filebot/source/net/filebot/format/SecureCompiledScript.java

package net.filebot.format;

import java.awt.AWTPermission;
import java.io.File;
import java.io.FilePermission;
import java.lang.management.ManagementPermission;
import java.lang.reflect.ReflectPermission;
import java.net.SocketPermission;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;
import java.util.concurrent.Callable;
import java.util.logging.LoggingPermission;

import javax.script.CompiledScript;
import javax.script.ScriptContext;
import javax.script.ScriptEngine;
import javax.script.ScriptException;

import net.filebot.ApplicationFolder;
import net.filebot.util.ExceptionUtilities;

public class SecureCompiledScript extends CompiledScript {

	public static PermissionCollection getDefaultSandboxPermissions() {
		Permissions permissions = new Permissions();

		// give up on real security, just try to keep files read-only (because of classloading and native lib loading issues)
		permissions.add(new RuntimePermission("createClassLoader"));
		permissions.add(new RuntimePermission("getClassLoader"));
		permissions.add(new RuntimePermission("modifyThread"));
		permissions.add(new RuntimePermission("modifyThreadGroup"));
		permissions.add(new RuntimePermission("loadLibrary.*"));
		permissions.add(new RuntimePermission("accessClassInPackage.*"));
		permissions.add(new RuntimePermission("accessDeclaredMembers"));
		permissions.add(new RuntimePermission("canProcessApplicationEvents"));
		permissions.add(new RuntimePermission("getenv.*"));
		permissions.add(new RuntimePermission("getFileSystemAttributes"));
		permissions.add(new RuntimePermission("readFileDescriptor"));
		permissions.add(new RuntimePermission("preferences"));
		permissions.add(new AWTPermission("toolkitModality"));
		permissions.add(new AWTPermission("setWindowAlwaysOnTop"));
		permissions.add(new AWTPermission("showWindowWithoutWarningBanner"));
		permissions.add(new FilePermission("<<ALL FILES>>", "read"));
		permissions.add(new SocketPermission("*", "connect"));
		permissions.add(new PropertyPermission("*", "read"));
		permissions.add(new PropertyPermission("*", "write"));
		permissions.add(new LoggingPermission("control", null));
		permissions.add(new ManagementPermission("monitor"));
		permissions.add(new ReflectPermission("suppressAccessChecks"));
		permissions.add(new ReflectPermission("newProxyInPackage.*"));

		// write permissions for cache and temp folders
		for (ApplicationFolder it : ApplicationFolder.values()) {
			permissions.add(new FilePermission(it.get().getAbsolutePath() + File.separator + "-", "read, write, delete"));
		}

		return permissions;
	}

	private final CompiledScript compiledScript;
	private final AccessControlContext sandbox;

	public SecureCompiledScript(CompiledScript compiledScript) {
		this(compiledScript, new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, getDefaultSandboxPermissions()) }));
	}

	public SecureCompiledScript(CompiledScript compiledScript, AccessControlContext sandbox) {
		this.compiledScript = compiledScript;
		this.sandbox = sandbox;
	}

	@Override
	public Object eval(ScriptContext context) throws ScriptException {
		try {
			return AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {

				@Override
				public Object run() throws ScriptException {
					Object value = compiledScript.eval(context);

					if (value instanceof Callable<?>) {
						try {
							return ((Callable<?>) value).call();
						} catch (Exception e) {
							throw new ScriptException(e);
						}
					}

					return value;
				}
			}, sandbox);
		} catch (PrivilegedActionException e) {
			AccessControlException accessException = ExceptionUtilities.findCause(e, AccessControlException.class);

			// try to unwrap AccessControlException
			if (accessException != null)
				throw new ExpressionException(accessException);

			// forward ScriptException
			// e.getException() should be an instance of ScriptException,
			// as only "checked" exceptions will be "wrapped" in a PrivilegedActionException
			throw (ScriptException) e.getException();
		}
	}

	@Override
	public ScriptEngine getEngine() {
		return compiledScript.getEngine();
	}

}
* fix package and import declarations 2014-04-19 02:30:29 -04:00			`package net.filebot.format;`
+ support episode --filter CLI option 2012-03-24 22:50:28 -04:00
new AWTPermission("toolkitModality") 2016-11-23 02:02:31 -05:00			`import java.awt.AWTPermission;`
+ support episode --filter CLI option 2012-03-24 22:50:28 -04:00			`import java.io.File;`
			`import java.io.FilePermission;`
* update samples 2013-10-17 03:11:32 -04:00			`import java.lang.management.ManagementPermission;`
* maybe fix libmediainfo library loading issues 2015-11-13 01:17:15 -05:00			`import java.lang.reflect.ReflectPermission;`
+ support episode --filter CLI option 2012-03-24 22:50:28 -04:00			`import java.net.SocketPermission;`
			`import java.security.AccessControlContext;`
			`import java.security.AccessControlException;`
			`import java.security.AccessController;`
			`import java.security.PermissionCollection;`
			`import java.security.Permissions;`
			`import java.security.PrivilegedActionException;`
			`import java.security.PrivilegedExceptionAction;`
			`import java.security.ProtectionDomain;`
			`import java.util.PropertyPermission;`
Make sure that returned Closure objects are invoked in the AccessController context 2017-01-16 02:11:34 -05:00			`import java.util.concurrent.Callable;`
Additional format permission that might be required for certain bindings (e.g. abs2sxe) 2016-05-05 13:26:39 -04:00			`import java.util.logging.LoggingPermission;`
+ support episode --filter CLI option 2012-03-24 22:50:28 -04:00
			`import javax.script.CompiledScript;`
			`import javax.script.ScriptContext;`
			`import javax.script.ScriptEngine;`
			`import javax.script.ScriptException;`

Refactor ApplicationFolder 2016-08-04 03:05:54 -04:00			`import net.filebot.ApplicationFolder;`
* fix package and import declarations 2014-04-19 02:30:29 -04:00			`import net.filebot.util.ExceptionUtilities;`
+ support episode --filter CLI option 2012-03-24 22:50:28 -04:00
			`public class SecureCompiledScript extends CompiledScript {`
* update samples 2013-10-17 03:11:32 -04:00
+ support episode --filter CLI option 2012-03-24 22:50:28 -04:00			`public static PermissionCollection getDefaultSandboxPermissions() {`
			`Permissions permissions = new Permissions();`
* update samples 2013-10-17 03:11:32 -04:00
* maybe fix libmediainfo library loading issues 2015-11-13 01:17:15 -05:00			`// give up on real security, just try to keep files read-only (because of classloading and native lib loading issues)`
+ support episode --filter CLI option 2012-03-24 22:50:28 -04:00			`permissions.add(new RuntimePermission("createClassLoader"));`
* maybe fix libmediainfo library loading issues 2015-11-09 02:25:56 -05:00			`permissions.add(new RuntimePermission("getClassLoader"));`
* added data 2013-04-04 17:41:47 -04:00			`permissions.add(new RuntimePermission("modifyThread"));`
* maybe fix libmediainfo library loading issues 2015-11-09 02:25:56 -05:00			`permissions.add(new RuntimePermission("modifyThreadGroup"));`
			`permissions.add(new RuntimePermission("loadLibrary.*"));`
			`permissions.add(new RuntimePermission("accessClassInPackage.*"));`
			`permissions.add(new RuntimePermission("accessDeclaredMembers"));`
new RuntimePermission("canProcessApplicationEvents") 2016-11-24 03:37:51 -05:00			`permissions.add(new RuntimePermission("canProcessApplicationEvents"));`
* maybe fix libmediainfo library loading issues 2015-11-09 02:25:56 -05:00			`permissions.add(new RuntimePermission("getenv.*"));`
			`permissions.add(new RuntimePermission("getFileSystemAttributes"));`
			`permissions.add(new RuntimePermission("readFileDescriptor"));`
Additional format permission that might be required for certain bindings (e.g. abs2sxe) 2016-05-05 13:26:39 -04:00			`permissions.add(new RuntimePermission("preferences"));`
new RuntimePermission("canProcessApplicationEvents") 2016-11-24 03:37:51 -05:00			`permissions.add(new AWTPermission("toolkitModality"));`
			`permissions.add(new AWTPermission("setWindowAlwaysOnTop"));`
			`permissions.add(new AWTPermission("showWindowWithoutWarningBanner"));`
+ support episode --filter CLI option 2012-03-24 22:50:28 -04:00			`permissions.add(new FilePermission("<<ALL FILES>>", "read"));`
			`permissions.add(new SocketPermission("*", "connect"));`
			`permissions.add(new PropertyPermission("*", "read"));`
* maybe fix libmediainfo library loading issues 2015-11-13 01:17:15 -05:00			`permissions.add(new PropertyPermission("*", "write"));`
Additional format permission that might be required for certain bindings (e.g. abs2sxe) 2016-05-05 13:26:39 -04:00			`permissions.add(new LoggingPermission("control", null));`
* update samples 2013-10-17 03:11:32 -04:00			`permissions.add(new ManagementPermission("monitor"));`
* maybe fix libmediainfo library loading issues 2015-11-13 01:17:15 -05:00			`permissions.add(new ReflectPermission("suppressAccessChecks"));`
			`permissions.add(new ReflectPermission("newProxyInPackage.*"));`
* update samples 2013-10-17 03:11:32 -04:00
Unify application folder logic 2016-03-11 06:14:50 -05:00			`// write permissions for cache and temp folders`
			`for (ApplicationFolder it : ApplicationFolder.values()) {`
Compatibility fix 2016-11-25 12:37:09 -05:00			`permissions.add(new FilePermission(it.get().getAbsolutePath() + File.separator + "-", "read, write, delete"));`
* cache compiled script snippets since each new instance leaks into PermGen memory 2013-01-29 04:05:42 -05:00			`}`
* update samples 2013-10-17 03:11:32 -04:00
+ support episode --filter CLI option 2012-03-24 22:50:28 -04:00			`return permissions;`
			`}`
* update samples 2013-10-17 03:11:32 -04:00
+ support episode --filter CLI option 2012-03-24 22:50:28 -04:00			`private final CompiledScript compiledScript;`
			`private final AccessControlContext sandbox;`
* update samples 2013-10-17 03:11:32 -04:00
+ support episode --filter CLI option 2012-03-24 22:50:28 -04:00			`public SecureCompiledScript(CompiledScript compiledScript) {`
			`this(compiledScript, new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, getDefaultSandboxPermissions()) }));`
			`}`
* update samples 2013-10-17 03:11:32 -04:00
+ support episode --filter CLI option 2012-03-24 22:50:28 -04:00			`public SecureCompiledScript(CompiledScript compiledScript, AccessControlContext sandbox) {`
			`this.compiledScript = compiledScript;`
			`this.sandbox = sandbox;`
			`}`
* update samples 2013-10-17 03:11:32 -04:00
+ support episode --filter CLI option 2012-03-24 22:50:28 -04:00			`@Override`
Make sure that returned Closure objects are invoked in the AccessController context 2017-01-16 02:11:34 -05:00			`public Object eval(ScriptContext context) throws ScriptException {`
+ support episode --filter CLI option 2012-03-24 22:50:28 -04:00			`try {`
			`return AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {`
* update samples 2013-10-17 03:11:32 -04:00
+ support episode --filter CLI option 2012-03-24 22:50:28 -04:00			`@Override`
			`public Object run() throws ScriptException {`
Make sure that returned Closure objects are invoked in the AccessController context 2017-01-16 02:11:34 -05:00			`Object value = compiledScript.eval(context);`

			`if (value instanceof Callable<?>) {`
			`try {`
			`return ((Callable<?>) value).call();`
			`} catch (Exception e) {`
			`throw new ScriptException(e);`
			`}`
			`}`

			`return value;`
+ support episode --filter CLI option 2012-03-24 22:50:28 -04:00			`}`
			`}, sandbox);`
			`} catch (PrivilegedActionException e) {`
			`AccessControlException accessException = ExceptionUtilities.findCause(e, AccessControlException.class);`
* update samples 2013-10-17 03:11:32 -04:00
+ support episode --filter CLI option 2012-03-24 22:50:28 -04:00			`// try to unwrap AccessControlException`
			`if (accessException != null)`
			`throw new ExpressionException(accessException);`
* update samples 2013-10-17 03:11:32 -04:00
+ support episode --filter CLI option 2012-03-24 22:50:28 -04:00			`// forward ScriptException`
			`// e.getException() should be an instance of ScriptException,`
			`// as only "checked" exceptions will be "wrapped" in a PrivilegedActionException`
			`throw (ScriptException) e.getException();`
			`}`
			`}`
* update samples 2013-10-17 03:11:32 -04:00
+ support episode --filter CLI option 2012-03-24 22:50:28 -04:00			`@Override`
			`public ScriptEngine getEngine() {`
			`return compiledScript.getEngine();`
			`}`
* update samples 2013-10-17 03:11:32 -04:00
+ support episode --filter CLI option 2012-03-24 22:50:28 -04:00			`}`