Posted to commits@groovy.apache.org by pa...@apache.org on 2017/05/10 22:26:47 UTC

[19/50] [abbrv] groovy git commit: GROOVY-8135: SecureASTCustomizer whitelist does not work (closes #538)

GROOVY-8135: SecureASTCustomizer whitelist does not work (closes #538)

For arrays we should get componentType instead of type


Project: http://git-wip-us.apache.org/repos/asf/groovy/repo
Commit: http://git-wip-us.apache.org/repos/asf/groovy/commit/ce35457a
Tree: http://git-wip-us.apache.org/repos/asf/groovy/tree/ce35457a
Diff: http://git-wip-us.apache.org/repos/asf/groovy/diff/ce35457a

Branch: refs/heads/parrot
Commit: ce35457ae14be60b034b7d0fda69b4aed6f2e0a2
Parents: 518dca1
Author: Sargis Harutyunyan <sa...@webbfontaine.com>
Authored: Sat May 6 23:34:42 2017 +0400
Committer: paulk <pa...@asert.com.au>
Committed: Thu May 11 08:10:17 2017 +1000

----------------------------------------------------------------------
 .../customizers/SecureASTCustomizer.java        |  7 ++++++-
 .../customizers/SecureASTCustomizerTest.groovy  | 21 ++++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/groovy/blob/ce35457a/src/main/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java
----------------------------------------------------------------------
diff --git a/src/main/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java b/src/main/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java
index b3d39f7..79b5455 100644
--- a/src/main/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java
+++ b/src/main/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java
@@ -698,7 +698,8 @@ public class SecureASTCustomizer extends CompilationCustomizer {
                         assertImportIsAllowed(expression.getType().getName());
                     } else if (expression instanceof MethodCallExpression) {
                         MethodCallExpression expr = (MethodCallExpression) expression;
-                        final String typename = expr.getObjectExpression().getType().getName();
+                        ClassNode objectExpressionType = expr.getObjectExpression().getType();
+                        final String typename = getExpressionType(objectExpressionType).getName();
                         assertImportIsAllowed(typename);
                         assertStaticImportIsAllowed(expr.getMethodAsString(), typename);
                     } else if (expression instanceof StaticMethodCallExpression) {
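Review bot: Only the `MethodCallExpression` branch is routed through `getExpressionType`; the branch directly above it still hands `expression.getType().getName()` to `assertImportIsAllowed` unchanged. If that expression kind can carry an array type, its import check would keep comparing the array type's own name instead of the element type's, so confirm this and, if needed, use `assertImportIsAllowed(getExpressionType(expression.getType()).getName());`. The enclosing method and the `StaticMethodCallExpression` branch continue outside this hunk, so the same question may apply to the owner type checked there.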
@@ -718,6 +719,10 @@ public class SecureASTCustomizer extends CompilationCustomizer {
             }
         }
 
+        private ClassNode getExpressionType(ClassNode objectExpressionType) {
+            return objectExpressionType.isArray() ? getExpressionType(objectExpressionType.getComponentType()) : objectExpressionType;
+        }
+
         /**
          * Checks that a given token is either in the whitelist or not in the blacklist.
          *
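Review bot: `getExpressionType` has no comment and its name hides what it does: it takes a `ClassNode`, not an expression, and returns the innermost element type of an array at any nesting depth. Because its result decides which name reaches the whitelist/blacklist lookup, say so in a comment such as `// Import rules are matched against element types, so strip every array dimension before the lookup.` and consider a name like `getInnermostComponentType`. For a primitive array the unwrapped node is a primitive type with no package; whether `assertImportIsAllowed` copes with such a name is not visible here and should be checked. The Javadoc that follows the helper belongs to the next method, which starts outside the hunk.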

http://git-wip-us.apache.org/repos/asf/groovy/blob/ce35457a/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy
----------------------------------------------------------------------
diff --git a/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy b/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy
index 56832ce..35ce09a 100644
--- a/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy
+++ b/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy
@@ -459,4 +459,25 @@ class SecureASTCustomizerTest extends GroovyTestCase {
             '''
         }
     }
+
+    // GROOVY-8135
+    void testStarImportsWhiteListWithIndirectImportCheckEnabled() {
+        SecureASTCustomizer customizer = new SecureASTCustomizer()
+        customizer.setIndirectImportCheckEnabled(true)
+
+        List<String> starImportsWhitelist = new ArrayList<String>()
+        starImportsWhitelist.add("java.lang")
+        customizer.setStarImportsWhitelist(starImportsWhitelist)
+
+        CompilerConfiguration cc = new CompilerConfiguration()
+        cc.addCompilationCustomizers(customizer)
+
+        ClassLoader parent = getClass().getClassLoader()
+        GroovyClassLoader loader = new GroovyClassLoader(parent, cc)
+        loader.parseClass("Object object = new Object()")
+        loader.parseClass("Object object = new Object(); object.hashCode()")
+        loader.parseClass("Object[] array = new Object[0]; array.size()")
+        loader.parseClass("Object[][] array = new Object[0][0]; array.size()")
+    }
+
 }
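Review bot: `testStarImportsWhiteListWithIndirectImportCheckEnabled` exercises only scripts that are expected to compile, so it would still pass if array receivers skipped the import check altogether. For a security filter the denial path matters as much as the allow path: add a case that calls a method on an array whose element type lies outside the `java.lang` whitelist and assert that compilation is rejected. A primitive-array case such as `loader.parseClass("int[] array = new int[0]; array.size()")` would also pin down how the unwrapped component type is treated.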