修复QLExpressEngineallowClassSet无效问题（issue#3994@Github）

Author: looly

CHANGELOG.md

@@ -12,6 +12,7 @@
 * 【extra  】      `Sftp``reconnectIfTimeout`方法改为捕获所有异常（issue#3989@Github）
 * 【core   】      修复`ChineseDate `闰年闰月节日获取问题（issue#ICL1BT@Gitee）
 * 【core   】      修复`TreeBuilder`append重复向idTreeMap中put问题（pr#3992@Github）
+* 【extra  】      修复`QLExpressEngine`allowClassSet无效问题（issue#3994@Github）
 
 -------------------------------------------------------------------------------------------------------------
 # 5.8.39(2025-06-20)

hutool-extra/src/main/java/cn/hutool/extra/expression/engine/qlexpress/QLExpressEngine.java

@@ -4,7 +4,10 @@
 import cn.hutool.extra.expression.ExpressionException;
 import com.ql.util.express.DefaultContext;
 import com.ql.util.express.ExpressRunner;
+import com.ql.util.express.config.QLExpressRunStrategy;
 
+import javax.naming.InitialContext;
+import java.lang.reflect.Method;
 import java.util.Collection;
 import java.util.Map;
 
@@ -24,10 +27,24 @@ public class QLExpressEngine implements ExpressionEngine {
 	 */
 	public QLExpressEngine() {
 		engine = new ExpressRunner();
+
+		// issue#3994@Github
+		// Enforce blacklisting of high-risk method invocations
+		QLExpressRunStrategy.setForbidInvokeSecurityRiskMethods(true);
+		// Explicitly forbid JNDI lookup calls through InitialContext
+		QLExpressRunStrategy.addSecurityRiskMethod(InitialContext.class, "doLookup");
 	}
 
 	@Override
 	public Object eval(final String expression, final Map<String, Object> context, Collection<Class<?>> allowClassSet) {
+		// issue#3994@Github
+		if (null != allowClassSet) {
+			for (Class<?> clazz : allowClassSet) {
+				for (Method method : clazz.getDeclaredMethods()) {
+					QLExpressRunStrategy.addSecureMethod(clazz, method.getName());
+				}
+			}
+		}
 		final DefaultContext<String, Object> defaultContext = new DefaultContext<>();
 		defaultContext.putAll(context);
 		try {