From 32d467b6d961afe4fe7cf4d9a0f75d979dabcc55 Mon Sep 17 00:00:00 2001
From: yukaidi
Date: Fri, 29 May 2026 00:35:10 +0800
Subject: [PATCH] =?UTF-8?q?Revert=20"fix(security):=20SecurityClassFilter?= =?UTF-8?q?=20=E6=94=B9=E4=B8=BA=E7=99=BD=E5=90=8D=E5=8D=95=E7=AD=96?= =?UTF-8?q?=E7=95=A5"?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This reverts commit a83665ac4487a53387336bd887e8b94daf9d9680.
---
 .../parser/customjs/SecurityClassFilter.java | 83 ++++++------------
 1 file changed, 24 insertions(+), 59 deletions(-)

diff --git a/parser/src/main/java/cn/qaiu/parser/customjs/SecurityClassFilter.java b/parser/src/main/java/cn/qaiu/parser/customjs/SecurityClassFilter.java
index 0901a27..893dca8 100644
--- a/parser/src/main/java/cn/qaiu/parser/customjs/SecurityClassFilter.java
+++ b/parser/src/main/java/cn/qaiu/parser/customjs/SecurityClassFilter.java
@@ -78,76 +78,41 @@ public class SecurityClassFilter implements ClassFilter {
 "jdk.nashorn.internal",
 "jdk.internal",
 };
-
- // 白名单:明确允许 JS 解析器使用的类
- private static final String[] ALLOWED_CLASSES = {
- // Nashorn 脚本对象
- "org.openjdk.nashorn.api.scripting",
- "jdk.nashorn.api.scripting",
- // 基础集合类
- "java.util",
- // 基础类型
- "java.lang.String",
- "java.lang.Integer",
- "java.lang.Long",
- "java.lang.Double",
- "java.lang.Boolean",
- "java.lang.Math",
- "java.lang.Number",
- "java.lang.Object",
- "java.lang.StringBuilder",
- "java.lang.StringBuffer",
- "java.lang.Character",
- "java.lang.Byte",
- "java.lang.Short",
- "java.lang.Float",
- "java.lang.Enum",
- "java.lang.Iterable",
- "java.lang.Comparable",
- // 时间类
- "java.time",
- // 文本处理
- "java.text",
- };
-
- // 白名单包前缀
- private static final String[] ALLOWED_PACKAGES = {
- "java.util.",
- "java.time.",
- "java.text.",
- "org.openjdk.nashorn.api.scripting.",
- "jdk.nashorn.api.scripting.",
- };
-
+
 @Override
 public boolean exposeToScripts(String className) {
- // 1. 先检查黑名单(快速拒绝已知危险类)
+ // 检查是否在黑名单中
 for (String dangerous : DANGEROUS_CLASSES) {
 if (className.equals(dangerous) || className.startsWith(dangerous + ".")) {
 log.warn("🔒 安全拦截: JavaScript尝试访问危险类 - {}", className);
 return false;
 }
 }
-
- // 2. 检查白名单(只允许明确安全的类)
- for (String allowed : ALLOWED_CLASSES) {
- if (className.equals(allowed) || className.startsWith(allowed + ".")) {
- log.debug("✅ 白名单允许: {}", className);
- return true;
- }
- }
-
- // 3. 检查白名单包前缀
- for (String pkg : ALLOWED_PACKAGES) {
+
+ // 额外的包级别限制
+ String[] dangerousPackages = {
+ "java.lang.reflect.",
+ "java.io.",
+ "java.nio.",
+ "java.net.",
+ "java.sql.",
+ "javax.script.",
+ "sun.",
+ "jdk.internal.",
+ "jdk.nashorn.internal."
+ };
+
+ for (String pkg : dangerousPackages) {
 if (className.startsWith(pkg)) {
- log.debug("✅ 白名单包允许: {}", className);
- return true;
+ log.warn("🔒 安全拦截: JavaScript尝试访问危险包 - {}", className);
+ return false;
 }
 }
-
- // 4. 默认拒绝(白名单策略)
- log.warn("🔒 安全拦截: JavaScript尝试访问未授权类 - {}", className);
- return false;
+
+ // 默认也拒绝(白名单策略更安全,但这里为了兼容性使用黑名单)
+ // 如果要更严格,可以改为 return false
+ log.debug("允许访问类: {}", className);
+ return true;
 }
 }
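Review bot: The final `return true` makes the filter default-allow, so every class not matched by DANGEROUS_CLASSES (declared before this hunk; only its last two entries are visible here) or by `dangerousPackages` is exposed to scripts — the rest of `java.lang.` (only `java.lang.reflect.` is listed) and anything under `javax.` other than `javax.script.` now depends solely on those two lists being complete, and the revert message records no reason for giving up the deny-by-default policy. The comment `// 默认也拒绝(...)` directly contradicts the line that returns true; replace it with one that states the actual contract, e.g. `// Default-allow (blacklist policy, kept for compatibility): any class not matched above is exposed to scripts`. `dangerousPackages` is also re-allocated on every `exposeToScripts` call; hoist it to a `private static final String[] DANGEROUS_PACKAGES = { ... };` beside DANGEROUS_CLASSES and iterate over that constant. Since the debug-level `log.debug("允许访问类: {}", className)` will not be visible in production, consider logging the default-allow path at warn for any class outside the previously whitelisted `java.util.`/`java.time.`/`java.text.` prefixes, so unexpected exposures show up in logs without breaking existing scripts.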