添加脚本引擎class黑名单，修复命令执行漏洞

Signed-off-by: icetimidus <icerab@outlook.com>
(cherry picked from commit 6988dd264d)

report-core/src/main/java/com/anjiplus/template/gaea/business/modules/datasetparam/service/impl/DataSetParamServiceImpl.java

@@ -1,4 +1,3 @@
-
 package com.anjiplus.template.gaea.business.modules.datasetparam.service.impl;
 
 import com.anji.plus.gaea.curd.mapper.GaeaBaseMapper;
@@ -10,6 +9,8 @@ import com.anjiplus.template.gaea.business.modules.datasetparam.service.DataSetP
 import com.anjiplus.template.gaea.business.modules.datasetparam.util.ParamsResolverHelper;
 import com.anjiplus.template.gaea.business.code.ResponseCode;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.common.collect.Sets;
+import jdk.nashorn.api.scripting.NashornScriptEngineFactory;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -17,10 +18,10 @@ import org.springframework.stereotype.Service;
 
 import javax.script.Invocable;
 import javax.script.ScriptEngine;
-import javax.script.ScriptEngineManager;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 
 /**
 * @desc DataSetParam 数据集动态参数服务实现
@@ -31,11 +32,12 @@ import java.util.Map;
 //@RequiredArgsConstructor
 @Slf4j
 public class DataSetParamServiceImpl implements DataSetParamService {
+    static final Set<String> blackList = Sets.newHashSet("java.lang.ProcessBuilder", "java.lang.Runtime", "java.lang.ProcessImpl");
 
     private ScriptEngine engine;
     {
-        ScriptEngineManager manager = new ScriptEngineManager();
-        engine = manager.getEngineByName("JavaScript");
+        NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
+        engine = factory.getScriptEngine(clz -> !blackList.contains(clz));
     }
 
     @Autowired