BATIK-1347: Switch to full whitelist for rhino

git-svn-id: https://svn.apache.org/repos/asf/xmlgraphics/batik/trunk@1904899 13f79535-47bb-0310-9956-ffa450edef68

Author: simonsteiner1984

batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java

@@ -33,7 +33,9 @@ Licensed to the Apache Software Foundation (ASF) under one or more
 public class RhinoClassShutter implements ClassShutter {
     public static final List<String> WHITELIST = new ArrayList<>();
     static {
-        WHITELIST.addAll(Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL"));
+        WHITELIST.addAll(Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL", ".*Permission",
+                "org.w3c.dom.*", "org.apache.batik.w3c.*", "org.apache.batik.anim.*", "org.apache.batik.dom.*",
+                "org.apache.batik.css.*"));
     }
 
     /*
@@ -63,56 +65,11 @@ public void test(String cls) {
      * Returns whether the given class is visible to scripts.
      */
     public boolean visibleToScripts(String fullClassName) {
-        if (!WHITELIST.contains(fullClassName) && !fullClassName.endsWith("Permission") && !fullClassName.startsWith("org.")) {
-            return false;
-        }
-
-        // Don't let them mess with script engine's internals.
-        if (fullClassName.startsWith("org.mozilla.javascript"))
-            return false;
-
-        if (fullClassName.startsWith("org.apache.batik.")) {
-            // Just get package within batik.
-            String batikPkg = fullClassName.substring(17);
-
-            // Don't let them mess with Batik script internals.
-            if (batikPkg.startsWith("script"))
-                return false;
-
-            // Don't let them get global structures.
-            if (batikPkg.startsWith("apps"))
-                return false;
-
-            // Don't let them get scripting stuff from bridge, but specifically
-            // allow access to:
-            //
-            //   o.a.b.bridge.ScriptingEnvironment$Window$IntervalScriptTimerTask
-            //   o.a.b.bridge.ScriptingEnvironment$Window$IntervalRunnableTimerTask
-            //   o.a.b.bridge.ScriptingEnvironment$Window$TimeoutScriptTimerTask
-            //   o.a.b.bridge.ScriptingEnvironment$Window$TimeoutRunnableTimerTask
-            //
-            // since objects of these classes are returned by setInterval() and
-            // setTimeout().
-            if (batikPkg.startsWith("bridge.")) {
-                String batikBridgeClass = batikPkg.substring(7);
-                if (batikBridgeClass.startsWith("ScriptingEnvironment")) {
-                    if (batikBridgeClass.startsWith("$Window$", 20)) {
-                        String c = batikBridgeClass.substring(28);
-                        if (c.equals("IntervalScriptTimerTask")
-                                || c.equals("IntervalRunnableTimerTask")
-                                || c.equals("TimeoutScriptTimerTask")
-                                || c.equals("TimeoutRunnableTimerTask")) {
-                            return true;
-                        }
-                    }
-                    return false;
-                }
-                if (batikBridgeClass.startsWith("BaseScriptingEnvironment")) {
-                    return false;
-                }
+        for (String v : WHITELIST) {
+            if (fullClassName.matches(v)) {
+                return true;
             }
         }
-
-        return true;
+        return false;
     }
 }

batik-test-old/src/test/java/org/apache/batik/script/rhino/RhinoClassShutterTest.java

@@ -29,5 +29,6 @@ public void testImports() {
         RhinoClassShutter.WHITELIST.add(runtimeClass);
         Assert.assertTrue(new RhinoClassShutter().visibleToScripts(runtimeClass));
         RhinoClassShutter.WHITELIST.remove(runtimeClass);
+        Assert.assertFalse(new RhinoClassShutter().visibleToScripts("org.x"));
     }
 }