You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@groovy.apache.org by "Tim Biggin (JIRA)" <ji...@apache.org> on 2017/12/11 20:30:00 UTC
[jira] [Updated] (GROOVY-8413) Potential issue with
indirectImportCheckEnabled in SecureASTCustomizer
[ https://issues.apache.org/jira/browse/GROOVY-8413?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tim Biggin updated GROOVY-8413:
-------------------------------
Description:
I have been attempting to use *SecureASTCustomizer* to secure Groovy scripts, but I've noticed a few odd things happening within *SecureASTCustomizer*.
Problem 1)
Assume I have configured the *starImportsWhitelist* with an entry for +com.company.package.\*+ and have set *indirectImportCheckEnabled* to *true*.
The following code snippet breaks:
{code}
import com.company.package.TestClass;
TestClass test = new TestClass();
test.toString();
{code}
It runs through *assertExpressionAuthorized(...)* and will fail in *assertStaticImportIsAllowed(...)* because +com.company.package.TestClass.toString()+ is not an allowed static import. This to me makes no sense, +test.toString()+ is 1) not a static call and 2) is not an indirect import because we have an instance of this object and a corresponding import for it.
Problem 2)
Assume I have configured the import star white list with an entry for +com.company.package.\*+ and have set *indirectImportCheckEnabled* to *true*.
{code}
import com.company.package.TestClass;
TestClass.SomeStaticMethod();
{code}
When this code is run through *assertExpressionAuthorized(...)* it is passed in as a *MethodCallExpression* not a *StaticMethodCallExpression*, so even if I fix problem 1, I cannot tell the difference between method calls and static method calls.
was:
I have been attempting to use SecureASTCustomizer to secure Groovy scripts, but I've noticed a few odd things happening within SecureASTCustomizer.
Problem 1)
Assume I have configured the import star white list with an entry for 'com.company.package.*' and have set indirectImportCheckEnabled to true.
The following code snippet breaks:
{code}
import com.company.package.TestClass;
TestClass test = new TestClass();
test.toString();
{code}
Because it runs through assertExpressionAuthorized and will fail in assertStaticImportIsAllowed because com.company.package.TestClass.toString() is not an allowed static import. This to me makes no sense, test.toString() is 1) not a static call and 2) is not an indirect import because we have an instance of this object and a corresponding import for it.
Problem 2)
Assume I have configured the import star white list with an entry for 'com.company.package.*' and have set indirectImportCheckEnabled to true.
{code}
import com.company.package.TestClass;
TestClass.SomeStaticMethod();
{code}
When this code is run through assertExpressionAuthorized it is passed in as a MethodCallExpression not a StaticMethodCallExpression, so even if I fix problem 1, I cannot tell the difference between method calls and static method calls.
> Potential issue with indirectImportCheckEnabled in SecureASTCustomizer
> ----------------------------------------------------------------------
>
> Key: GROOVY-8413
> URL: https://issues.apache.org/jira/browse/GROOVY-8413
> Project: Groovy
> Issue Type: Bug
> Reporter: Tim Biggin
>
> I have been attempting to use *SecureASTCustomizer* to secure Groovy scripts, but I've noticed a few odd things happening within *SecureASTCustomizer*.
> Problem 1)
> Assume I have configured the *starImportsWhitelist* with an entry for +com.company.package.\*+ and have set *indirectImportCheckEnabled* to *true*.
> The following code snippet breaks:
> {code}
> import com.company.package.TestClass;
> TestClass test = new TestClass();
> test.toString();
> {code}
> It runs through *assertExpressionAuthorized(...)* and will fail in *assertStaticImportIsAllowed(...)* because +com.company.package.TestClass.toString()+ is not an allowed static import. This to me makes no sense, +test.toString()+ is 1) not a static call and 2) is not an indirect import because we have an instance of this object and a corresponding import for it.
> Problem 2)
> Assume I have configured the import star white list with an entry for +com.company.package.\*+ and have set *indirectImportCheckEnabled* to *true*.
> {code}
> import com.company.package.TestClass;
> TestClass.SomeStaticMethod();
> {code}
> When this code is run through *assertExpressionAuthorized(...)* it is passed in as a *MethodCallExpression* not a *StaticMethodCallExpression*, so even if I fix problem 1, I cannot tell the difference between method calls and static method calls.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)