From bf2d46d37ee4a9d05088e12f2358e777878902fe Mon Sep 17 00:00:00 2001 From: ZZZank <3410764033@qq.com> Date: Sun, 18 Jan 2026 20:40:54 +0800 Subject: [PATCH] prevent Field/Method/Constructor to be directly accessible in JS code --- rhino/src/main/java/org/mozilla/javascript/WrapFactory.java | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/rhino/src/main/java/org/mozilla/javascript/WrapFactory.java b/rhino/src/main/java/org/mozilla/javascript/WrapFactory.java index 4615439dae..2ba52978bb 100644 --- a/rhino/src/main/java/org/mozilla/javascript/WrapFactory.java +++ b/rhino/src/main/java/org/mozilla/javascript/WrapFactory.java @@ -8,6 +8,7 @@ package org.mozilla.javascript; +import java.lang.reflect.AccessibleObject; import java.math.BigInteger; import java.util.List; import java.util.Map; @@ -119,6 +120,11 @@ public Scriptable wrapAsJavaObject( public Scriptable wrapAsJavaObject( Context cx, Scriptable scope, Object javaObject, TypeInfo staticType) { + if (javaObject instanceof AccessibleObject) { + // Field, Method, Constructor + return Undefined.SCRIPTABLE_UNDEFINED; + } + if (staticType.shouldReplace() && javaObject != null) { staticType = TypeInfoFactory.getOrElse(scope, TypeInfoFactory.GLOBAL)