From be4f7eb84a6143fa80432783505091c19c57f98b Mon Sep 17 00:00:00 2001
From: icetimidus <icerab@outlook.com>
Date: Tue, 7 May 2024 02:33:39 +0000
Subject: [PATCH] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=E8=84=9A=E6=9C=AC=E5=BC=95?=
 =?UTF-8?q?=E6=93=8Eclass=E9=BB=91=E5=90=8D=E5=8D=95=EF=BC=8C=E4=BF=AE?=
 =?UTF-8?q?=E5=A4=8D=E5=91=BD=E4=BB=A4=E6=89=A7=E8=A1=8C=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: icetimidus <icerab@outlook.com>
(cherry picked from commit 6988dd264d80ce504377328b61242b495983cc15)
---
 .../service/impl/DataSetParamServiceImpl.java          | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/report-core/src/main/java/com/anjiplus/template/gaea/business/modules/datasetparam/service/impl/DataSetParamServiceImpl.java b/report-core/src/main/java/com/anjiplus/template/gaea/business/modules/datasetparam/service/impl/DataSetParamServiceImpl.java
index e4679b87..ca4303c1 100644
--- a/report-core/src/main/java/com/anjiplus/template/gaea/business/modules/datasetparam/service/impl/DataSetParamServiceImpl.java
+++ b/report-core/src/main/java/com/anjiplus/template/gaea/business/modules/datasetparam/service/impl/DataSetParamServiceImpl.java
@@ -1,4 +1,3 @@
-
 package com.anjiplus.template.gaea.business.modules.datasetparam.service.impl;
 
 import com.anji.plus.gaea.curd.mapper.GaeaBaseMapper;
@@ -10,6 +9,8 @@ import com.anjiplus.template.gaea.business.modules.datasetparam.service.DataSetP
 import com.anjiplus.template.gaea.business.modules.datasetparam.util.ParamsResolverHelper;
 import com.anjiplus.template.gaea.business.code.ResponseCode;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.common.collect.Sets;
+import jdk.nashorn.api.scripting.NashornScriptEngineFactory;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -17,10 +18,10 @@ import org.springframework.stereotype.Service;
 
 import javax.script.Invocable;
 import javax.script.ScriptEngine;
-import javax.script.ScriptEngineManager;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 
 /**
 * @desc DataSetParam 数据集动态参数服务实现
@@ -31,11 +32,12 @@ import java.util.Map;
 //@RequiredArgsConstructor
 @Slf4j
 public class DataSetParamServiceImpl implements DataSetParamService {
+    static final Set<String> blackList = Sets.newHashSet("java.lang.ProcessBuilder", "java.lang.Runtime", "java.lang.ProcessImpl");
 
     private ScriptEngine engine;
     {
-        ScriptEngineManager manager = new ScriptEngineManager();
-        engine = manager.getEngineByName("JavaScript");
+        NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
+        engine = factory.getScriptEngine(clz -> !blackList.contains(clz));
     }
 
     @Autowired