javadelight / delight-rhino-sandbox

A sandbox to execute JavaScript code with Rhino in Java.

JavaAdapter slipping through sandbox #12

Open Betalord opened 4 years ago

Betalord commented 4 years ago

Hi, this is more of a question and a potential issue. The thing is this: by using JavaAdapter (which one needs to use if one wants to implement any interface, extend classes, etc.), the full class name gets set to "adapterN", where N is some sequential number. Now, if we look at the code in SafeClassShutter.java, which is supposed to filter out any non-whitelisted classes, we can see that all adapters are passed through (any class whose name starts with "adapter"). This means, as far as I can understand, that we can extend any class (like some Java reflection class) and use it, as it will slip through the filter. Now my question is, is that true? Can we extend Java classes even if they are not explicitly exposed to the JS script? I'm just wondering, since I want to be sure that user scripts will not be able to circumvent my sandbox.

mxro commented 4 years ago

Hello @Betalord, thank you for opening this issue! It is definitely a possibility that something can slip through the sandbox. I wouldn't expect it to be a 100% solution.

I think the best we can do is try to identify the edge cases and close them off when we can. Could you construct a unit test for what you are talking about? If we can verify the case as such, we can then start exploring possible ways to mitigate. Thank you!
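Added example, not part of the thread and not the project's own code: a probe harness for the case discussed above, written against Rhino's `Context` and `ClassShutter` API directly. The class `AdapterShutterProbe`, its one-entry whitelist and the two scripts are assumptions; the filter only models the behaviour described in the issue (whitelist plus any name starting with "adapter"). It records every class name the shutter is asked about, so the output shows what the filter actually sees when a script builds a JavaAdapter over a whitelisted interface and over a class that is not whitelisted.

```java
import org.mozilla.javascript.Context;
import org.mozilla.javascript.Scriptable;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Hypothetical probe class; needs the Rhino jar on the classpath.
public class AdapterShutterProbe {
    // Constructed whitelist: only Runnable is exposed to scripts.
    static final Set<String> ALLOWED = Set.of("java.lang.Runnable");
    // Every class name Rhino passes to the shutter, in order.
    static final List<String> SEEN = new ArrayList<>();

    // Models the filter described in the issue: whitelist OR "adapter" prefix.
    static boolean visibleToScripts(String fullClassName) {
        SEEN.add(fullClassName);
        return ALLOWED.contains(fullClassName) || fullClassName.startsWith("adapter");
    }

    // Runs one script in a fresh Context and reports whether it completed.
    static String probe(String js) {
        SEEN.clear();
        Context cx = Context.enter();
        try {
            cx.setClassShutter(AdapterShutterProbe::visibleToScripts);
            Scriptable scope = cx.initStandardObjects();
            Object result = cx.evaluateString(scope, js, "probe.js", 1, null);
            return "completed: " + Context.toString(result);
        } catch (RuntimeException e) {
            // Rhino reports script and access errors as RhinoException subclasses.
            return "rejected: " + e.getClass().getSimpleName() + ": " + e.getMessage();
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) {
        String[] scripts = {
            // Adapter over the whitelisted interface.
            "var a = new JavaAdapter(java.lang.Runnable, {run: function(){}}); 'created'",
            // Adapter over a class that is NOT on the whitelist.
            "var b = new JavaAdapter(java.util.ArrayList, {}); 'created'"
        };
        for (String js : scripts) {
            System.out.println(js);
            System.out.println("  -> " + probe(js));
            System.out.println("  shutter was asked about: " + SEEN);
        }
    }
}
```

Once the behaviour is confirmed on the Rhino version in use, the second case can be turned into a regression test that fails whenever the script completes.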