From jwagenleit...@apache.org
Subject [2/2] groovy git commit: GROOVY-8135: SecureASTCustomizer whitelist does not work (closes #538)
Date Sun, 07 May 2017 04:56:52 GMT
GROOVY-8135: SecureASTCustomizer whitelist does not work (closes #538)

For arrays we should get componentType instead of type


Project: http://git-wip-us.apache.org/repos/asf/groovy/repo
Commit: http://git-wip-us.apache.org/repos/asf/groovy/commit/6b70bbc9
Tree: http://git-wip-us.apache.org/repos/asf/groovy/tree/6b70bbc9
Diff: http://git-wip-us.apache.org/repos/asf/groovy/diff/6b70bbc9

Branch: refs/heads/master
Commit: 6b70bbc940d2cf021877f6a3ef0b5cf5fb974ff3
Parents: 6edd614
Author: Sargis Harutyunyan <sargis.harutyunyan@webbfontaine.com>
Authored: Sat May 6 23:34:42 2017 +0400
Committer: John Wagenleitner <jwagenleitner@apache.org>
Committed: Sat May 6 20:48:05 2017 -0700

----------------------------------------------------------------------
 .../customizers/SecureASTCustomizer.java        |  7 ++++++-
 .../customizers/SecureASTCustomizerTest.groovy  | 21 ++++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/groovy/blob/6b70bbc9/src/main/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java
----------------------------------------------------------------------
diff --git a/src/main/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java b/src/main/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java
index b3d39f7..79b5455 100644
--- a/src/main/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java
+++ b/src/main/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java
@@ -698,7 +698,8 @@ public class SecureASTCustomizer extends CompilationCustomizer {
                         assertImportIsAllowed(expression.getType().getName());
                     } else if (expression instanceof MethodCallExpression) {
                         MethodCallExpression expr = (MethodCallExpression) expression;
-                        final String typename = expr.getObjectExpression().getType().getName();
+                        ClassNode objectExpressionType = expr.getObjectExpression().getType();
+                        final String typename = getExpressionType(objectExpressionType).getName();
                         assertImportIsAllowed(typename);
                         assertStaticImportIsAllowed(expr.getMethodAsString(), typename);
                     } else if (expression instanceof StaticMethodCallExpression) {
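Review bot: The whitelist decision for a method call is still keyed on the type the AST records for the receiver (`expr.getObjectExpression().getType()`), now unwrapped for arrays, and nothing next to the added lines says so. For a receiver whose declared type is broader than the value it holds at run time, this presumably means the import check only ever sees the declared class, which matters to anyone relying on this customizer as a restriction. I would add a comment above the two added lines, e.g. `// checks the receiver's compile-time type (element type for arrays); runtime types are not visible here`. The enclosing method starts and ends outside this hunk, so the sibling branches could not be checked for the same array handling.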
@@ -718,6 +719,10 @@ public class SecureASTCustomizer extends CompilationCustomizer {
             }
         }
 
+        private ClassNode getExpressionType(ClassNode objectExpressionType) {
+            return objectExpressionType.isArray() ? getExpressionType(objectExpressionType.getComponentType()) : objectExpressionType;
+        }
+
         /**
          * Checks that a given token is either in the whitelist or not in the blacklist.
          *
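Review bot: `getExpressionType` takes and returns a `ClassNode`, not an expression, and it has no comment, so its role in the import checks is not clear from the name alone. A short Javadoc would help, e.g. `/** Returns the innermost component type of an array type (any number of dimensions), or the type itself when it is not an array. */`. A name such as `unwrapArrayType` would describe it better if a rename is acceptable. The recursion is bounded by the array's dimension count, so it is fine as written.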

http://git-wip-us.apache.org/repos/asf/groovy/blob/6b70bbc9/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy
----------------------------------------------------------------------
diff --git a/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy b/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy
index 56832ce..35ce09a 100644
--- a/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy
+++ b/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy
@@ -459,4 +459,25 @@ class SecureASTCustomizerTest extends GroovyTestCase {
             '''
         }
     }
+
+    // GROOVY-8135
+    void testStarImportsWhiteListWithIndirectImportCheckEnabled() {
+        SecureASTCustomizer customizer = new SecureASTCustomizer()
+        customizer.setIndirectImportCheckEnabled(true)
+
+        List<String> starImportsWhitelist = new ArrayList<String>()
+        starImportsWhitelist.add("java.lang")
+        customizer.setStarImportsWhitelist(starImportsWhitelist)
+
+        CompilerConfiguration cc = new CompilerConfiguration()
+        cc.addCompilationCustomizers(customizer)
+
+        ClassLoader parent = getClass().getClassLoader()
+        GroovyClassLoader loader = new GroovyClassLoader(parent, cc)
+        loader.parseClass("Object object = new Object()")
+        loader.parseClass("Object object = new Object(); object.hashCode()")
+        loader.parseClass("Object[] array = new Object[0]; array.size()")
+        loader.parseClass("Object[][] array = new Object[0][0]; array.size()")
+    }
+
 }
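Review bot: The new test only shows that whitelisted code still compiles; it never shows that the array path rejects anything, which is the property a whitelist exists to provide. Since `typename` is now the component type, I would add a negative case whose array element class lies outside `java.lang` and assert that `parseClass` fails, for example `shouldFail { loader.parseClass("java.util.Date[] dates = new java.util.Date[0]; dates.size()") }` (a constructed example; the failure may already be raised at the declaration, so confirm which check fires). A primitive array such as `int[]` also deserves one line, because this diff does not show how `assertImportIsAllowed` treats a component type that has no package.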

