fix(TDI-48203): [CVE]: routines.system.JSONObject(Object bean) use reflect to call method invoke, that's dangerous for evil script inject (#5426)

main/plugins/org.talend.librariesmanager/resources/java/routines/system/JSONObject.java

@@ -243,10 +243,37 @@ public class JSONObject {
      * 
      * @param bean An object that has getter methods that should be used to make a JSONObject.
      */
+    @Deprecated
     public JSONObject(Object bean) {
         this();
         populateMap(bean);
     }
+    
+    /**
+     * Construct a JSONObject from an Object using bean getters. It reflects on all of the public methods of the object.
+     * For each of the methods with no parameters and a name starting with <code>"get"</code> or <code>"is"</code>
+     * followed by an uppercase letter, the method is invoked, and a key and the value returned from the getter method
+     * are put into the new JSONObject.
+     * 
+     * The key is formed by removing the <code>"get"</code> or <code>"is"</code> prefix. If the second remaining
+     * character is not upper case, then the first character is converted to lower case.
+     * 
+     * For example, if an object has a method named <code>"getName"</code>, and if the result of calling
+     * <code>object.getName()</code> is <code>"Larry Fine"</code>, then the JSONObject will contain
+     * <code>"name": "Larry Fine"</code>.
+     * 
+     * @param bean An object that has getter methods that should be used to make a JSONObject.
+     * @param expectedClass Bean must be the instance of this class, for safe to avoid evil script inject
+     */
+    public JSONObject(Object bean, Class<?> expectedClass) {
+        this();
+        
+        if(bean.getClass() != expectedClass) {
+            throw new JSONException("expectedClass doesn't match the bean or is null");
+        } 
+        
+        populateMap(bean);
+    }
 
     /**
      * Construct a JSONObject from an Object, using reflection to find the public members. The resulting JSONObject's