mozilla / rhino

Rhino is an open-source implementation of JavaScript written entirely in Java
https://rhino.github.io

"Cannot overwrite existing ClassShutter object" on a new Context #1710

Closed NGSpace closed 1 month ago

NGSpace commented 1 month ago

doing

Context cx = Context.enter();
cx.setClassShutter(clazz->false);

Throws "Cannot overwrite existing ClassShutter object"

rPraml commented 1 month ago

Warning: Do not rely on the false security that classShutter etc. may provide. See #1045 and #861. I've tried a lot, and either liveConnect was useless or we found ways to bypass the "rules".

ClassShutter is easy: new java.util.HashMap().getClassLoader() and then load class you want or even define new class from bytecode level.

NGSpace commented 1 month ago

Thank you for your reply, is there a way to completely disable liveConnect or something more secure than ClassShutter?

rPraml commented 1 month ago

You can use initSafeStandardObjects, but then there are still ways a user can abuse the system, e.g. with complex regexps or endless loops.

NGSpace commented 1 month ago

Thank you for your answer.

Also I know this is unrelated but is there a way to make a global JavaScript function that will call a Java Lambda?

rPraml commented 1 month ago

You can try this

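// Needs: import org.mozilla.javascript.*;
BaseFunction myFunc = new BaseFunction() {
    @Override
    public Object call(Context _cx, Scriptable _scope, Scriptable _thisObj, Object[] _args) {
        // your code goes here
        return Undefined.instance; // value the script receives as the call's result
    }
};
// Register the function as a global named "myFunc"
scope.put("myFunc", scope, myFunc);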

or ScriptableObject.defineProperty if you just want a getter/setter property

gbrail commented 1 month ago

Also, the LambdaFunction class is designed for exactly this -- you create an instance of this class and pass it your lambda and you have a legal JavaScript function.


NGSpace commented 1 month ago

Thank you for your help!
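The two suggestions from this thread (initSafeStandardObjects and LambdaFunction) put together, with an instruction budget added for the endless-loop case rPraml mentions. This is an added example, not code from the thread or from the Rhino project; the class name, the budget value and the `add` function are assumptions, and it needs a Rhino release that includes LambdaFunction.

```java
import org.mozilla.javascript.Context;
import org.mozilla.javascript.ContextFactory;
import org.mozilla.javascript.LambdaFunction;
import org.mozilla.javascript.ScriptableObject;

public class SafeScopeExample {
    static final int INSTRUCTION_BUDGET = 1_000_000; // assumed limit, tune per workload

    static class BudgetFactory extends ContextFactory {
        @Override
        protected Context makeContext() {
            Context cx = super.makeContext();
            // Rhino calls observeInstructionCount() each time this many instructions ran.
            cx.setInstructionObserverThreshold(INSTRUCTION_BUDGET);
            return cx;
        }

        @Override
        protected void observeInstructionCount(Context cx, int instructionCount) {
            // An Error rather than an exception that a script's try/catch could intercept.
            throw new Error("script exceeded instruction budget");
        }
    }

    static Object run(String source) {
        Context cx = new BudgetFactory().enterContext();
        try {
            // Standard objects without Packages, java, JavaAdapter and the other Java globals.
            ScriptableObject scope = cx.initSafeStandardObjects();
            // Expose exactly one host capability as an ordinary JavaScript function.
            LambdaFunction add = new LambdaFunction(scope, "add", 2,
                (c, s, thisObj, args) -> args.length < 2 ? Double.NaN
                    : Context.toNumber(args[0]) + Context.toNumber(args[1]));
            ScriptableObject.putProperty(scope, "add", add);
            return cx.evaluateString(scope, source, "<constructed>", 1, null);
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) {
        System.out.println(run("add(2, 3)"));
        System.out.println(run("typeof Packages + ' ' + typeof java"));
        try {
            run("while (true) {}"); // constructed runaway script
        } catch (Error e) {
            System.out.println("stopped: " + e.getMessage());
        }
    }
}
```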