groovy-notifications mailing list archives

From "Paul King (JIRA)" <j...@apache.org>
Subject [jira] [Closed] (GROOVY-8135) SecureASTCustomizer whitelist does not work
Date Tue, 06 Mar 2018 23:15:02 GMT

     [ https://issues.apache.org/jira/browse/GROOVY-8135?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul King closed GROOVY-8135.
-----------------------------

> SecureASTCustomizer whitelist does not work
> -------------------------------------------
>
>                 Key: GROOVY-8135
>                 URL: https://issues.apache.org/jira/browse/GROOVY-8135
>             Project: Groovy
>          Issue Type: Bug
>    Affects Versions: 2.4.8
>            Reporter: Radoslav Ivanov
>            Assignee: John Wagenleitner
>            Priority: Critical
>             Fix For: 2.4.12
>
>
> The example [1] throws a SecurityException [2].
> Details
> 1. Source code
> import java.util.ArrayList;
> import java.util.List;
> import groovy.lang.GroovyClassLoader;
> import org.codehaus.groovy.control.CompilerConfiguration;
> import org.codehaus.groovy.control.customizers.SecureASTCustomizer;
>
> SecureASTCustomizer customizer = new SecureASTCustomizer();
> customizer.setIndirectImportCheckEnabled(true);
>
> List<String> starImportsWhitelist = new ArrayList<String>();
> starImportsWhitelist.add("java.lang");
> customizer.setStarImportsWhitelist(starImportsWhitelist);
>
> CompilerConfiguration cc = new CompilerConfiguration();
> cc.addCompilationCustomizers(customizer);
>
> ClassLoader parent = getClass().getClassLoader();
> GroovyClassLoader loader = new GroovyClassLoader(parent, cc);
>
> loader.parseClass("Object[] array = new Object[0]; array.size()");
> 2. Exception
> Caused by: java.lang.SecurityException: Importing [[Ljava.lang.Object;] is not allowed
>     at org.codehaus.groovy.control.customizers.SecureASTCustomizer.assertImportIsAllowed(SecureASTCustomizer.java:608)
>     at org.codehaus.groovy.control.customizers.SecureASTCustomizer.access$800(SecureASTCustomizer.java:121)
>     at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.assertExpressionAuthorized(SecureASTCustomizer.java:702)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
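The trace in the report shows why a package whitelist of `java.lang` rejects `Object[]`: the customizer is handed the JVM binary name `[Ljava.lang.Object;`, and a check that compares a whitelist entry against the prefix of that spelling never matches. The Groovy helper below is an added example, not code from the Groovy project and not the change shipped in 2.4.12; it assumes whitelist entries are bare package names, as in the reporter's snippet, and its function names (`elementTypeName`, `packageOf`, `allowedByStarImports`) are hypothetical. It unwraps array descriptors (any number of dimensions, reference or primitive) to the component type before the package check, so arrays of whitelisted classes pass while arrays of non-whitelisted classes are still refused.

```groovy
// Added example: normalise a JVM class name to the package a star-import
// whitelist should be checked against. Not part of GROOVY-8135 or of Groovy itself.

// Strip array descriptors: "[[Ljava.lang.String;" -> "java.lang.String", "[I" -> "I".
String elementTypeName(String jvmName) {
    String name = jvmName
    while (name.startsWith('[')) {        // one '[' per array dimension
        name = name.substring(1)
    }
    if (name.startsWith('L') && name.endsWith(';')) {   // reference array element
        return name.substring(1, name.length() - 1)
    }
    return name   // primitive descriptor such as "I", or an ordinary class name
}

// Package of the (unwrapped) element type; '' for primitives and default-package classes.
String packageOf(String jvmName) {
    String element = elementTypeName(jvmName)
    int dot = element.lastIndexOf('.')
    return dot < 0 ? '' : element.substring(0, dot)
}

// The whitelist is applied to the component type, so unwrapping never widens it:
// an array of a non-whitelisted class is rejected exactly like the class itself.
boolean allowedByStarImports(String jvmName, List<String> starImportsWhitelist) {
    return starImportsWhitelist.contains(packageOf(jvmName))
}

// Constructed inputs mirroring the report (whitelist entry "java.lang", array of Object).
List<String> whitelist = ['java.lang']
assert packageOf('[Ljava.lang.Object;') == 'java.lang'
assert packageOf('[[Ljava.lang.String;') == 'java.lang'
assert packageOf('java.lang.Object') == 'java.lang'
assert packageOf('[I') == ''
assert allowedByStarImports('[Ljava.lang.Object;', whitelist)   // the reporter's case now passes
assert !allowedByStarImports('[Ljava.io.File;', whitelist)     // still refused: java.io not whitelisted
assert !allowedByStarImports('[I', whitelist)                  // primitives carry no package
println 'array descriptor normalisation checks passed'
```

Run it as a plain Groovy script; the Groovy `assert` statements fail loudly if any mapping is wrong. Note that in the report the customizer failed closed (it rejected legitimate code rather than admitting something unintended), which is the safer failure direction for a sandbox check; the helper keeps that property by evaluating the same whitelist against the unwrapped element type instead of skipping the check for arrays.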
