Posted to notifications@groovy.apache.org by "Dariusz Kowzan (Jira)" <ji...@apache.org> on 2021/07/26 16:16:00 UTC

[jira] [Updated] (GROOVY-10184) NPE in SecureASTCustomizer with indirectImportCheckEnabled

     [ https://issues.apache.org/jira/browse/GROOVY-10184?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dariusz Kowzan updated GROOVY-10184:
------------------------------------
    Description: 
NPE is thrown by SecureASTCustomizer in this scenario:
{code:java}
SecureASTCustomizer customizer = new SecureASTCustomizer();
List<String> list = new ArrayList<>();
list.add("java.lang.*");
customizer.setAllowedStarImports(list);
customizer.setIndirectImportCheckEnabled(true);
CompilerConfiguration conf = new CompilerConfiguration();
conf.addCompilationCustomizers(customizer);
GroovyShell shell = new GroovyShell(conf);
shell.evaluate("def obj = new Object(); def method = \"hashcode\"; obj.\"${method}\"()");
{code}
This happens only with setIndirectImportCheckEnabled(true) and object methods being invoked by obj."${method}"();

The stacktrace is:
{code:java}
Caused by: java.lang.NullPointerException
    at org.codehaus.groovy.control.customizers.SecureASTCustomizer.assertStaticImportIsAllowed(SecureASTCustomizer.java:967)
    at org.codehaus.groovy.control.customizers.SecureASTCustomizer.access$900(SecureASTCustomizer.java:184)
    at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.assertExpressionAuthorized(SecureASTCustomizer.java:1043)
    at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.visitMethodCallExpression(SecureASTCustomizer.java:1197)
    at org.codehaus.groovy.ast.expr.MethodCallExpression.visit(MethodCallExpression.java:68)
    at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.visitExpressionStatement(SecureASTCustomizer.java:1123)
    at org.codehaus.groovy.ast.stmt.ExpressionStatement.visit(ExpressionStatement.java:40)
    at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.visitBlockStatement(SecureASTCustomizer.java:1083)
    at org.codehaus.groovy.ast.stmt.BlockStatement.visit(BlockStatement.java:69)
    at org.codehaus.groovy.control.customizers.SecureASTCustomizer.call(SecureASTCustomizer.java:893)
    at org.codehaus.groovy.control.CompilationUnit.applyToPrimaryClassNodes(CompilationUnit.java:1084)
    ... 88 more
{code}
 

 

  was:
NPE is thrown by SecureASTCustomizer in this scenario:
{code:java}
SecureASTCustomizer customizer = new SecureASTCustomizer();
List<String> list = new ArrayList<>();
list.add("java.lang.*");
customizer.setAllowedStarImports(list);
customizer.setIndirectImportCheckEnabled(true);
CompilerConfiguration conf = new CompilerConfiguration();
conf.addCompilationCustomizers(customizer);
GroovyShell shell = new GroovyShell(conf);
shell.evaluate("def obj = new Object(); def method = \"hashcode\"; obj.\"${method}\"()");
{code}
This happens only with setIndirectImportCheckEnabled(true) and object methods being invoked by obj."${method}"();

The stacktrace is:
{noformat}
Caused by: java.lang.NullPointerException
    at org.codehaus.groovy.control.customizers.SecureASTCustomizer.assertStaticImportIsAllowed(SecureASTCustomizer.java:967)
    at org.codehaus.groovy.control.customizers.SecureASTCustomizer.access$900(SecureASTCustomizer.java:184)
    at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.assertExpressionAuthorized(SecureASTCustomizer.java:1043)
    at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.visitMethodCallExpression(SecureASTCustomizer.java:1197)
    at org.codehaus.groovy.ast.expr.MethodCallExpression.visit(MethodCallExpression.java:68)
    at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.visitExpressionStatement(SecureASTCustomizer.java:1123)
    at org.codehaus.groovy.ast.stmt.ExpressionStatement.visit(ExpressionStatement.java:40)
    at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.visitBlockStatement(SecureASTCustomizer.java:1083)
    at org.codehaus.groovy.ast.stmt.BlockStatement.visit(BlockStatement.java:69)
    at org.codehaus.groovy.control.customizers.SecureASTCustomizer.call(SecureASTCustomizer.java:893)
    at org.codehaus.groovy.control.CompilationUnit.applyToPrimaryClassNodes(CompilationUnit.java:1084)
    ... 88 more
{noformat}
 

 


> NPE in SecureASTCustomizer with indirectImportCheckEnabled
> ----------------------------------------------------------
>
>                 Key: GROOVY-10184
>                 URL: https://issues.apache.org/jira/browse/GROOVY-10184
>             Project: Groovy
>          Issue Type: Bug
>    Affects Versions: 2.5.13
>            Reporter: Dariusz Kowzan
>            Priority: Major
>
> NPE is thrown by SecureASTCustomizer in this scenario:
> {code:java}
> SecureASTCustomizer customizer = new SecureASTCustomizer();
> List<String> list = new ArrayList<>();
> list.add("java.lang.*");
> customizer.setAllowedStarImports(list);
> customizer.setIndirectImportCheckEnabled(true);
> CompilerConfiguration conf = new CompilerConfiguration();
> conf.addCompilationCustomizers(customizer);
> GroovyShell shell = new GroovyShell(conf);
> shell.evaluate("def obj = new Object(); def method = \"hashcode\"; obj.\"${method}\"()");
> {code}
> This happens only with setIndirectImportCheckEnabled(true)
> and object methods being invoked by obj."${method}"();
> The stacktrace is:
> {code:java}
> Caused by: java.lang.NullPointerException
>     at org.codehaus.groovy.control.customizers.SecureASTCustomizer.assertStaticImportIsAllowed(SecureASTCustomizer.java:967)
>     at org.codehaus.groovy.control.customizers.SecureASTCustomizer.access$900(SecureASTCustomizer.java:184)
>     at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.assertExpressionAuthorized(SecureASTCustomizer.java:1043)
>     at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.visitMethodCallExpression(SecureASTCustomizer.java:1197)
>     at org.codehaus.groovy.ast.expr.MethodCallExpression.visit(MethodCallExpression.java:68)
>     at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.visitExpressionStatement(SecureASTCustomizer.java:1123)
>     at org.codehaus.groovy.ast.stmt.ExpressionStatement.visit(ExpressionStatement.java:40)
>     at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.visitBlockStatement(SecureASTCustomizer.java:1083)
>     at org.codehaus.groovy.ast.stmt.BlockStatement.visit(BlockStatement.java:69)
>     at org.codehaus.groovy.control.customizers.SecureASTCustomizer.call(SecureASTCustomizer.java:893)
>     at org.codehaus.groovy.control.CompilationUnit.applyToPrimaryClassNodes(CompilationUnit.java:1084)
>     ... 88 more
> {code}
>  
>  


