groovy-commits mailing list archives

From emil...@apache.org
Subject [groovy] branch master updated: GROOVY-9318: add support for ** syntax in static star import white/black lists
Date Mon, 02 Dec 2019 00:35:20 GMT
This is an automated email from the ASF dual-hosted git repository.

emilles pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/groovy.git


The following commit(s) were added to refs/heads/master by this push:
     new 3b8c172  GROOVY-9318: add support for ** syntax in static star import white/black
lists
3b8c172 is described below

commit 3b8c172a86184d13b9b06aeb1dcd43803080d857
Author: Martin Grofčík <mgrofcik@gmail.com>
AuthorDate: Mon Dec 2 01:35:09 2019 +0100

    GROOVY-9318: add support for ** syntax in static star import white/black lists
---
 .../control/customizers/SecureASTCustomizer.java   |  8 +++--
 .../customizers/SecureASTCustomizerTest.groovy     | 34 ++++++++++++++++++++++
 2 files changed, 40 insertions(+), 2 deletions(-)

diff --git a/src/main/java/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java b/src/main/java/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java
index 572d596..fe4622e 100644
--- a/src/main/java/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java
+++ b/src/main/java/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java
@@ -694,7 +694,9 @@ public class SecureASTCustomizer extends CompilationCustomizer {
         if (staticImportsWhitelist != null && !staticImportsWhitelist.contains(fqn)) {
             if (staticStarImportsWhitelist != null) {
                 // we should now check if the import is in the star imports
-                if (!staticStarImportsWhitelist.contains(className + ".*")) {
+                String packageName = className.substring(0, className.lastIndexOf('.') + 1) + "*";
+                if (!staticStarImportsWhitelist.contains(className + ".*") &&
+                    !staticStarImportsWhitelist.stream().filter(it -> it.endsWith(".")).anyMatch(packageName::startsWith)) {
                     throw new SecurityException("Importing [" + fqn + "] is not allowed");
                 }
             } else {
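Review bot: The `it.endsWith(".")` filter in the added whitelist condition treats every list entry ending in a dot as a recursive package grant, but nothing in this hunk shows where an entry such as `java.lang.**` is turned into that form; presumably a normaliser outside the diff strips the stars, and that contract should be stated in a comment because it decides whether a `SecurityException` is thrown. The same `packageName` computation and stream test are repeated in the blacklist hunk that follows, so one private helper would keep the allow and deny paths from drifting apart. A whitelist entry like the test's `java.lang.**` admits static imports from every class in that package and all of its subpackages, which the setter's Javadoc (not part of this diff) should say explicitly. The sketch assumes both fields are `List<String>`; the enclosing method starts and ends outside the hunk.

```java
// … unchanged: lookup of fqn in staticImportsWhitelist …
if (!staticStarImportsWhitelist.contains(className + ".*")
        && !matchesRecursiveStarImport(staticStarImportsWhitelist, className)) {
// … unchanged: throw, else branch, blacklist checks (the blacklist uses the same helper) …

/**
 * Tells whether {@code className} lives in, or below, a package listed with the
 * recursive "pkg.**" form. Such entries are expected to reach this method already
 * reduced to "pkg." (trailing dot), which is why only entries ending in '.' are tested.
 */
private static boolean matchesRecursiveStarImport(final List<String> starImports, final String className) {
    final String packageName = className.substring(0, className.lastIndexOf('.') + 1) + "*";
    return starImports.stream()
            .filter(it -> it.endsWith("."))
            .anyMatch(packageName::startsWith);
}
```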
@@ -706,7 +708,9 @@ public class SecureASTCustomizer extends CompilationCustomizer {
         }
         // check that there's no star import blacklist
         if (staticStarImportsBlacklist != null) {
-            if (staticStarImportsBlacklist.contains(className + ".*")) {
+            String packageName = className.substring(0, className.lastIndexOf('.') + 1) + "*";
+            if (staticStarImportsBlacklist.contains(className + ".*") ||
+                staticStarImportsBlacklist.stream().filter(it -> it.endsWith(".")).anyMatch(packageName::startsWith)) {
                 throw new SecurityException("Importing [" + fqn + "] is not allowed");
             }
         }
diff --git a/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy b/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy
index 2218f9b..ad645ae 100644
--- a/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy
+++ b/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy
@@ -415,6 +415,40 @@ final class SecureASTCustomizerTest {
     }
 
     @Test
+    void testStaticDoubleStarImportWhiteList() {
+        customizer.staticStarImportsWhitelist = ['java.lang.**']
+        def shell = new GroovyShell(configuration)
+        shell.evaluate('''
+            import static java.lang.Math.PI
+            import static java.lang.Math.cos
+            cos(PI)
+        ''')
+        assert hasSecurityException {
+            shell.evaluate('''
+                import static java.util.Collections.*
+                sort([5,4,2])
+            ''')
+        }
+    }
+
+    @Test
+    void testStaticDoubleStarImportBlackList() {
+        customizer.staticStarImportsBlacklist = ['java.lang.**']
+        def shell = new GroovyShell(configuration)
+        assert hasSecurityException {
+            shell.evaluate('''
+                import static java.lang.Math.PI
+                import static java.lang.Math.cos
+                cos(PI)
+            ''')
+        }
+        shell.evaluate('''
+            import static java.util.Collections.*
+            sort([5,4,2])
+        ''')
+    }
+
+    @Test
     void testIndirectStaticImport() {
         customizer.staticImportsWhitelist = ['java.lang.Math.PI']
         customizer.indirectImportCheckEnabled = true
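Review bot: Neither new test covers the one case that distinguishes `**` from a plain star entry, a class in a subpackage of the listed package. Both tests import from `java.lang.Math`, which sits directly in `java.lang`, and from `java.util.Collections`, which is outside it, so a regression in the prefix match on subpackages would go unnoticed. A subpackage import should be asserted as allowed under the whitelist and rejected under the blacklist. The sketch below assumes the fixture's `configuration` applies no other restriction to these scripts; `testIndirectStaticImport` continues past the end of the hunk.

```groovy
@Test
void testStaticDoubleStarImportWhiteListCoversSubpackages() {
    customizer.staticStarImportsWhitelist = ['java.util.**']
    def shell = new GroovyShell(configuration)
    shell.evaluate('''
        import static java.util.concurrent.TimeUnit.SECONDS
        SECONDS.toMillis(1)
    ''')
}

@Test
void testStaticDoubleStarImportBlackListCoversSubpackages() {
    customizer.staticStarImportsBlacklist = ['java.util.**']
    def shell = new GroovyShell(configuration)
    assert hasSecurityException {
        shell.evaluate('''
            import static java.util.concurrent.TimeUnit.SECONDS
            SECONDS.toMillis(1)
        ''')
    }
}
```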

