Do not expose non command argument fields to scripts

ROGUE-JCTD · Apr 28, 2014 · c70741b · c70741b
1 parent 2dd6c5c
commit c70741b
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/src/core/src/main/java/org/geogit/api/hooks/Scripting.java b/src/core/src/main/java/org/geogit/api/hooks/Scripting.java
@@ -12,6 +12,7 @@
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.lang.reflect.Field;
+import java.lang.reflect.Modifier;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -69,7 +70,8 @@ public static void runJVMScript(AbstractGeoGitOp<?> operation, File scriptFile)
             Map<String, Object> params = getParamMap(operation);
             engine.put(PARAMS, params);
             Repository repo = operation.command(ResolveRepository.class).call();
-            engine.put(GEOGIT, new GeoGitAPI(repo));
+            GeoGitAPI api = new GeoGitAPI(repo);
+            engine.put(GEOGIT, api);
             engine.eval(new FileReader(scriptFile));
             Object map = engine.get(PARAMS);
             setParamMap((Map<String, Object>) map, operation);
@@ -190,6 +192,11 @@ public static void setParamMap(Map<String, Object> map, AbstractGeoGitOp<?> oper
             Field[] fields = operation.getClass().getDeclaredFields();
             Set<String> keys = map.keySet();
             for (Field field : fields) {
+                final int modifiers = field.getModifiers();
+                if (field.isSynthetic() || Modifier.isStatic(modifiers)
+                        || Modifier.isFinal(modifiers)) {
+                    continue;
+                }
                 if (keys.contains(field.getName())) {
                     field.setAccessible(true);
                     field.set(operation, map.get(field.getName()));