zhouxy108/hutool
1
0
Fork 0
mirror of https://gitee.com/chinabugotech/hutool.git synced 2025-08-18 20:38:02 +08:00
Code Issues Packages Projects Releases Wiki Activity

修复QLExpressEngineallowClassSet无效问题(issue#3994@Github)

Browse Source
This commit is contained in:
Looly
2025-07-22 15:26:19 +08:00
parent 325f5a5324
commit 3d0d8dea4b
2 changed files with 18 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
hutool-extra/src/main/java/cn/hutool/extra/expression/engine/qlexpress/QLExpressEngine.java
View File

@@ -4,7 +4,10 @@ import cn.hutool.extra.expression.ExpressionEngine;
import cn.hutool.extra.expression.ExpressionException;
import com.ql.util.express.DefaultContext;
import com.ql.util.express.ExpressRunner;
import com.ql.util.express.config.QLExpressRunStrategy;
import javax.naming.InitialContext;
import java.lang.reflect.Method;
import java.util.Collection;
import java.util.Map;
@@ -24,10 +27,24 @@ public class QLExpressEngine implements ExpressionEngine {
*/
public QLExpressEngine() {
engine = new ExpressRunner();
// issue#3994@Github
// Enforce blacklisting of high-risk method invocations
QLExpressRunStrategy.setForbidInvokeSecurityRiskMethods(true);
// Explicitly forbid JNDI lookup calls through InitialContext
QLExpressRunStrategy.addSecurityRiskMethod(InitialContext.class, "doLookup");
}
@Override
public Object eval(final String expression, final Map<String, Object> context, Collection<Class<?>> allowClassSet) {
// issue#3994@Github
if (null != allowClassSet) {
for (Class<?> clazz : allowClassSet) {
for (Method method : clazz.getDeclaredMethods()) {
QLExpressRunStrategy.addSecureMethod(clazz, method.getName());
}
}
}
final DefaultContext<String, Object> defaultContext = new DefaultContext<>();
defaultContext.putAll(context);
try {