import java.util.List;
 
 public class PhoenicisScriptEngineFactory {
  private final ScriptEngineType type;
+ private final PhoenicisSandbox phoenicisSandbox;
  private final List<EngineInjector> engineInjectors;
 
- public PhoenicisScriptEngineFactory(ScriptEngineType type, List<EngineInjector> engineInjectors) {
+ public PhoenicisScriptEngineFactory(PhoenicisSandbox phoenicisSandbox, ScriptEngineType type,
+ List<EngineInjector> engineInjectors) {
  this.type = type;
  this.engineInjectors = engineInjectors;
+ this.phoenicisSandbox = phoenicisSandbox;
  }
 
  public PhoenicisScriptEngine createEngine() {
- final PhoenicisScriptEngine phoenicisScriptEngine = type.createScriptEngine();
+ final PhoenicisScriptEngine phoenicisScriptEngine = type.createScriptEngine(this.phoenicisSandbox);
 
  engineInjectors.forEach(engineInjector -> engineInjector.injectInto(phoenicisScriptEngine));
 

phoenicis-scripts/src/main/java/org/phoenicis/scripts/engine/ScriptEngineType.java

@@ -1,6 +1,7 @@
 package org.phoenicis.scripts.engine;
 
 import org.phoenicis.scripts.engine.implementation.JSAScriptEngine;
+import org.phoenicis.scripts.engine.implementation.PhoenicisSandbox;
 import org.phoenicis.scripts.engine.implementation.PhoenicisScriptEngine;
 import org.phoenicis.scripts.engine.implementation.PolyglotScriptEngine;
 
@@ -12,15 +13,15 @@
 public enum ScriptEngineType {
  NASHORN("nashorn") {
  @Override
- public PhoenicisScriptEngine createScriptEngine() {
+ public PhoenicisScriptEngine createScriptEngine(PhoenicisSandbox sandbox) {
  return new JSAScriptEngine("nashorn");
  }
  },
 
  GRAAL("graal.js") {
  @Override
- public PhoenicisScriptEngine createScriptEngine() {
- return new PolyglotScriptEngine("js", Map.of("js.nashorn-compat", "true"));
+ public PhoenicisScriptEngine createScriptEngine(PhoenicisSandbox sandbox) {
+ return new PolyglotScriptEngine(sandbox, "js", Map.of("js.nashorn-compat", "true"));
  }
  };
 
@@ -43,7 +44,7 @@ public PhoenicisScriptEngine createScriptEngine() {
  *
  * @return The new instance of the {@link ScriptEngineType}
  */
- public abstract PhoenicisScriptEngine createScriptEngine();
+ public abstract PhoenicisScriptEngine createScriptEngine(PhoenicisSandbox phoenicisSandbox);
 
  @Override
  public String toString() {

phoenicis-scripts/src/main/java/org/phoenicis/scripts/engine/implementation/PhoenicisSandbox.java

@@ -0,0 +1,33 @@
+package org.phoenicis.scripts.engine.implementation;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class PhoenicisSandbox {
+ private static final Logger LOGGER = LoggerFactory.getLogger(PhoenicisSandbox.class);
+
+ public boolean isSafe(String identifier) {
+ LOGGER.debug("Loading {} in javascript context", identifier);
+ if (identifier.startsWith("org.phoenicis")) {
+ return true;
+ }
+
+ if (identifier.startsWith("java.lang")) {
+ // FIXME: This should be more fine-tuned later
+ // Contains process builder
+ return true;
+ }
+
+ if (identifier.startsWith("java.util")) {
+ // FIXME: This should be more fine-tuned later
+ return true;
+ }
+
+ // Needed by GraalVM
+ if (identifier.startsWith("java.net.URLClassLoader")) {
+ return true;
+ }
+
+ return false;
+ }
+}

phoenicis-scripts/src/main/java/org/phoenicis/scripts/engine/implementation/PolyglotScriptEngine.java

@@ -15,6 +15,8 @@
  * A {@link PhoenicisScriptEngine} wrapping around a polyglot {@link Context} object defined by Graal
  */
 public class PolyglotScriptEngine implements PhoenicisScriptEngine {
+ private final PhoenicisSandbox phoenicisSandbox;
+
  /**
  * A list of error handlers
  */
@@ -33,16 +35,19 @@ public class PolyglotScriptEngine implements PhoenicisScriptEngine {
  /**
  * Constructor
  *
+ * @param phoenicisSandbox a Phoenicis Sandbox bean
  * @param language The language name
  * @param options A map of options for the Polyglot context
  */
- public PolyglotScriptEngine(String language, Map<String, String> options) {
+ public PolyglotScriptEngine(PhoenicisSandbox phoenicisSandbox, String language, Map<String, String> options) {
  super();
+ this.phoenicisSandbox = phoenicisSandbox;
 
  this.errorHandlers = new ArrayList<>();
  this.language = language;
  this.context = Context.newBuilder(language)
  .allowExperimentalOptions(true)
+ .allowHostClassLookup(phoenicisSandbox::isSafe)
  .options(options).allowHostAccess(true).build();
  }
 

phoenicis-scripts/src/main/java/org/phoenicis/scripts/ui/InstallationType.java

@@ -1,8 +1,11 @@
 package org.phoenicis.scripts.ui;
 
+import org.phoenicis.configuration.security.Safe;
+
 /**
  * type of the installation
  */
+@Safe
 public enum InstallationType {
  APPS("Apps"), ENGINES("Engines"), VERBS("Verbs");