groovy-commits mailing list archives

From jwagenleit...@apache.org
Subject [1/2] groovy git commit: GROOVY-8135: SecureASTCustomizer whitelist does not work (closes #538)
Date Sun, 07 May 2017 05:01:10 GMT
Repository: groovy
Updated Branches:
  refs/heads/GROOVY_2_5_X c7b745b67 -> 0b3bc1fbd


GROOVY-8135: SecureASTCustomizer whitelist does not work (closes #538)

For arrays we should get componentType instead of type


Project: http://git-wip-us.apache.org/repos/asf/groovy/repo
Commit: http://git-wip-us.apache.org/repos/asf/groovy/commit/0b3bc1fb
Tree: http://git-wip-us.apache.org/repos/asf/groovy/tree/0b3bc1fb
Diff: http://git-wip-us.apache.org/repos/asf/groovy/diff/0b3bc1fb

Branch: refs/heads/GROOVY_2_5_X
Commit: 0b3bc1fbda38dcba41d5bf6ba61abbae840662a8
Parents: 8a02172
Author: Sargis Harutyunyan <sargis.harutyunyan@webbfontaine.com>
Authored: Sat May 6 23:34:42 2017 +0400
Committer: John Wagenleitner <jwagenleitner@apache.org>
Committed: Sat May 6 22:00:08 2017 -0700

----------------------------------------------------------------------
 .../customizers/SecureASTCustomizer.java        |  7 ++++++-
 .../customizers/SecureASTCustomizerTest.groovy  | 21 ++++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/groovy/blob/0b3bc1fb/src/main/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java
----------------------------------------------------------------------
diff --git a/src/main/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java b/src/main/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java
index b3d39f7..79b5455 100644
--- a/src/main/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java
+++ b/src/main/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java
@@ -698,7 +698,8 @@ public class SecureASTCustomizer extends CompilationCustomizer {
                         assertImportIsAllowed(expression.getType().getName());
                     } else if (expression instanceof MethodCallExpression) {
                         MethodCallExpression expr = (MethodCallExpression) expression;
-                        final String typename = expr.getObjectExpression().getType().getName();
+                        ClassNode objectExpressionType = expr.getObjectExpression().getType();
+                        final String typename = getExpressionType(objectExpressionType).getName();
                         assertImportIsAllowed(typename);
                         assertStaticImportIsAllowed(expr.getMethodAsString(), typename);
                     } else if (expression instanceof StaticMethodCallExpression) {
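Review bot: Only the `MethodCallExpression` branch is switched to the unwrapped type; the branch on the first context line still calls `assertImportIsAllowed(expression.getType().getName())` directly, and the `StaticMethodCallExpression` branch begins on the last line of the hunk with its body outside it. If either of those can see an array-typed `ClassNode`, it would presumably still be checked under the array type's name rather than the element class, so route them through `getExpressionType(...)` as well or add a comment such as `// never an array type here` where that holds. Separately, `typename` comes from the receiver's compile-time type in the AST, so these lists restrict what the source declares rather than the run-time class of the object; a short comment above the branch saying so would keep readers from treating this check as a complete sandbox.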
@@ -718,6 +719,10 @@ public class SecureASTCustomizer extends CompilationCustomizer {
             }
         }
 
+        private ClassNode getExpressionType(ClassNode objectExpressionType) {
+            return objectExpressionType.isArray() ? getExpressionType(objectExpressionType.getComponentType()) : objectExpressionType;
+        }
+
         /**
          * Checks that a given token is either in the whitelist or not in the blacklist.
          *
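Review bot: `getExpressionType` has no comment and its name hides what it does: it strips every array dimension and returns the innermost component type, which is the name the import checks then see. Because this step decides which class name reaches the whitelist and blacklist checks, document it, e.g. `/** Returns the innermost component type of an array type, or the type itself if it is not an array, so import checks apply to the element class. */`, and consider a name such as `getInnermostComponentType`. The recursion could also be a plain `while (type.isArray()) type = type.getComponentType();` loop, which reads more directly. The enclosing class continues outside the hunk.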

http://git-wip-us.apache.org/repos/asf/groovy/blob/0b3bc1fb/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy
----------------------------------------------------------------------
diff --git a/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy b/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy
index 56832ce..35ce09a 100644
--- a/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy
+++ b/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy
@@ -459,4 +459,25 @@ class SecureASTCustomizerTest extends GroovyTestCase {
             '''
         }
     }
+
+    // GROOVY-8135
+    void testStarImportsWhiteListWithIndirectImportCheckEnabled() {
+        SecureASTCustomizer customizer = new SecureASTCustomizer()
+        customizer.setIndirectImportCheckEnabled(true)
+
+        List<String> starImportsWhitelist = new ArrayList<String>()
+        starImportsWhitelist.add("java.lang")
+        customizer.setStarImportsWhitelist(starImportsWhitelist)
+
+        CompilerConfiguration cc = new CompilerConfiguration()
+        cc.addCompilationCustomizers(customizer)
+
+        ClassLoader parent = getClass().getClassLoader()
+        GroovyClassLoader loader = new GroovyClassLoader(parent, cc)
+        loader.parseClass("Object object = new Object()")
+        loader.parseClass("Object object = new Object(); object.hashCode()")
+        loader.parseClass("Object[] array = new Object[0]; array.size()")
+        loader.parseClass("Object[][] array = new Object[0][0]; array.size()")
+    }
+
 }
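Review bot: The new test only asserts that four snippets compile under a `java.lang` star-import whitelist; it has no case that expects a rejection, so it cannot show that the unwrapped component type is what actually gets checked. Add a negative case where the receiver is an array whose element class is outside the permitted packages and the parse is expected to fail with a security error, plus a blacklist variant (for example via `setStarImportsBlacklist`), since a blacklist is where checking the array type's own name instead of the element class would presumably let a listed class through. A primitive-array case such as `int[]` is also missing; whether the unwrapped name passes the whitelist is not visible from this hunk.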

