From 934390fefcd2cd58e6d86f2bc19d811ae17bfa28 Mon Sep 17 00:00:00 2001 From: rbri Date: Fri, 24 Jan 2020 19:59:38 +0100 Subject: [PATCH] disable java access to avoid execution of arbitrary (java) code --- .../htmlunit/javascript/HtmlUnitContextFactory.java | 9 +++++++++ .../htmlunit/javascript/JavaScriptEngine.java | 3 +-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/src/main/java/com/gargoylesoftware/htmlunit/javascript/HtmlUnitContextFactory.java b/src/main/java/com/gargoylesoftware/htmlunit/javascript/HtmlUnitContextFactory.java index 1f5f836d1f1..f975ee555d3 100644 --- a/src/main/java/com/gargoylesoftware/htmlunit/javascript/HtmlUnitContextFactory.java +++ b/src/main/java/com/gargoylesoftware/htmlunit/javascript/HtmlUnitContextFactory.java @@ -32,6 +32,7 @@ import com.gargoylesoftware.htmlunit.javascript.regexp.HtmlUnitRegExpProxy; import net.sourceforge.htmlunit.corejs.javascript.Callable; +import net.sourceforge.htmlunit.corejs.javascript.ClassShutter; import net.sourceforge.htmlunit.corejs.javascript.Context; import net.sourceforge.htmlunit.corejs.javascript.ContextAction; import net.sourceforge.htmlunit.corejs.javascript.ContextFactory; @@ -274,6 +275,14 @@ protected Context makeContext() { final TimeoutContext cx = new TimeoutContext(this); cx.setLanguageVersion(Context.VERSION_ES6); + // make sure no java classes are usable from js + cx.setClassShutter(new ClassShutter() { + @Override + public boolean visibleToScripts(final String fullClassName) { + return false; + } + }); + // Use pure interpreter mode to get observeInstructionCount() callbacks. cx.setOptimizationLevel(-1); diff --git a/src/main/java/com/gargoylesoftware/htmlunit/javascript/JavaScriptEngine.java b/src/main/java/com/gargoylesoftware/htmlunit/javascript/JavaScriptEngine.java index 0f6f4dd72d8..08841b964aa 100644 --- a/src/main/java/com/gargoylesoftware/htmlunit/javascript/JavaScriptEngine.java 
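Review bot: The deny-all `ClassShutter` added in `makeContext()` ships without a regression test (the diffstat lists only the two source files), although after this commit it is the only thing keeping page scripts away from Java classes. A test that runs a page script referencing a Java class name and asserts the access is refused would stop a later refactor from silently reopening it. Since the shutter holds no state, it could be one shared constant rather than a new anonymous instance per context, e.g. `private static final ClassShutter DENY_ALL = fullClassName -> false;`, assuming the build targets Java 8 or later. As far as I know Rhino also consults the shutter when it wraps Java objects for scripts, so paths that hand a Java exception to a script `catch` are worth checking. `makeContext()` continues past the end of the hunk.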
+++ b/src/main/java/com/gargoylesoftware/htmlunit/javascript/JavaScriptEngine.java @@ -216,8 +216,7 @@ private void init(final WebWindow webWindow, final Context context) throws Excep } // remove some objects, that Rhino defines in top scope but that we don't want - deleteProperties(window, "java", "javax", "org", "com", "edu", "net", - "JavaAdapter", "JavaImporter", "Continuation", "Packages", "getClass"); + deleteProperties(window, "Continuation"); if (!browserVersion.hasFeature(JS_XML)) { deleteProperties(window, "XML", "XMLList", "Namespace", "QName"); }
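Review bot: Trimming the `deleteProperties` call to `"Continuation"` leaves `Packages`, `java`, `getClass`, `JavaAdapter` and `JavaImporter` defined on the window, so the class shutter becomes the single layer of defence, and any `Context` not created by `HtmlUnitContextFactory.makeContext()` would presumably expose them unguarded. I would keep the deletion alongside the shutter: `deleteProperties(window, "java", "javax", "org", "com", "edu", "net", "JavaAdapter", "JavaImporter", "Continuation", "Packages", "getClass");`. That also keeps `typeof Packages` `undefined` for page scripts doing feature detection, as in a real browser. `init()` starts before the hunk and continues after it, so how the top scope is initialised is not visible here.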