Posted to commits@groovy.apache.org by su...@apache.org on 2019/12/02 10:39:15 UTC
[groovy] 01/04: GROOVY-9318: add support for ** syntax in static
star import white/black lists
This is an automated email from the ASF dual-hosted git repository.
sunlan pushed a commit to branch GROOVY_3_0_X
in repository https://gitbox.apache.org/repos/asf/groovy.git
commit d4ec7f0e336520d6b6c40ddbf690a1d6ff026eac
Author: Martin Grofčík <mg...@gmail.com>
AuthorDate: Mon Dec 2 01:35:09 2019 +0100
GROOVY-9318: add support for ** syntax in static star import white/black lists
(cherry picked from commit 3b8c172a86184d13b9b06aeb1dcd43803080d857)
---
.../control/customizers/SecureASTCustomizer.java | 8 +++--
.../customizers/SecureASTCustomizerTest.groovy | 34 ++++++++++++++++++++++
2 files changed, 40 insertions(+), 2 deletions(-)
diff --git a/src/main/java/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java b/src/main/java/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java
index 572d596..fe4622e 100644
--- a/src/main/java/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java
+++ b/src/main/java/org/codehaus/groovy/control/customizers/SecureASTCustomizer.java
@@ -694,7 +694,9 @@ public class SecureASTCustomizer extends CompilationCustomizer {
if (staticImportsWhitelist != null && !staticImportsWhitelist.contains(fqn)) {
if (staticStarImportsWhitelist != null) {
// we should now check if the import is in the star imports
- if (!staticStarImportsWhitelist.contains(className + ".*")) {
+ String packageName = className.substring(0, className.lastIndexOf('.') + 1) + "*";
+ if (!staticStarImportsWhitelist.contains(className + ".*") &&
+ !staticStarImportsWhitelist.stream().filter(it -> it.endsWith(".")).anyMatch(packageName::startsWith)) {
throw new SecurityException("Importing [" + fqn + "] is not allowed");
}
} else {
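Review bot: The `**` match in the added condition, `filter(it -> it.endsWith("."))`, only works if an entry such as `java.lang.**` has already been rewritten to the prefix `java.lang.` before it reaches this list, and nothing in the hunk establishes that; presumably the list setters normalise entries, which is outside this view. Since this line decides whether an import is allowed, a short comment stating the stored form of a `**` entry would help the next reader. The same two added lines are repeated in the blacklist hunk (`@@ -706,7 +708,9 @@`), so the allow and deny checks can drift apart. I would move the prefix test into one private helper called from both places, as sketched below, with the list type assumed to be `List<String>`. The enclosing method starts and ends outside both hunks.

```java
// A "**" entry is expected here as a package prefix ending in '.', e.g. "java.lang."
// (assumption: the setters store it that way; confirm before merging).
private static boolean matchesPackagePrefix(final List<String> starImports, final String className) {
    final String packageStar = className.substring(0, className.lastIndexOf('.') + 1) + "*";
    return starImports.stream()
            .filter(entry -> entry.endsWith("."))
            .anyMatch(packageStar::startsWith);
}

// whitelist check
if (!staticStarImportsWhitelist.contains(className + ".*")
        && !matchesPackagePrefix(staticStarImportsWhitelist, className)) {
// … unchanged: throw SecurityException …

// blacklist check
if (staticStarImportsBlacklist.contains(className + ".*")
        || matchesPackagePrefix(staticStarImportsBlacklist, className)) {
// … unchanged: throw SecurityException …
```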
@@ -706,7 +708,9 @@ public class SecureASTCustomizer extends CompilationCustomizer {
}
// check that there's no star import blacklist
if (staticStarImportsBlacklist != null) {
- if (staticStarImportsBlacklist.contains(className + ".*")) {
+ String packageName = className.substring(0, className.lastIndexOf('.') + 1) + "*";
+ if (staticStarImportsBlacklist.contains(className + ".*") ||
+ staticStarImportsBlacklist.stream().filter(it -> it.endsWith(".")).anyMatch(packageName::startsWith)) {
throw new SecurityException("Importing [" + fqn + "] is not allowed");
}
}
diff --git a/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy b/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy
index 2218f9b..ad645ae 100644
--- a/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy
+++ b/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy
@@ -415,6 +415,40 @@ final class SecureASTCustomizerTest {
}
@Test
+ void testStaticDoubleStarImportWhiteList() {
+ customizer.staticStarImportsWhitelist = ['java.lang.**']
+ def shell = new GroovyShell(configuration)
+ shell.evaluate('''
+ import static java.lang.Math.PI
+ import static java.lang.Math.cos
+ cos(PI)
+ ''')
+ assert hasSecurityException {
+ shell.evaluate('''
+ import static java.util.Collections.*
+ sort([5,4,2])
+ ''')
+ }
+ }
+
+ @Test
+ void testStaticDoubleStarImportBlackList() {
+ customizer.staticStarImportsBlacklist = ['java.lang.**']
+ def shell = new GroovyShell(configuration)
+ assert hasSecurityException {
+ shell.evaluate('''
+ import static java.lang.Math.PI
+ import static java.lang.Math.cos
+ cos(PI)
+ ''')
+ }
+ shell.evaluate('''
+ import static java.util.Collections.*
+ sort([5,4,2])
+ ''')
+ }
+
+ @Test
void testIndirectStaticImport() {
customizer.staticImportsWhitelist = ['java.lang.Math.PI']
customizer.indirectImportCheckEnabled = true
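Review bot: Neither new test exercises what separates `**` from the existing `.*` entries, because both import only from `java.lang.Math`, a class directly in the listed package, so a class in a subpackage is never checked. For an allow/deny filter I would add a subpackage case to each test, for example `import static java.lang.reflect.Modifier.isPublic`, expected to pass under the whitelist and to raise a SecurityException under the blacklist. A boundary case is also worth pinning: an entry such as `'java.lan.**'` must not match `java.lang.Math`. The prefix logic in SecureASTCustomizer suggests it does not, but no test here proves it. The trailing context method `testIndirectStaticImport` continues outside the hunk.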