Posted to notifications@groovy.apache.org by "John Wagenleitner (JIRA)" <ji...@apache.org> on 2017/05/07 05:53:04 UTC
[jira] [Resolved] (GROOVY-8135) SecureASTCustomizer whitelist does not work
[ https://issues.apache.org/jira/browse/GROOVY-8135?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
John Wagenleitner resolved GROOVY-8135.
---------------------------------------
Resolution: Fixed
Assignee: John Wagenleitner
Fix Version/s: 2.4.12
Thanks for reporting the issue.
> SecureASTCustomizer whitelist does not work
> -------------------------------------------
>
> Key: GROOVY-8135
> URL: https://issues.apache.org/jira/browse/GROOVY-8135
> Project: Groovy
> Issue Type: Bug
> Affects Versions: 2.4.8
> Reporter: Radoslav Ivanov
> Assignee: John Wagenleitner
> Priority: Critical
> Fix For: 2.4.12
>
>
> The example [1] throws a SecurityException [2].
> Details
> 1. Source code
> import java.util.ArrayList;
> import java.util.List;
> import groovy.lang.GroovyClassLoader;
> import org.codehaus.groovy.control.CompilerConfiguration;
> import org.codehaus.groovy.control.customizers.SecureASTCustomizer;
>
> // Inside an instance method (getClass() supplies the parent class loader)
> SecureASTCustomizer customizer = new SecureASTCustomizer();
> customizer.setIndirectImportCheckEnabled(true);
>
> // Whitelist only the java.lang package via the star-imports whitelist
> List<String> starImportsWhitelist = new ArrayList<String>();
> starImportsWhitelist.add("java.lang");
> customizer.setStarImportsWhitelist(starImportsWhitelist);
>
> CompilerConfiguration cc = new CompilerConfiguration();
> cc.addCompilationCustomizers(customizer);
>
> ClassLoader parent = getClass().getClassLoader();
> GroovyClassLoader loader = new GroovyClassLoader(parent, cc);
>
> // Object[] is an array of a whitelisted type, yet the check rejects it
> loader.parseClass("Object[] array = new Object[0]; array.size()");
> 2. Exception
> Caused by: java.lang.SecurityException: Importing [[Ljava.lang.Object;] is not allowed
> at org.codehaus.groovy.control.customizers.SecureASTCustomizer.assertImportIsAllowed(SecureASTCustomizer.java:608)
> at org.codehaus.groovy.control.customizers.SecureASTCustomizer.access$800(SecureASTCustomizer.java:121)
> at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.assertExpressionAuthorized(SecureASTCustomizer.java:702)
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
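An added regression check for the behaviour described in this issue, written here as an example and not taken from the issue or from the Groovy project: it assumes Groovy 2.4.12 or later (where the fix ships), and the helper names whitelistedLoader and denialFor are my own. It verifies that a star-import whitelist of java.lang accepts an array of a whitelisted type while still denying classes outside the whitelist, plain or as arrays.

```groovy
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.MultipleCompilationErrorsException
import org.codehaus.groovy.control.customizers.SecureASTCustomizer

// Build a loader whose SecureASTCustomizer only admits the given star-import packages
// (same configuration as the report: indirect import checks on, whitelist only).
static GroovyClassLoader whitelistedLoader(List<String> starImports) {
    SecureASTCustomizer customizer = new SecureASTCustomizer()
    customizer.indirectImportCheckEnabled = true
    customizer.starImportsWhitelist = starImports
    CompilerConfiguration cc = new CompilerConfiguration()
    cc.addCompilationCustomizers(customizer)
    return new GroovyClassLoader(Thread.currentThread().contextClassLoader, cc)
}

// Compile a script and return the customizer's SecurityException, or null if it compiled.
// The compiler wraps the exception in its error collector, so unwrap it from there.
static SecurityException denialFor(GroovyClassLoader loader, String script) {
    try {
        loader.parseClass(script)
        return null
    } catch (SecurityException e) {
        return e
    } catch (MultipleCompilationErrorsException e) {
        def collector = e.errorCollector
        for (int i = 0; i < collector.errorCount; i++) {
            Throwable t = collector.getException(i)
            while (t != null && !(t instanceof SecurityException)) {
                t = t.cause
            }
            if (t != null) {
                return (SecurityException) t
            }
        }
        throw e  // some other compilation error, not a whitelist decision
    }
}

GroovyClassLoader loader = whitelistedLoader(['java.lang'])

// GROOVY-8135: the element type java.lang.Object is whitelisted, so the array
// type must be accepted instead of being rejected as "[Ljava.lang.Object;".
assert denialFor(loader, 'Object[] array = new Object[0]; array.size()') == null

// The whitelist must still deny classes outside java.lang, plain or as arrays.
assert denialFor(loader, 'new java.io.File("x")')?.message?.contains('java.io.File')
assert denialFor(loader, 'java.io.File[] files = new java.io.File[0]; files.size()') != null
println 'whitelist behaves as expected'
```

On a Groovy version before the fix the first assertion fails with the same "Importing [[Ljava.lang.Object;] is not allowed" message shown in the report.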