Secure Scripting: Script task completion issue

Hello!

Let me start by saying thank you for implementing the secure scripting feature, which is essential for us since we use your engine in a multi-tenant application where users of each tenant can create and execute their own process models.

In my tests the feature itself worked fine: scripts that are not allowed due to configuration are not executed. However, when the feature is enabled, my (allowed) script tasks are executed but not completed anymore in v5.22.0. I edited one of your JUnit test cases to reflect this behaviour:

    @Test
    public void testUseExecutionAndVariables() {
        deployProcessDefinition("test-secure-script-use-variableScope-and-vars.bpmn20.xml");

        // Classes the secured script is allowed to use
        addWhiteListedClass("java.lang.Integer");
        addWhiteListedClass("org.activiti.engine.impl.persistence.entity.ExecutionEntity");

        Map<String, Object> vars = new HashMap<String, Object>();
        vars.put("a", 123);
        vars.put("b", 456);
        ProcessInstance processInstance = runtimeService.startProcessInstanceByKey("useExecutionAndVars", vars);

        // Variable c is set by the script task (123 + 456 = 579)
        Object c = runtimeService.getVariable(processInstance.getId(), "c");
        Assert.assertTrue(c instanceof Number);
        Number cNumber = (Number) c;
        Assert.assertEquals(579, cNumber.intValue());

        // Once the script task has completed, the user task should exist
        List<Task> tasks = taskService.createTaskQuery().processInstanceId(processInstance.getId()).list();
        Assert.assertEquals(1, tasks.size());
    }

The process consists of start event -> script task -> user task -> end event. Therefore, when the script task completes, the user task should exist. This works when I remove the SecureJavaScriptConfigurator; if it is enabled, the user task is never reached.

Hi,

Can you share your script task BPMN element as well?
Do you see any stack traces?

Best regards,

Tijs

It's the one you use in your JUnit tests; I just added the last two lines in the test case in org.flowable.test.scripting.secure.SecureScriptingTest.

I did not see any stack trace in the logs.

I would like to bump this again, since this feature is important for us and I believe the behaviour to be a bug in the implementation (and I am kinda lost investigating the cause).

Hi,

Thanks for pinging. You are correct that the implementation had a bug. This is now fixed on the Flowable 6 master and flowable5 branch.

Thanks,

Tijs