You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@tinkerpop.apache.org by ok...@apache.org on 2016/01/05 23:54:50 UTC
[18/50] incubator-tinkerpop git commit: Minor alteration to whitelist matching in sanboxing for scriptengine.

Minor alteration to whitelist matching in sanboxing for scriptengine.

Used a strict match function compared to groovy find.  Not sure why find wasn't working reliably - added some asserts to validate.


Project: http://git-wip-us.apache.org/repos/asf/incubator-tinkerpop/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-tinkerpop/commit/bc41af3a
Tree: http://git-wip-us.apache.org/repos/asf/incubator-tinkerpop/tree/bc41af3a
Diff: http://git-wip-us.apache.org/repos/asf/incubator-tinkerpop/diff/bc41af3a

Branch: refs/heads/TINKERPOP-1033
Commit: bc41af3a11b6b94f2bfb250144872442033a8285
Parents: 96e7cbd
Author: Stephen Mallette <sp...@genoprime.com>
Authored: Tue Dec 22 15:30:03 2015 -0500
Committer: Stephen Mallette <sp...@genoprime.com>
Committed: Tue Dec 22 15:30:03 2015 -0500

----------------------------------------------------------------------
 ...remlinGroovyScriptEngineFileSandboxTest.java |  9 ++++-
 .../gremlin/groovy/jsr223/sandbox.yaml          | 42 +++++++++++---------
 .../customizer/AbstractSandboxExtension.groovy  |  2 +-
 .../PropertyExpressionEvaluator.groovy          |  2 +-
 .../customizer/TinkerPopSandboxExtension.groovy |  2 +-
 5 files changed, 34 insertions(+), 23 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-tinkerpop/blob/bc41af3a/gremlin-groovy-test/src/main/java/org/apache/tinkerpop/gremlin/groovy/jsr223/GremlinGroovyScriptEngineFileSandboxTest.java
----------------------------------------------------------------------
diff --git a/gremlin-groovy-test/src/main/java/org/apache/tinkerpop/gremlin/groovy/jsr223/GremlinGroovyScriptEngineFileSandboxTest.java b/gremlin-groovy-test/src/main/java/org/apache/tinkerpop/gremlin/groovy/jsr223/GremlinGroovyScriptEngineFileSandboxTest.java
index 6bfd2de..89aba64 100644
--- a/gremlin-groovy-test/src/main/java/org/apache/tinkerpop/gremlin/groovy/jsr223/GremlinGroovyScriptEngineFileSandboxTest.java
+++ b/gremlin-groovy-test/src/main/java/org/apache/tinkerpop/gremlin/groovy/jsr223/GremlinGroovyScriptEngineFileSandboxTest.java
@@ -25,6 +25,7 @@ import org.apache.tinkerpop.gremlin.groovy.CompilerCustomizerProvider;
 import org.apache.tinkerpop.gremlin.groovy.jsr223.customizer.CompileStaticCustomizerProvider;
 import org.apache.tinkerpop.gremlin.groovy.jsr223.customizer.FileSandboxExtension;
 import org.codehaus.groovy.control.MultipleCompilationErrorsException;
+import org.hamcrest.MatcherAssert;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
@@ -36,6 +37,7 @@ import java.util.Arrays;
 
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.greaterThan;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertThat;
 import static org.junit.Assert.fail;
@@ -60,6 +62,8 @@ public class GremlinGroovyScriptEngineFileSandboxTest extends AbstractGremlinTes
         final CompilerCustomizerProvider standardSandbox = new CompileStaticCustomizerProvider(FileSandboxExtension.class.getName());
         try (GremlinGroovyScriptEngine engine = new GremlinGroovyScriptEngine(standardSandbox)) {
             assertEquals(123, engine.eval("java.lang.Math.abs(-123)"));
+            assertThat(engine.eval("new Boolean(true)"), is(true));
+            assertThat(engine.eval("new Boolean(true).toString()"), is("true"));
         }
     }
 
@@ -72,9 +76,12 @@ public class GremlinGroovyScriptEngineFileSandboxTest extends AbstractGremlinTes
     }
 
     @Test
-    public void shouldPreventMaliciousStuffWithSystem() throws Exception {
+    public void shouldPreventMaliciousStuffWithSystemButAllowSomeMethodsOnSystem() throws Exception {
         final CompilerCustomizerProvider standardSandbox = new CompileStaticCustomizerProvider(FileSandboxExtension.class.getName());
         try (GremlinGroovyScriptEngine engine = new GremlinGroovyScriptEngine(standardSandbox)) {
+            assertThat((long) engine.eval("System.currentTimeMillis()"), greaterThan(0l));
+            assertThat((long) engine.eval("System.nanoTime()"), greaterThan(0l));
+
             engine.eval("System.exit(0)");
             fail("Should have a compile error because class/method is not white listed");
         } catch (Exception ex) {

http://git-wip-us.apache.org/repos/asf/incubator-tinkerpop/blob/bc41af3a/gremlin-groovy-test/src/main/resources/org/apache/tinkerpop/gremlin/groovy/jsr223/sandbox.yaml
----------------------------------------------------------------------
diff --git a/gremlin-groovy-test/src/main/resources/org/apache/tinkerpop/gremlin/groovy/jsr223/sandbox.yaml b/gremlin-groovy-test/src/main/resources/org/apache/tinkerpop/gremlin/groovy/jsr223/sandbox.yaml
index 8ee6a87..b2b7f67 100644
--- a/gremlin-groovy-test/src/main/resources/org/apache/tinkerpop/gremlin/groovy/jsr223/sandbox.yaml
+++ b/gremlin-groovy-test/src/main/resources/org/apache/tinkerpop/gremlin/groovy/jsr223/sandbox.yaml
@@ -19,25 +19,29 @@
 
 autoTypeUnknown: true
 methodWhiteList:
-  - java\.lang\.Boolean
-  - java\.lang\.Byte
-  - java\.lang\.Character
-  - java\.lang\.Double
-  - java\.lang\.Enum
-  - java\.lang\.Float
-  - java\.lang\.Integer
-  - java\.lang\.Long
-  - java\.lang\.Math
-  - java\.lang\.Number
-  - java\.lang\.Object
-  - java\.lang\.Short
-  - java\.lang\.String
-  - java\.lang\.StringBuffer
-  - java\.lang\.Throwable
-  - java\.lang\.Void
+  - java\.lang\.Boolean.*
+  - java\.lang\.Byte.*
+  - java\.lang\.Character.*
+  - java\.lang\.Double.*
+  - java\.lang\.Enum.*
+  - java\.lang\.Float.*
+  - java\.lang\.Integer.*
+  - java\.lang\.Long.*
+  - java\.lang\.Math.*
+  - java\.lang\.Number.*
+  - java\.lang\.Object.*
+  - java\.lang\.Short.*
+  - java\.lang\.String.*
+  - java\.lang\.StringBuffer.*
+  - java\.lang\.System#currentTimeMillis\(\)
+  - java\.lang\.System#nanoTime\(\)
+  - java\.lang\.Throwable.*
+  - java\.lang\.Void.*
   - java\.util\..*
-  - org\.codehaus\.groovy\.runtime\.DefaultGroovyMethods
-  - org\.codehaus\.groovy\.runtime\.StringGroovyMethods
+  - org\.codehaus\.groovy\.runtime\.DefaultGroovyMethods.*
+  - org\.codehaus\.groovy\.runtime\.InvokerHelper#runScript\(java\.lang\.Class,java\.lang\.String\[\]\)
+  - org\.codehaus\.groovy\.runtime\.StringGroovyMethods.*
+  - groovy\.lang\.Script#<init>\(groovy.lang.Binding\)
   - org\.apache\.tinkerpop\.gremlin\.structure\..*
   - org\.apache\.tinkerpop\.gremlin\.process\..*
   - org\.apache\.tinkerpop\.gremlin\.process\.computer\..*
@@ -48,7 +52,7 @@ methodWhiteList:
   - org\.apache\.tinkerpop\.gremlin\.process\.traversal\..*
   - org\.apache\.tinkerpop\.gremlin\.process\.traversal\.dsl\.graph\..*
   - org\.apache\.tinkerpop\.gremlin\.process\.traversal\.engine\..*
-  - org\.apache\.tinkerpop\.gremlin\.server\.util\.LifeCycleHook
+  - org\.apache\.tinkerpop\.gremlin\.server\.util\.LifeCycleHook.*
 staticVariableTypes:
   graph: org.apache.tinkerpop.gremlin.structure.Graph
   g: org.apache.tinkerpop.gremlin.process.traversal.dsl.graph.GraphTraversalSource
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-tinkerpop/blob/bc41af3a/gremlin-groovy/src/main/groovy/org/apache/tinkerpop/gremlin/groovy/jsr223/customizer/AbstractSandboxExtension.groovy
----------------------------------------------------------------------
diff --git a/gremlin-groovy/src/main/groovy/org/apache/tinkerpop/gremlin/groovy/jsr223/customizer/AbstractSandboxExtension.groovy b/gremlin-groovy/src/main/groovy/org/apache/tinkerpop/gremlin/groovy/jsr223/customizer/AbstractSandboxExtension.groovy
index babad14..699e250 100644
--- a/gremlin-groovy/src/main/groovy/org/apache/tinkerpop/gremlin/groovy/jsr223/customizer/AbstractSandboxExtension.groovy
+++ b/gremlin-groovy/src/main/groovy/org/apache/tinkerpop/gremlin/groovy/jsr223/customizer/AbstractSandboxExtension.groovy
@@ -77,7 +77,7 @@ abstract class AbstractSandboxExtension extends GroovyTypeCheckingExtensionSuppo
         // evaluate methods to be sure they are on the whitelist
         onMethodSelection { expr, MethodNode methodNode ->
             def descriptor = SandboxHelper.toMethodDescriptor(methodNode)
-            if (!methodWhiteList.any { descriptor =~ it })
+            if (!methodWhiteList.any { descriptor ==~ it })
                 addStaticTypeError("Not authorized to call this method: $descriptor", expr)
         }
 

http://git-wip-us.apache.org/repos/asf/incubator-tinkerpop/blob/bc41af3a/gremlin-groovy/src/main/groovy/org/apache/tinkerpop/gremlin/groovy/jsr223/customizer/PropertyExpressionEvaluator.groovy
----------------------------------------------------------------------
diff --git a/gremlin-groovy/src/main/groovy/org/apache/tinkerpop/gremlin/groovy/jsr223/customizer/PropertyExpressionEvaluator.groovy b/gremlin-groovy/src/main/groovy/org/apache/tinkerpop/gremlin/groovy/jsr223/customizer/PropertyExpressionEvaluator.groovy
index 577bef9..be00cba 100644
--- a/gremlin-groovy/src/main/groovy/org/apache/tinkerpop/gremlin/groovy/jsr223/customizer/PropertyExpressionEvaluator.groovy
+++ b/gremlin-groovy/src/main/groovy/org/apache/tinkerpop/gremlin/groovy/jsr223/customizer/PropertyExpressionEvaluator.groovy
@@ -59,7 +59,7 @@ class PropertyExpressionEvaluator extends ClassCodeVisitorSupport {
                 owner = typeCheckingVisitor.inferComponentType(owner, ClassHelper.int_TYPE)
 
             def descriptor = "${SandboxHelper.prettyPrint(owner)}#${expression.propertyAsString}"
-            if (!methodWhiteList.any { descriptor =~ it })
+            if (!methodWhiteList.any { descriptor ==~ it })
                 dsl.addStaticTypeError("Not authorized to call this method: $descriptor", expression)
         }
     }

http://git-wip-us.apache.org/repos/asf/incubator-tinkerpop/blob/bc41af3a/gremlin-groovy/src/main/groovy/org/apache/tinkerpop/gremlin/groovy/jsr223/customizer/TinkerPopSandboxExtension.groovy
----------------------------------------------------------------------
diff --git a/gremlin-groovy/src/main/groovy/org/apache/tinkerpop/gremlin/groovy/jsr223/customizer/TinkerPopSandboxExtension.groovy b/gremlin-groovy/src/main/groovy/org/apache/tinkerpop/gremlin/groovy/jsr223/customizer/TinkerPopSandboxExtension.groovy
index c418e4d..1be9c05 100644
--- a/gremlin-groovy/src/main/groovy/org/apache/tinkerpop/gremlin/groovy/jsr223/customizer/TinkerPopSandboxExtension.groovy
+++ b/gremlin-groovy/src/main/groovy/org/apache/tinkerpop/gremlin/groovy/jsr223/customizer/TinkerPopSandboxExtension.groovy
@@ -32,7 +32,7 @@ import org.apache.tinkerpop.gremlin.structure.Graph
 class TinkerPopSandboxExtension extends AbstractSandboxExtension {
 
     private static final List<String> methodWhiteList = ["java\\.util\\..*",
-                                                         "org\\.codehaus\\.groovy\\.runtime\\.DefaultGroovyMethods",
+                                                         "org\\.codehaus\\.groovy\\.runtime\\.DefaultGroovyMethods.*",
                                                          "org\\.apache\\.tinkerpop\\.gremlin\\.structure\\..*",
                                                          "org\\.apache\\.tinkerpop\\.gremlin\\.process\\..*",
                                                          "org\\.apache\\.tinkerpop\\.gremlin\\.process\\.traversal\\.dsl\\.graph\\..*"]