Add option to disable access to services in scripts

Author: filiphr

modules/flowable-cmmn-engine/src/main/java/org/flowable/cmmn/engine/CmmnEngineConfiguration.java

@@ -440,6 +440,11 @@ public class CmmnEngineConfiguration extends AbstractBuildableEngineConfiguratio
     protected List<ResolverFactory> resolverFactories;
     protected Collection<ResolverFactory> preDefaultResolverFactories;
     protected Collection<ResolverFactory> postDefaultResolverFactories;
+    /**
+     * Flag to indicate whether the services should be enabled in the scripting engine. This is set to true by default.
+     * If set to false, then services like cmmnTaskService, cmmnRuntimeService, etc. will not be available in the scripting engine.
+     */
+    protected boolean servicesEnabledInScripting = true;
 
     /**
      * Using field injection together with a delegate expression for a service task / execution listener / task listener is not thread-sade , see user guide section 'Field Injection' for more
@@ -4296,6 +4301,15 @@ public CmmnEngineConfiguration addPostDefaultResolverFactory(ResolverFactory res
         return this;
     }
 
+    public boolean isServicesEnabledInScripting() {
+        return servicesEnabledInScripting;
+    }
+
+    public CmmnEngineConfiguration setServicesEnabledInScripting(boolean servicesEnabledInScripting) {
+        this.servicesEnabledInScripting = servicesEnabledInScripting;
+        return this;
+    }
+
     public void resetClock() {
         if (this.clock != null) {
             clock.reset();

modules/flowable-cmmn-engine/src/main/java/org/flowable/cmmn/engine/impl/scripting/CmmnVariableScopeResolver.java

@@ -12,9 +12,9 @@
  */
 package org.flowable.cmmn.engine.impl.scripting;
 
-import java.util.Arrays;
-import java.util.HashSet;
+import java.util.Map;
 import java.util.Set;
+import java.util.function.Function;
 
 import org.apache.commons.lang3.StringUtils;
 import org.flowable.cmmn.api.runtime.CaseInstance;
@@ -35,35 +35,28 @@
  */
 public class CmmnVariableScopeResolver implements Resolver {
 
-    protected static final String ENGINE_CONFIG_KEY = "engineConfiguration";
-    protected static final String CMMN_ENGINE_CONFIG_KEY = "cmmnEngineConfiguration";
-
-    protected static final String RUNTIME__SERVICE_KEY = "runtimeService";
-    protected static final String CMMN_RUNTIME__SERVICE_KEY = "cmmnRuntimeService";
-
-    protected static final String HISTORY_SERVICE_KEY = "historyService";
-    protected static final String CMMN_HISTORY_SERVICE_KEY = "cmmnHistoryService";
-
-    protected static final String MANAGEMENT_SERVICE_KEY = "managementService";
-    protected static final String CMMN_MANAGEMENT_SERVICE_KEY = "cmmnManagementService";
-
-    protected static final String TASK_SERVICE_KEY = "taskService";
-    protected static final String CMMN_TASK_SERVICE_KEY = "cmmnTaskService";
-
     protected static final String CASE_INSTANCE_KEY = "caseInstance";
     protected static final String PLAN_ITEM_INSTANCE_KEY = "planItemInstance";
     protected static final String TASK_KEY = "task";
 
-    protected static final Set<String> KEYS = new HashSet<>(Arrays.asList(
-        ENGINE_CONFIG_KEY, CMMN_ENGINE_CONFIG_KEY,
-        RUNTIME__SERVICE_KEY, CMMN_RUNTIME__SERVICE_KEY,
-        HISTORY_SERVICE_KEY, CMMN_HISTORY_SERVICE_KEY,
-        MANAGEMENT_SERVICE_KEY, CMMN_MANAGEMENT_SERVICE_KEY,
-        TASK_SERVICE_KEY, CMMN_TASK_SERVICE_KEY,
+    protected static final Map<String, Function<CmmnEngineConfiguration, ?>> SERVICE_RESOLVERS = Map.of(
+            "engineConfiguration", Function.identity(),
+            "cmmnEngineConfiguration", Function.identity(),
+            "runtimeService", CmmnEngineConfiguration::getCmmnRuntimeService,
+            "cmmnRuntimeService", CmmnEngineConfiguration::getCmmnRuntimeService,
+            "historyService", CmmnEngineConfiguration::getCmmnHistoryService,
+            "cmmnHistoryService", CmmnEngineConfiguration::getCmmnHistoryService,
+            "managementService", CmmnEngineConfiguration::getCmmnManagementService,
+            "cmmnManagementService", CmmnEngineConfiguration::getCmmnManagementService,
+            "taskService", CmmnEngineConfiguration::getCmmnTaskService,
+            "cmmnTaskService", CmmnEngineConfiguration::getCmmnTaskService
+    );
+
+    protected static final Set<String> KEYS = Set.of(
         CASE_INSTANCE_KEY,
         PLAN_ITEM_INSTANCE_KEY,
         TASK_KEY
-    ));
+    );
 
     protected CmmnEngineConfiguration engineConfiguration;
     protected VariableContainer scopeContainer;
@@ -81,26 +74,18 @@ public CmmnVariableScopeResolver(CmmnEngineConfiguration engineConfiguration, Va
 
     @Override
     public boolean containsKey(Object key) {
-        return inputVariableContainer.hasVariable((String) key) || KEYS.contains(key);
+        return inputVariableContainer.hasVariable((String) key) || KEYS.contains(key)
+                || SERVICE_RESOLVERS.containsKey(key) && engineConfiguration.isServicesEnabledInScripting();
     }
 
     @Override
     public Object get(Object key) {
-        if (ENGINE_CONFIG_KEY.equals(key) || CMMN_ENGINE_CONFIG_KEY.equals(key)) {
-            return engineConfiguration;
-
-        } else if (RUNTIME__SERVICE_KEY.equals(key) || CMMN_RUNTIME__SERVICE_KEY.equals(key)) {
-            return engineConfiguration.getCmmnRuntimeService();
-
-        } else if (HISTORY_SERVICE_KEY.equals(key) || CMMN_HISTORY_SERVICE_KEY.equals(key)) {
-            return engineConfiguration.getCmmnHistoryService();
-
-        } else if (MANAGEMENT_SERVICE_KEY.equals(key) || CMMN_MANAGEMENT_SERVICE_KEY.equals(key)) {
-            return engineConfiguration.getCmmnManagementService();
-
-        } else if (TASK_SERVICE_KEY.equals(key) || CMMN_TASK_SERVICE_KEY.equals(key)) {
-            return engineConfiguration.getCmmnTaskService();
-
+        if (SERVICE_RESOLVERS.containsKey((String) key)) {
+            if (engineConfiguration.isServicesEnabledInScripting()) {
+                return SERVICE_RESOLVERS.get(key).apply(engineConfiguration);
+            } else {
+                throw new FlowableException("The service '" + key + "' is not available in the current context. Please enable services in scripting.");
+            }
         } else if (CASE_INSTANCE_KEY.equals(key)) {
             if (scopeContainer instanceof CaseInstance) {
                 return scopeContainer;

modules/flowable-engine/src/main/java/org/flowable/engine/impl/cfg/ProcessEngineConfigurationImpl.java

@@ -740,6 +740,11 @@ public abstract class ProcessEngineConfigurationImpl extends ProcessEngineConfig
     protected List<ResolverFactory> resolverFactories;
     protected Collection<ResolverFactory> preDefaultResolverFactories;
     protected Collection<ResolverFactory> postDefaultResolverFactories;
+    /**
+     * Flag to indicate whether the services should be enabled in the scripting engine. This is set to true by default.
+     * If set to false, then services like cmmnTaskService, cmmnRuntimeService, etc. will not be available in the scripting engine.
+     */
+    protected boolean servicesEnabledInScripting = true;
     // END SCRIPTING
     protected boolean isExpressionCacheEnabled = true;
     protected int expressionCacheSize = 4096;
@@ -3688,6 +3693,15 @@ public ProcessEngineConfigurationImpl addPostDefaultResolverFactory(ResolverFact
         return this;
     }
 
+    public boolean isServicesEnabledInScripting() {
+        return servicesEnabledInScripting;
+    }
+
+    public ProcessEngineConfigurationImpl setServicesEnabledInScripting(boolean servicesEnabledInScripting) {
+        this.servicesEnabledInScripting = servicesEnabledInScripting;
+        return this;
+    }
+
     public DeploymentManager getDeploymentManager() {
         return deploymentManager;
     }

modules/flowable-engine/src/main/java/org/flowable/engine/impl/scripting/VariableScopeResolver.java

@@ -12,14 +12,14 @@
  */
 package org.flowable.engine.impl.scripting;
 
-import java.util.Arrays;
-import java.util.HashSet;
-import java.util.Set;
+import java.util.Map;
+import java.util.function.Function;
 
 import org.flowable.common.engine.api.FlowableException;
 import org.flowable.common.engine.api.FlowableIllegalArgumentException;
 import org.flowable.common.engine.api.variable.VariableContainer;
 import org.flowable.common.engine.impl.scripting.Resolver;
+import org.flowable.engine.ProcessEngineConfiguration;
 import org.flowable.engine.impl.cfg.ProcessEngineConfigurationImpl;
 import org.flowable.engine.impl.persistence.entity.ExecutionEntity;
 import org.flowable.task.service.impl.persistence.entity.TaskEntity;
@@ -36,18 +36,16 @@ public class VariableScopeResolver implements Resolver {
 
     protected String variableScopeKey = "execution";
 
-    protected static final String processEngineConfigurationKey = "processEngineConfiguration";
-    protected static final String runtimeServiceKey = "runtimeService";
-    protected static final String taskServiceKey = "taskService";
-    protected static final String repositoryServiceKey = "repositoryService";
-    protected static final String managementServiceKey = "managementService";
-    protected static final String historyServiceKey = "historyService";
-    protected static final String formServiceKey = "formService";
-    protected static final String identityServiceKey = "identityServiceKey";
-
-    protected static final Set<String> KEYS = new HashSet<>(Arrays.asList(
-        processEngineConfigurationKey, runtimeServiceKey, taskServiceKey,
-        repositoryServiceKey, managementServiceKey, historyServiceKey, formServiceKey, identityServiceKey));
+    protected static final Map<String, Function<ProcessEngineConfiguration, ?>> SERVICE_RESOLVERS = Map.of(
+            "processEngineConfiguration", Function.identity(),
+            "runtimeService", ProcessEngineConfiguration::getRuntimeService,
+            "taskService", ProcessEngineConfiguration::getTaskService,
+            "repositoryService", ProcessEngineConfiguration::getRepositoryService,
+            "managementService", ProcessEngineConfiguration::getManagementService,
+            "historyService", ProcessEngineConfiguration::getHistoryService,
+            "formService", ProcessEngineConfiguration::getFormService,
+            "identityServiceKey", ProcessEngineConfiguration::getIdentityService
+    );
 
     public VariableScopeResolver(ProcessEngineConfigurationImpl processEngineConfiguration, VariableContainer scopeContainer,
             VariableContainer inputVariableContainer) {
@@ -70,29 +68,20 @@ public VariableScopeResolver(ProcessEngineConfigurationImpl processEngineConfigu
 
     @Override
     public boolean containsKey(Object key) {
-        return variableScopeKey.equals(key) || KEYS.contains(key) || inputVariableContainer.hasVariable((String) key);
+        return variableScopeKey.equals(key) || inputVariableContainer.hasVariable((String) key)
+                || SERVICE_RESOLVERS.containsKey(key) && processEngineConfiguration.isServicesEnabledInScripting();
     }
 
     @Override
     public Object get(Object key) {
         if (variableScopeKey.equals(key)) {
             return scopeContainer;
-        } else if (processEngineConfigurationKey.equals(key)) {
-            return processEngineConfiguration;
-        } else if (runtimeServiceKey.equals(key)) {
-            return processEngineConfiguration.getRuntimeService();
-        } else if (taskServiceKey.equals(key)) {
-            return processEngineConfiguration.getTaskService();
-        } else if (repositoryServiceKey.equals(key)) {
-            return processEngineConfiguration.getRepositoryService();
-        } else if (managementServiceKey.equals(key)) {
-            return processEngineConfiguration.getManagementService();
-        } else if (formServiceKey.equals(key)) {
-            return processEngineConfiguration.getFormService();
-        } else if (identityServiceKey.equals(key)) {
-            return processEngineConfiguration.getIdentityService();
-        } else if (historyServiceKey.equals(key)) {
-            return processEngineConfiguration.getHistoryService();
+        } else if (SERVICE_RESOLVERS.containsKey((String) key)) {
+            if (processEngineConfiguration.isServicesEnabledInScripting()) {
+                return SERVICE_RESOLVERS.get(key).apply(processEngineConfiguration);
+            } else {
+                throw new FlowableException("The service '" + key + "' is not available in the current context. Please enable services in scripting.");
+            }
         }
 
         return inputVariableContainer.getVariable((String) key);

modules/flowable-engine/src/test/java/org/flowable/examples/bpmn/tasklistener/ScriptTaskListenerTest.java

@@ -18,6 +18,7 @@
 import org.flowable.common.engine.api.FlowableException;
 import org.flowable.common.engine.api.FlowableIllegalArgumentException;
 import org.flowable.common.engine.impl.history.HistoryLevel;
+import org.flowable.common.engine.impl.scripting.FlowableScriptEvaluationException;
 import org.flowable.engine.impl.test.HistoryTestHelper;
 import org.flowable.engine.impl.test.PluggableFlowableTestCase;
 import org.flowable.engine.repository.ProcessDefinition;
@@ -56,6 +57,19 @@ public void testScriptTaskListener() {
         assertThat(foo).as("Could not find the 'foo' variable in variable scope").isEqualTo("FOO");
     }
 
+    @Test
+    @Deployment(resources = { "org/flowable/examples/bpmn/tasklistener/ScriptTaskListenerTest.bpmn20.xml" })
+    public void testScriptTaskListenerWithDisabledServicesInScript() {
+        try {
+            processEngineConfiguration.setServicesEnabledInScripting(false);
+            assertThatThrownBy(() -> runtimeService.startProcessInstanceByKey("scriptTaskListenerProcess"))
+                    .isInstanceOf(FlowableScriptEvaluationException.class)
+                    .hasMessageContaining("No such property: taskService");
+        } finally {
+            processEngineConfiguration.setServicesEnabledInScripting(true);
+        }
+    }
+
     @Test
     @Deployment
     public void testThrowFlowableIllegalArgumentException() {

modules/flowable-engine/src/test/java/org/flowable/examples/bpmn/tasklistener/TaskListenerTest.java

@@ -369,6 +369,19 @@ public void testTaskListenerTypeScript() {
         assertThat(task2ScriptListenerResult).as("Expected 'task2ScriptListenerResult' variable in variable scope").isEqualTo("usertask2ReturnVal");
     }
 
+    @Test
+    @Deployment(resources = { "org/flowable/examples/bpmn/tasklistener/TaskListenerTypeScript.bpmn20.xml" })
+    public void testTaskListenerTypeScriptWithDisabledServicesInScript() {
+        try {
+            processEngineConfiguration.setServicesEnabledInScripting(false);
+            assertThatThrownBy(() -> runtimeService.startProcessInstanceByKey("taskListenerTypeScriptProcess"))
+                    .isInstanceOf(FlowableScriptEvaluationException.class)
+                    .hasMessageContaining("No such property: taskService");
+        } finally {
+            processEngineConfiguration.setServicesEnabledInScripting(true);
+        }
+    }
+
     @Test
     @Deployment(resources = { "org/flowable/examples/bpmn/tasklistener/TaskListenerTest.throwBpmnErrorCatchEventSubProcess.bpmn20.xml" })
     public void testTaskListenerThrowBpmnErrorCreate() {