Posted to notifications@groovy.apache.org by "Tim Biggin (JIRA)" <ji...@apache.org> on 2017/12/11 20:25:00 UTC
[jira] [Created] (GROOVY-8413) Potential issue with indirectImportCheckEnabled in SecureASTCustomizer
Tim Biggin created GROOVY-8413:
----------------------------------
Summary: Potential issue with indirectImportCheckEnabled in SecureASTCustomizer
Key: GROOVY-8413
URL: https://issues.apache.org/jira/browse/GROOVY-8413
Project: Groovy
Issue Type: Bug
Reporter: Tim Biggin
I have been attempting to use SecureASTCustomizer to secure Groovy scripts, but I've noticed a few odd things happening within SecureASTCustomizer.
Problem 1)
Assume I have configured the import star white list with an entry for 'com.company.package.*' and have set indirectImportCheckEnabled to true.
The following code snippet breaks:
{code}
import com.company.package.TestClass;
TestClass test = new TestClass();
test.toString();
{code}
It breaks because it runs through assertExpressionAuthorized and fails in assertStaticImportIsAllowed, because com.company.package.TestClass.toString() is not an allowed static import. This makes no sense to me: test.toString() is 1) not a static call and 2) not an indirect import, because we have an instance of this object and a corresponding import for it.
Problem 2)
Assume I have configured the import star white list with an entry for 'com.company.package.*' and have set indirectImportCheckEnabled to true.
{code}
import com.company.package.TestClass;
TestClass.SomeStaticMethod();
{code}
When this code is run through assertExpressionAuthorized it is passed in as a MethodCallExpression, not a StaticMethodCallExpression, so even if I fix problem 1, I cannot tell the difference between method calls and static method calls.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
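The following harness is an added example, not code from the issue or from the Groovy project. It wires up SecureASTCustomizer the way the report describes (only the package's star import whitelisted, indirectImportCheckEnabled set to true, no static imports allowed) and pushes both snippets from the report through a GroovyShell so the verdict can be observed on whichever Groovy version is in use. The package com.company.sandbox and the class TestClass are stand-ins for the reporter's com.company.package.TestClass (package is a keyword, so that name cannot compile). The whitelist setter names are the Groovy 2.x ones used in the report; later Groovy releases renamed them to the allowed* form, and whether a violation surfaces as a bare SecurityException or wrapped in a MultipleCompilationErrorsException also depends on the version, so the harness catches both.

```groovy
// Added example, not part of GROOVY-8413 or the Groovy project.
// Assumptions: com.company.sandbox.TestClass stands in for the reporter's
// com.company.package.TestClass; whitelist setter names are the Groovy 2.x ones.
package com.company.sandbox

import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.MultipleCompilationErrorsException
import org.codehaus.groovy.control.customizers.SecureASTCustomizer

// Stand-in for the reporter's TestClass: one static and one instance method.
class TestClass {
    static String someStaticMethod() { 'static ok' }
    String toString() { 'instance ok' }
}

// Build the sandbox exactly as the report describes it: the package's star import
// is the only allowed import path, static imports are not allowed at all, and the
// indirect import check is enabled.
CompilerConfiguration sandboxConfig() {
    def secure = new SecureASTCustomizer()
    secure.importsWhitelist = []                        // no single-class imports by name
    secure.starImportsWhitelist = ['com.company.sandbox.*']
    secure.staticImportsWhitelist = []                  // no static member imports
    secure.staticStarImportsWhitelist = []
    secure.indirectImportCheckEnabled = true
    def config = new CompilerConfiguration()
    config.addCompilationCustomizers(secure)
    config
}

// Compile and evaluate one snippet inside the sandbox and return a one-line verdict.
String tryScript(String label, String source) {
    // The shell is given this file's class loader so the script can resolve TestClass.
    def shell = new GroovyShell(TestClass.classLoader, new Binding(), sandboxConfig())
    try {
        def result = shell.evaluate(source)
        return "$label: accepted, result=$result"
    } catch (SecurityException e) {
        // Thrown directly by SecureASTCustomizer on a rule violation.
        return "$label: rejected (${e.message})"
    } catch (MultipleCompilationErrorsException e) {
        // Some Groovy versions wrap the SecurityException in a compilation error.
        return "$label: rejected (${e.message.readLines().first()})"
    }
}

// Problem 1 from the report: an instance method call on an imported class.
def problem1 = '''
import com.company.sandbox.TestClass
TestClass test = new TestClass()
test.toString()
'''

// Problem 2 from the report: a static call, which the customizer sees as a
// MethodCallExpression rather than a StaticMethodCallExpression.
def problem2 = '''
import com.company.sandbox.TestClass
TestClass.someStaticMethod()
'''

println tryScript('problem 1 (instance call)', problem1)
println tryScript('problem 2 (static call)', problem2)
```

Run it with the groovy command on the version you are sandboxing. According to the report, on the reporter's version the first snippet is rejected with a message about com.company.package.TestClass.toString() not being an allowed static import; whether the second is accepted depends on how the customizer classifies the call, which is the point of problem 2. Keep the whitelists non-null: a null list in SecureASTCustomizer means that category is not checked at all, which silently widens the sandbox.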