From commits-return-10077-archive-asf-public=cust-asf.ponee.io@groovy.apache.org Mon Dec 2 00:35:21 2019 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [207.244.88.153]) by mx-eu-01.ponee.io (Postfix) with SMTP id 30BC718061A for ; Mon, 2 Dec 2019 01:35:21 +0100 (CET) Received: (qmail 8349 invoked by uid 500); 2 Dec 2019 00:35:20 -0000 Mailing-List: contact commits-help@groovy.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@groovy.apache.org Delivered-To: mailing list commits@groovy.apache.org Received: (qmail 8340 invoked by uid 99); 2 Dec 2019 00:35:20 -0000 Received: from ec2-52-202-80-70.compute-1.amazonaws.com (HELO gitbox.apache.org) (52.202.80.70) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 02 Dec 2019 00:35:20 +0000 Received: by gitbox.apache.org (ASF Mail Server at gitbox.apache.org, from userid 33) id 33BE68B690; Mon, 2 Dec 2019 00:35:20 +0000 (UTC) Date: Mon, 02 Dec 2019 00:35:20 +0000 To: "commits@groovy.apache.org" Subject: [groovy] branch master updated: GROOVY-9318: add support for ** syntax in static star import white/black lists MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Message-ID: <157524692003.31074.15353444897026216167@gitbox.apache.org> 
From: emilles@apache.org X-Git-Host: gitbox.apache.org X-Git-Repo: groovy X-Git-Refname: refs/heads/master X-Git-Reftype: branch X-Git-Oldrev: bb52ea08a04966ffd18999acbdfa58cb81486864 X-Git-Newrev: 3b8c172a86184d13b9b06aeb1dcd43803080d857 X-Git-Rev: 3b8c172a86184d13b9b06aeb1dcd43803080d857 X-Git-NotificationType: ref_changed_plus_diff X-Git-Multimail-Version: 1.5.dev Auto-Submitted: auto-generated This is an automated email from the ASF dual-hosted git repository. emilles pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/groovy.git The following commit(s) were added to refs/heads/master by this push: new 3b8c172 GROOVY-9318: add support for ** syntax in static star import white/black lists 3b8c172 is described below commit 3b8c172a86184d13b9b06aeb1dcd43803080d857 Author: Martin Grofčík AuthorDate: Mon Dec 2 01:35:09 2019 +0100 GROOVY-9318: add support for ** syntax in static star import white/black lists --- .../control/customizers/SecureASTCustomizer.java | 8 +++-- .../customizers/SecureASTCustomizerTest.groovy | 34 ++++++++++++++++++++++ 2 files changed, 40 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java b/src/main/java/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java index 572d596..fe4622e 100644 --- a/src/main/java/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java +++ b/src/main/java/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java 
@@ -694,7 +694,9 @@ public class SecureASTCustomizer extends CompilationCustomizer { if (staticImportsWhitelist != null && !staticImportsWhitelist.contains(fqn)) { if (staticStarImportsWhitelist != null) { // we should now check if the import is in the star imports - if (!staticStarImportsWhitelist.contains(className + ".*")) { + String packageName = className.substring(0, className.lastIndexOf('.') + 1) + "*"; + if (!staticStarImportsWhitelist.contains(className + ".*") && + !staticStarImportsWhitelist.stream().filter(it -> it.endsWith(".")).anyMatch(packageName::startsWith)) { throw new SecurityException("Importing [" + fqn + "] is not allowed"); } } else { @@ -706,7 +708,9 @@ public class SecureASTCustomizer extends CompilationCustomizer { } // check that there's no star import blacklist if (staticStarImportsBlacklist != null) { - if (staticStarImportsBlacklist.contains(className + ".*")) { + String packageName = className.substring(0, className.lastIndexOf('.') + 1) + "*"; + if (staticStarImportsBlacklist.contains(className + ".*") || + staticStarImportsBlacklist.stream().filter(it -> it.endsWith(".")).anyMatch(packageName::startsWith)) { throw new SecurityException("Importing [" + fqn + "] is not allowed"); } } diff --git a/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy b/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy index 2218f9b..ad645ae 100644 --- a/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy +++ b/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy 
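Review bot: The new prefix match in both SecureASTCustomizer.java hunks only looks at list entries that end with `.`, but nothing on the new side says that this is how a `**` entry is represented. The test sets `'java.lang.**'`, which does not end with a dot, so the conversion presumably happens in a setter outside these hunks. This matters most in the blacklist hunk: an entry that reaches the list un-normalized matches nothing and the import is allowed, whereas the whitelist check fails closed. I would add a comment above `packageName`, such as `// entries ending in '.' are normalized "pkg.**" prefixes: they match the class's package and every sub-package`, and move the duplicated `contains(...)`/`stream()...anyMatch(packageName::startsWith)` expression into one private helper so the two checks cannot drift apart. The enclosing method starts and ends outside both hunks.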
@@ -415,6 +415,40 @@ final class SecureASTCustomizerTest { } @Test + void testStaticDoubleStarImportWhiteList() { + customizer.staticStarImportsWhitelist = ['java.lang.**'] + def shell = new GroovyShell(configuration) + shell.evaluate(''' + import static java.lang.Math.PI + import static java.lang.Math.cos + cos(PI) + ''') + assert hasSecurityException { + shell.evaluate(''' + import static java.util.Collections.* + sort([5,4,2]) + ''') + } + } + + @Test + void testStaticDoubleStarImportBlackList() { + customizer.staticStarImportsBlacklist = ['java.lang.**'] + def shell = new GroovyShell(configuration) + assert hasSecurityException { + shell.evaluate(''' + import static java.lang.Math.PI + import static java.lang.Math.cos + cos(PI) + ''') + } + shell.evaluate(''' + import static java.util.Collections.* + sort([5,4,2]) + ''') + } + + @Test void testIndirectStaticImport() { customizer.staticImportsWhitelist = ['java.lang.Math.PI'] customizer.indirectImportCheckEnabled = true
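Review bot: Both new tests only import from classes directly in `java.lang`, so the recursive meaning of `**` is never pinned down. A case with a static member from a sub-package, e.g. `import static java.lang.reflect.Modifier.isPublic`, would show that `java.lang.**` covers nested packages in the whitelist and the blacklist. A package name that shares the `java.lang` text but not the trailing dot boundary would guard the prefix comparison against over-matching. In the whitelist test the only rejected import is a star import; a rejected named import such as `import static java.util.Collections.sort` would cover the other form too.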