From eabbd2fa32aa57ccfcca2b63ad8dd6453e19ca6c Mon Sep 17 00:00:00 2001
From: Anuken
Date: Wed, 27 Nov 2019 00:07:37 -0500
Subject: [PATCH] """security"""
---
 core/src/io/anuke/mindustry/mod/Scripts.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/core/src/io/anuke/mindustry/mod/Scripts.java b/core/src/io/anuke/mindustry/mod/Scripts.java
index 4de51215a0..f55a52571d 100644
--- a/core/src/io/anuke/mindustry/mod/Scripts.java
+++ b/core/src/io/anuke/mindustry/mod/Scripts.java
@@ -1,10 +1,12 @@
 package io.anuke.mindustry.mod;
+import io.anuke.arc.files.*;
 import org.graalvm.polyglot.*;
 public class Scripts{
 //TODO allowHostAccess(...) is obviously insecure
- private Context context = Context.newBuilder("js").allowHostClassLookup(s -> s.startsWith("io.anuke.mindustry")).allowHostAccess(HostAccess.ALL).build();
+ private Context context = Context.newBuilder("js").allowHostClassLookup(s -> s.startsWith("io.anuke.mindustry"))
+ .allowHostAccess(HostAccess.newBuilder().allowPublicAccess(true).denyAccess(FileHandle.class).build()).build();
 public Scripts(){
 context.eval("js", "console.log(\"Initialized JS context.\")");
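Review bot: The new host-access policy on the `context` field is still a denylist: `allowPublicAccess(true)` leaves every public member of every host object a script can reach callable, and `denyAccess(FileHandle.class)` removes only that one class, so other file, process, network and reflection APIs reachable through returned objects stay exposed. The GraalVM javadoc for public access states, as I read it, that reflection is not restricted under this setting; confirm that for the version in use. For mod scripts that are not fully trusted an allowlist is the safer default: `.allowHostAccess(HostAccess.EXPLICIT)` with `@HostAccess.Export` on the members mods are meant to call. The lookup filter `s.startsWith("io.anuke.mindustry")` also accepts any package that merely begins with that string, so `"io.anuke.mindustry."` with the trailing dot is tighter. The class body continues outside the hunk.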