From 94280e2e63b02ae67482c85a388a58add85e10cf Mon Sep 17 00:00:00 2001
From: Anton Tananaev <anton@traccar.org>
Date: Sun, 16 Apr 2023 12:54:38 -0700
Subject: Fix JXLS JEXL permissions

---
 .../reports/common/ExpressionEvaluatorFactory.java | 58 ++++++++++++++++++++++
 .../org.jxls.expression.ExpressionEvaluatorFactory |  1 +
 2 files changed, 59 insertions(+)
 create mode 100644 src/main/java/org/traccar/reports/common/ExpressionEvaluatorFactory.java
 create mode 100644 src/main/resources/META-INF/services/org.jxls.expression.ExpressionEvaluatorFactory

(limited to 'src/main')

diff --git a/src/main/java/org/traccar/reports/common/ExpressionEvaluatorFactory.java b/src/main/java/org/traccar/reports/common/ExpressionEvaluatorFactory.java
new file mode 100644
index 000000000..8b139a572
--- /dev/null
+++ b/src/main/java/org/traccar/reports/common/ExpressionEvaluatorFactory.java
@@ -0,0 +1,58 @@
+package org.traccar.reports.common;
+
+import org.apache.commons.jexl3.JexlBuilder;
+import org.apache.commons.jexl3.introspection.JexlPermissions;
+import org.jxls.expression.ExpressionEvaluator;
+import org.jxls.expression.JexlExpressionEvaluator;
+
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+
+public class ExpressionEvaluatorFactory implements org.jxls.expression.ExpressionEvaluatorFactory {
+
+    private final JexlPermissions permissions = new JexlPermissions() {
+        @Override
+        public boolean allow(Package pack) {
+            return true;
+        }
+
+        @Override
+        public boolean allow(Class<?> clazz) {
+            return true;
+        }
+
+        @Override
+        public boolean allow(Constructor<?> ctor) {
+            return true;
+        }
+
+        @Override
+        public boolean allow(Method method) {
+            return true;
+        }
+
+        @Override
+        public boolean allow(Field field) {
+            return true;
+        }
+
+        @Override
+        public JexlPermissions compose(String... src) {
+            return this;
+        }
+    };
+
+    @Override
+    public ExpressionEvaluator createExpressionEvaluator(String expression) {
+        JexlExpressionEvaluator expressionEvaluator = expression == null
+                ? new JexlExpressionEvaluator()
+                : new JexlExpressionEvaluator(expression);
+        expressionEvaluator.setJexlEngine(new JexlBuilder()
+                .silent(true)
+                .strict(false)
+                .permissions(permissions)
+                .create());
+        return expressionEvaluator;
+    }
+}
diff --git a/src/main/resources/META-INF/services/org.jxls.expression.ExpressionEvaluatorFactory b/src/main/resources/META-INF/services/org.jxls.expression.ExpressionEvaluatorFactory
new file mode 100644
index 000000000..75d628857
--- /dev/null
+++ b/src/main/resources/META-INF/services/org.jxls.expression.ExpressionEvaluatorFactory
@@ -0,0 +1 @@
+org.traccar.reports.common.ExpressionEvaluatorFactory
-- 
cgit v1.2.3