Let me start by saying thank you for implementing the secure scripting feature which is essential for us since we use your engine in a multi tenant application where users of each tenant can create and execute their own process models.
In my tests the feature itself worked fine, scripts that are not allowed due to configuration are not executed. However, when the feature is enabled my (allowed) script tasks are executed but not completed anymore in v5.22.0. I edited one of your JUnit test cases to reflect this behaviour:
@Test
public void testUseExecutionAndVariables() {
deployProcessDefinition(“test-secure-script-use-variableScope-and-vars.bpmn20.xml”);
addWhiteListedClass("java.lang.Integer");
addWhiteListedClass("org.activiti.engine.impl.persistence.entity.ExecutionEntity");
Map<String, Object> vars = new HashMap<String, Object>();
vars.put("a", 123);
vars.put("b", 456);
ProcessInstance processInstance = runtimeService.startProcessInstanceByKey("useExecutionAndVars", vars);
Object c = runtimeService.getVariable(processInstance.getId(), "c");
Assert.assertTrue(c instanceof Number);
Number cNumber = (Number) c;
Assert.assertEquals(579, cNumber.intValue());
List<Task> tasks = taskService.createTaskQuery().processInstanceId(processInstance.getId()).list();
Assert.assertEquals(1, tasks.size());
}
The process consists of start event -> script task -> user task -> end event. Therefore, when the script task completes the user task should exist. This works when I remove the SecureJavaScriptConfigurator, if it is enabled the user task is never reached.
I would like to bump this again, since this feature is important for us and I believe the behaviour to be a bug in the implementation (and I am kinda lost investigating the cause).