Posted to commits@groovy.apache.org by pa...@apache.org on 2017/05/10 22:26:47 UTC
[19/50] [abbrv] groovy git commit: GROOVY-8135: SecureASTCustomizer
whitelist does not work (closes #538)
GROOVY-8135: SecureASTCustomizer whitelist does not work (closes #538)
For arrays we should get componentType instead of type
Project: http://git-wip-us.apache.org/repos/asf/groovy/repo
Commit: http://git-wip-us.apache.org/repos/asf/groovy/commit/ce35457a
Tree: http://git-wip-us.apache.org/repos/asf/groovy/tree/ce35457a
Diff: http://git-wip-us.apache.org/repos/asf/groovy/diff/ce35457a
Branch: refs/heads/parrot
Commit: ce35457ae14be60b034b7d0fda69b4aed6f2e0a2
Parents: 518dca1
Author: Sargis Harutyunyan <sa...@webbfontaine.com>
Authored: Sat May 6 23:34:42 2017 +0400
Committer: paulk <pa...@asert.com.au>
Committed: Thu May 11 08:10:17 2017 +1000
----------------------------------------------------------------------
.../customizers/SecureASTCustomizer.java | 7 ++++++-
.../customizers/SecureASTCustomizerTest.groovy | 21 ++++++++++++++++++++
2 files changed, 27 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/groovy/blob/ce35457a/src/main/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java
----------------------------------------------------------------------
diff --git a/src/main/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java b/src/main/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java
index b3d39f7..79b5455 100644
--- a/src/main/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java
+++ b/src/main/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java
@@ -698,7 +698,8 @@ public class SecureASTCustomizer extends CompilationCustomizer {
assertImportIsAllowed(expression.getType().getName());
} else if (expression instanceof MethodCallExpression) {
MethodCallExpression expr = (MethodCallExpression) expression;
- final String typename = expr.getObjectExpression().getType().getName();
+ ClassNode objectExpressionType = expr.getObjectExpression().getType();
+ final String typename = getExpressionType(objectExpressionType).getName();
assertImportIsAllowed(typename);
assertStaticImportIsAllowed(expr.getMethodAsString(), typename);
} else if (expression instanceof StaticMethodCallExpression) {
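Review bot: The array unwrapping is applied only to the receiver in the `MethodCallExpression` branch, while the `assertImportIsAllowed(expression.getType().getName());` call at the top of this hunk still passes the raw type name. If an array-typed node can reach that branch or the later ones, the whitelist would again be matched against the array's name rather than its element type, which is the mismatch this commit fixes for method calls. Consider routing every type lookup in this chain through the helper, for example `assertImportIsAllowed(getExpressionType(expression.getType()).getName());`. The enclosing method starts and ends outside the hunk, so the remaining branches could not be checked from here.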
@@ -718,6 +719,10 @@ public class SecureASTCustomizer extends CompilationCustomizer {
}
}
+ private ClassNode getExpressionType(ClassNode objectExpressionType) {
+ return objectExpressionType.isArray() ? getExpressionType(objectExpressionType.getComponentType()) : objectExpressionType;
+ }
+
/**
* Checks that a given token is either in the whitelist or not in the blacklist.
*
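Review bot: `getExpressionType` is undocumented and its name suggests it works on an expression, whereas it takes a `ClassNode` and returns the innermost element type of a possibly nested array. Because its result decides which name is matched against the import whitelist, a short Javadoc would help the next reader, such as `/** Returns the innermost component type of an array type, or the type itself when it is not an array. */`, and a name like `getInnermostComponentType` would say what it does. The visible body uses no instance state, so the method could also be `static`. The hunk ends inside the Javadoc of the following method.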
http://git-wip-us.apache.org/repos/asf/groovy/blob/ce35457a/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy
----------------------------------------------------------------------
diff --git a/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy b/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy
index 56832ce..35ce09a 100644
--- a/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy
+++ b/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy
@@ -459,4 +459,25 @@ class SecureASTCustomizerTest extends GroovyTestCase {
'''
}
}
+
+ // GROOVY-8135
+ void testStarImportsWhiteListWithIndirectImportCheckEnabled() {
+ SecureASTCustomizer customizer = new SecureASTCustomizer()
+ customizer.setIndirectImportCheckEnabled(true)
+
+ List<String> starImportsWhitelist = new ArrayList<String>()
+ starImportsWhitelist.add("java.lang")
+ customizer.setStarImportsWhitelist(starImportsWhitelist)
+
+ CompilerConfiguration cc = new CompilerConfiguration()
+ cc.addCompilationCustomizers(customizer)
+
+ ClassLoader parent = getClass().getClassLoader()
+ GroovyClassLoader loader = new GroovyClassLoader(parent, cc)
+ loader.parseClass("Object object = new Object()")
+ loader.parseClass("Object object = new Object(); object.hashCode()")
+ loader.parseClass("Object[] array = new Object[0]; array.size()")
+ loader.parseClass("Object[][] array = new Object[0][0]; array.size()")
+ }
+
}
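Review bot: `testStarImportsWhiteListWithIndirectImportCheckEnabled` only parses scripts that are expected to be accepted, so it would still pass if the array unwrapping made the import check too permissive. For a security control the rejecting path should be pinned as well: add a case whose element type lies outside the whitelisted `java.lang` package and assert that compilation fails, for instance `shouldFail { loader.parseClass("java.util.Date[] array = new java.util.Date[0]; array.size()") }` (expected to be rejected; confirm the exception type the suite normally asserts). A primitive array such as `int[]` is also worth a case, since its component type has no package and the page does not show how the star-import whitelist treats it.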