RANGER-5324: replace iterations with streams in RangerRequestScriptEvaluator - #2

Author: mneethiraj

agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java

@@ -160,7 +160,7 @@ public final class RangerRequestScriptEvaluator {
     private static final String  DEFAULT_RANGER_TAG_ATTRIBUTE_DATE_FORMAT     = "yyyy/MM/dd";
     private static final String  DEFAULT_ATLAS_TAG_ATTRIBUTE_DATE_FORMAT_NAME = "ATLAS_DATE_FORMAT";
     private static final String  DEFAULT_ATLAS_TAG_ATTRIBUTE_DATE_FORMAT      = "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'";
-    private static final String  SCRIPT_SAFE_PREEXEC                          = "Object.defineProperty(this,'engine',{value:null,writable:false});exit=null;quit=null;";
+    private static final String  SCRIPT_SAFE_PREEXEC                          = "Object.defineProperty(this,'engine',{value:null,writable:false});Object.defineProperty(this,'context',{value:null,writable:false});Object.defineProperty(this,'__noSuchProperty__',{value:null,writable:false});Object.defineProperty(this,'loadWithNewGlobal',{value:null,writable:false});exit=null;quit=null;";
     private static final String  SCRIPT_PREEXEC                               = SCRIPT_VAR__CTX + "=JSON.parse(" + SCRIPT_VAR__CTX_JSON + "); J=JSON.stringify;" +
             SCRIPT_VAR_REQ + "=" + SCRIPT_VAR__CTX + "." + SCRIPT_FIELD_REQUEST + ";" +
             SCRIPT_VAR_RES + "=" + SCRIPT_VAR_REQ + "." + SCRIPT_FIELD_RESOURCE + ";" +

agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerRequestScriptEvaluatorTest.java

@@ -431,23 +431,23 @@ public void testBlockJavaClassReferences() {
         RangerAccessRequest          request   = createRequest("test-user", Collections.emptySet(), Collections.emptySet(), Collections.emptyList());
         RangerRequestScriptEvaluator evaluator = new RangerRequestScriptEvaluator(request, scriptEngine, false);
 
-        Assert.assertNull("test: java.lang.System.out.println(\"test\");", evaluator.evaluateScript("java.lang.System.out.println(\"test\");"));
-        Assert.assertNull("test: java.lang.Runtime.getRuntime().exec(\"bash\");", evaluator.evaluateScript("java.lang.Runtime.getRuntime().exec(\"bash\");"));
-
         String fileName = "/tmp/ctest1-" + System.currentTimeMillis();
-        String script   = "var file = new java.io.File('" + fileName +  "'); file.createNewFile()";
 
-        Assert.assertNull("test file access using: " + script, evaluator.evaluateScript(script));
+        String[] scripts = new String[] {
+                "java.lang.System.out.println(\"test\");",
+                "java.lang.Runtime.getRuntime().exec(\"bash\");",
+                "var newBindings=loadWithNewGlobal({'script':'this','name':'ctest'});this.context.setBindings(newBindings,100);var newEngine = this.__noSuchProperty__('engine');var e=newEngine.getFactory().getScriptEngine('-Dnashorn.args=--no-java=False');e.eval('java.lang.Runtime.getRuntime().exec(\"touch /tmp/ctest1\")')",
+                "engine.eval('malicious code')",
+                "var str = new java.lang.String('test'); str.length()",
+                "var file = new java.io.File('" + fileName +  "'); file.createNewFile()",
+        };
+
+        for (String script : scripts) {
+            Assert.assertNull("test: " + script, evaluator.evaluateScript(script));
+        }
 
         File testFile = new File(fileName);
         Assert.assertFalse(fileName + ": file should not have been created", testFile.exists());
-
-        script = "engine.eval('malicious code')";
-
-        Assert.assertNull("test engine access using: " + script, evaluator.evaluateScript(script));
-
-        script = "var str = new java.lang.String('test'); str.length()";
-        Assert.assertNull("test Java String class access using: " + script, evaluator.evaluateScript(script));
     }
 
     @Test