8021189: Prevent access to constructors of restricted classes

Reviewed-by: lagergren, sundar

nashorn/src/jdk/internal/dynalink/beans/AbstractJavaLinker.java

@@ -292,8 +292,6 @@ abstract class AbstractJavaLinker implements GuardingDynamicLinker {
         return new SimpleDynamicMethod(unreflectSafely(m), member.getDeclaringClass(), member.getName());
     }
 
-    private static final Lookup publicLookup = new Lookup(MethodHandles.publicLookup());
-
     /**
      * Unreflects a method handle from a Method or a Constructor using safe (zero-privilege) unreflection. Should be
      * only used for methods and constructors that are not caller sensitive. If a caller sensitive method were
@@ -305,13 +303,13 @@ abstract class AbstractJavaLinker implements GuardingDynamicLinker {
     private static MethodHandle unreflectSafely(AccessibleObject m) {
         if(m instanceof Method) {
             final Method reflMethod = (Method)m;
-            final MethodHandle handle = publicLookup.unreflect(reflMethod);
+            final MethodHandle handle = Lookup.PUBLIC.unreflect(reflMethod);
             if(Modifier.isStatic(reflMethod.getModifiers())) {
                 return StaticClassIntrospector.editStaticMethodHandle(handle);
             }
             return handle;
         }
-        return StaticClassIntrospector.editConstructorMethodHandle(publicLookup.unreflectConstructor((Constructor<?>)m));
+        return StaticClassIntrospector.editConstructorMethodHandle(Lookup.PUBLIC.unreflectConstructor((Constructor<?>)m));
     }
 
     private static DynamicMethod mergeMethods(SingleDynamicMethod method, DynamicMethod existing, Class<?> clazz, String name) {

nashorn/src/jdk/internal/dynalink/beans/FacetIntrospector.java

@@ -84,7 +84,6 @@
 package jdk.internal.dynalink.beans;
 
 import java.lang.invoke.MethodHandle;
-import java.lang.invoke.MethodHandles;
 import java.lang.reflect.Field;
 import java.lang.reflect.Member;
 import java.lang.reflect.Method;
@@ -101,8 +100,6 @@ import jdk.internal.dynalink.support.Lookup;
  * @author Attila Szegedi
  */
 abstract class FacetIntrospector {
-    private static final Lookup publicLookup = new Lookup(MethodHandles.publicLookup());
-
     private final Class<?> clazz;
     private final boolean instance;
     private final boolean isRestricted;
@@ -164,11 +161,11 @@ abstract class FacetIntrospector {
 
 
     MethodHandle unreflectGetter(Field field) {
-        return editMethodHandle(publicLookup.unreflectGetter(field));
+        return editMethodHandle(Lookup.PUBLIC.unreflectGetter(field));
     }
 
     MethodHandle unreflectSetter(Field field) {
-        return editMethodHandle(publicLookup.unreflectSetter(field));
+        return editMethodHandle(Lookup.PUBLIC.unreflectSetter(field));
     }
 
     /**

nashorn/src/jdk/internal/dynalink/beans/StaticClassLinker.java

@@ -132,7 +132,9 @@ class StaticClassLinker implements TypeBasedGuardingDynamicLinker {
                 return new SimpleDynamicMethod(StaticClassIntrospector.editConstructorMethodHandle(
                         boundArrayCtor.asType(boundArrayCtor.type().changeReturnType(clazz))), clazz, "<init>");
             }
-
+            if(CheckRestrictedPackage.isRestrictedClass(clazz)) {
+                return null;
+            }
             return createDynamicMethod(Arrays.asList(clazz.getConstructors()), clazz, "<init>");
         }
 

nashorn/test/script/trusted/JDK-8006529.js

@@ -51,6 +51,7 @@ var ExpressionStatement = Java.type("jdk.nashorn.internal.ir.ExpressionStatement
 var UnaryNode           = Java.type("jdk.nashorn.internal.ir.UnaryNode")
 var BinaryNode          = Java.type("jdk.nashorn.internal.ir.BinaryNode")
 var ThrowErrorManager   = Java.type("jdk.nashorn.internal.runtime.Context$ThrowErrorManager")
+var ErrorManager        = Java.type("jdk.nashorn.internal.runtime.ErrorManager")
 var Debug               = Java.type("jdk.nashorn.internal.runtime.Debug")
 
 var parseMethod = Parser.class.getMethod("parse");
@@ -111,18 +112,22 @@ function findFunction(node) {
 var getContextMethod = Context.class.getMethod("getContext")
 var getEnvMethod = Context.class.getMethod("getEnv")
 
+var SourceConstructor = Source.class.getConstructor(java.lang.String.class, java.lang.String.class)
+var ParserConstructor = Parser.class.getConstructor(ScriptEnvironment.class, Source.class, ErrorManager.class)
+var CompilerConstructor = Compiler.class.getConstructor(ScriptEnvironment.class)
+
 // compile(script) -- compiles a script specified as a string with its 
 // source code, returns a jdk.nashorn.internal.ir.FunctionNode object 
 // representing it.
 function compile(source) {
-    var source   = new Source("<no name>", source);
+    var source = SourceConstructor.newInstance("<no name>", source);
 
     var env = getEnvMethod.invoke(getContextMethod.invoke(null))
 
-    var parser   = new Parser(env, source, new ThrowErrorManager());
+    var parser   = ParserConstructor.newInstance(env, source, new ThrowErrorManager());
     var func     = parseMethod.invoke(parser);
 
-    var compiler = new Compiler(env);
+    var compiler = CompilerConstructor.newInstance(env);
 
     return compileMethod.invoke(compiler, func);
 };

nashorn/test/script/trusted/JDK-8021129.js

@@ -29,7 +29,9 @@
  * @test
  * @run
  */
-var r1 = new (Java.type("jdk.nashorn.internal.test.models.InternalRunnable"))
+var R = Java.type("jdk.nashorn.internal.test.models.InternalRunnable")
+var r1 = R.class.newInstance()
+
 r1.run() // Can execute method from an implemented non-restricted interface
 print(r1.toString()) // Can execute public method from a superclass
 
@@ -40,4 +42,4 @@ print(r1.canSeeThisField === undefined) // Can't see fields from superclasses
 print(r1.canNotSeeThisField === undefined) // Can't see its own fields
 
 var r2 = new (Java.type("jdk.nashorn.test.models.InternalRunnableSuperclass"))
-print(r2.canSeeThisField) // Superclass field works fine on its own
+print(r2.canSeeThisField) // Superclass field works fine on its own

nashorn/test/script/trusted/JDK-8021189.js

@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ * 
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ * 
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ * 
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ * 
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * JDK-8021189: Prevent access to constructors of restricted classes
+ * 
+ * @test
+ * @run
+ */
+try {
+    new (Java.type("jdk.nashorn.internal.test.models.InternalRunnable"))
+} catch(e) {
+    print(e)
+}

nashorn/test/script/trusted/JDK-8021189.js.EXPECTED

@@ -0,0 +1 @@
+TypeError: Can not construct jdk.nashorn.internal.test.models.InternalRunnable with the passed arguments; they do not match any of its constructor signatures.