1. Project Clover database Sat Feb 2 2019 06:45:20 CET
  2. Package org.xwiki.velocity.introspection

File SecureIntrospector.java

 

Coverage histogram

../../../../img/srcFileCovDistChart10.png
0% of files have more coverage

Code metrics

2
26
2
1
83
44
5
0.19
13
2
2.5

Classes

Class Line # Actions
SecureIntrospector 34 26 0% 5 0
1.0100%
 

Contributing tests

This file is covered by 58 tests. .

Source view

1    /*
2    * See the NOTICE file distributed with this work for additional
3    * information regarding copyright ownership.
4    *
5    * This is free software; you can redistribute it and/or modify it
6    * under the terms of the GNU Lesser General Public License as
7    * published by the Free Software Foundation; either version 2.1 of
8    * the License, or (at your option) any later version.
9    *
10    * This software is distributed in the hope that it will be useful,
11    * but WITHOUT ANY WARRANTY; without even the implied warranty of
12    * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13    * Lesser General Public License for more details.
14    *
15    * You should have received a copy of the GNU Lesser General Public
16    * License along with this software; if not, write to the Free
17    * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
18    * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
19    */
20    package org.xwiki.velocity.introspection;
21   
22    import java.util.HashSet;
23    import java.util.Set;
24   
25    import org.apache.velocity.runtime.log.Log;
26    import org.apache.velocity.util.introspection.SecureIntrospectorImpl;
27   
28    /**
29    * {@link SecureIntrospectorImpl} is way too restrictive with allowed {@link Class} methods.
30    *
31    * @version $Id: a8b75320cd80b46b7f0b4e67d36f884318fd4f9e $
32    * @since 5.4RC1
33    */
 
34    public class SecureIntrospector extends SecureIntrospectorImpl
35    {
36    private final Set<String> secureClassMethods = new HashSet<String>();
37   
38    /**
39    * @param badClasses forbidden classes
40    * @param badPackages forbidden packages
41    * @param log the log
42    */
 
43  102 toggle public SecureIntrospector(String[] badClasses, String[] badPackages, Log log)
44    {
45  102 super(badClasses, badPackages, log);
46   
47  102 this.secureClassMethods.add("getname");
48  102 this.secureClassMethods.add("getName");
49  102 this.secureClassMethods.add("getsimpleName");
50  102 this.secureClassMethods.add("getSimpleName");
51   
52  102 this.secureClassMethods.add("isarray");
53  102 this.secureClassMethods.add("isArray");
54  102 this.secureClassMethods.add("isassignablefrom");
55  102 this.secureClassMethods.add("isAssignableFrom");
56  102 this.secureClassMethods.add("isenum");
57  102 this.secureClassMethods.add("isEnum");
58  102 this.secureClassMethods.add("isinstance");
59  102 this.secureClassMethods.add("isInstance");
60  102 this.secureClassMethods.add("isinterface");
61  102 this.secureClassMethods.add("isInterface");
62  102 this.secureClassMethods.add("islocalClass");
63  102 this.secureClassMethods.add("isLocalClass");
64  102 this.secureClassMethods.add("ismemberclass");
65  102 this.secureClassMethods.add("isMemberClass");
66  102 this.secureClassMethods.add("isprimitive");
67  102 this.secureClassMethods.add("isPrimitive");
68  102 this.secureClassMethods.add("issynthetic");
69  102 this.secureClassMethods.add("isSynthetic");
70   
71    // TODO: add more when needed
72    }
73   
 
74  37440563 toggle @Override
75    public boolean checkObjectExecutePermission(Class clazz, String methodName)
76    {
77  37443622 if (Class.class.isAssignableFrom(clazz) && methodName != null && this.secureClassMethods.contains(methodName)) {
78  4071 return true;
79    } else {
80  37440544 return super.checkObjectExecutePermission(clazz, methodName);
81    }
82    }
83    }