┏━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Defect Number ┃ Defects Same Cwe ┃ Defects Same Location ┃ Defects Same Location Same Cwe ┃
┡━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ 1 │ ~0.0 │ 0 │ 0 │
└───────────────┴──────────────────┴───────────────────────┴────────────────────────────────┘
┏━━━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Location ┃ SAST ┃ CWE ┃ Message ┃
┡━━━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ 50 │ SemgrepCE │ CWE-94 │ Detected potential code injection using ScriptEngine. Ensure user-controlled data cannot enter '.eval()', otherwise, this is a code injection vulnerability. │
└──────────┴───────────┴────────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
1 /*
2 * Copyright 2022 Conductor Authors.
3 * <p>
4 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
5 * the License. You may obtain a copy of the License at
6 * <p>
7 * http://www.apache.org/licenses/LICENSE-2.0
8 * <p>
9 * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
10 * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
11 * specific language governing permissions and limitations under the License.
12 */
13 package com.netflix.conductor.core.events;
14
15 import javax.script.Bindings;
16 import javax.script.ScriptEngine;
17 import javax.script.ScriptEngineManager;
18 import javax.script.ScriptException;
19
20 import org.openjdk.nashorn.api.scripting.NashornScriptEngineFactory;
21
22 public class ScriptEvaluator {
23
24 private static ScriptEngine engine;
25
26 private ScriptEvaluator() {}
27
28 /**
29 * Evaluates the script with the help of input provided but converts the result to a boolean
30 * value. Set environment variable CONDUCTOR_NASHORN_ES6_ENABLED=true for Nashorn ES6 support.
31 *
32 * @param script Script to be evaluated.
33 * @param input Input parameters.
34 * @throws ScriptException
35 * @return True or False based on the result of the evaluated expression.
36 */
37 public static Boolean evalBool(String script, Object input) throws ScriptException {
38 return toBoolean(eval(script, input));
39 }
40
41 /**
42 * Evaluates the script with the help of input provided. Set environment variable
43 * CONDUCTOR_NASHORN_ES6_ENABLED=true for Nashorn ES6 support.
44 *
45 * @param script Script to be evaluated.
46 * @param input Input parameters.
47 * @throws ScriptException
48 * @return Generic object, the result of the evaluated expression.
49 */
50 public static Object eval(String script, Object input) throws ScriptException {
51 initEngine(false);
52 Bindings bindings = engine.createBindings();
53 bindings.put("$", input);
54 return engine.eval(script, bindings);
55 }
56
57 // to mock in a test
58 public static String getEnv(String name) {
59 return System.getenv(name);
60 }
61
62 public static void initEngine(boolean reInit) {
63 if (engine == null || reInit) {
64 if ("true".equalsIgnoreCase(getEnv("CONDUCTOR_NASHORN_ES6_ENABLED"))) {
65 NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
66 engine = factory.getScriptEngine("--language=es6");
67 } else {
68 engine = new ScriptEngineManager().getEngineByName("Nashorn");
69 }
70 }
71 if (engine == null) {
72 throw new RuntimeException(
73 "missing nashorn engine. Ensure you are running supported JVM");
74 }
75 }
76
77 /**
78 * Converts a generic object into boolean value. Checks if the Object is of type Boolean and
79 * returns the value of the Boolean object. Checks if the Object is of type Number and returns
80 * True if the value is greater than 0.
81 *
82 * @param input Generic object that will be inspected to return a boolean value.
83 * @return True or False based on the input provided.
84 */
85 public static Boolean toBoolean(Object input) {
86 if (input instanceof Boolean) {
87 return ((Boolean) input);
88 } else if (input instanceof Number) {
89 return ((Number) input).doubleValue() > 0;
90 }
91 return false;
92 }
93 }
94
^