  1. Groovy
  2. GROOVY-4978

SecureASTCustomizer blacklist is ignored inside method body

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.8.1
    • Fix Version/s: 1.8.2, 1.9-beta-3
    • Component/s: Compiler
    • Labels:
      None

      Description

      I'm trying to compile Groovy Scripts while rejecting calls to System.exit() by using a SecureASTCustomizer like this:

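      import static java.util.Arrays.asList;
      import groovy.lang.GroovyClassLoader;
      import org.codehaus.groovy.control.CompilerConfiguration;
      import org.codehaus.groovy.control.customizers.SecureASTCustomizer;

      // Blacklist the classes that scripts must not reference.
      final SecureASTCustomizer customizer = new SecureASTCustomizer();
      customizer.setImportsBlacklist(asList("java.lang.System",
              "groovy.lang.GroovyShell", "groovy.lang.GroovyClassLoader"));
      // Also check class references that are made without an explicit import.
      customizer.setIndirectImportCheckEnabled(true);
      
      CompilerConfiguration configuration = new CompilerConfiguration();
      configuration.addCompilationCustomizers(customizer);
      
      // Every script parsed through this loader goes through the customizer.
      ClassLoader parent = ScriptCompiler.class.getClassLoader();
      GroovyClassLoader loader = new GroovyClassLoader(parent, configuration);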
      

      The following Script is blocked correctly and I get an exception during parseClass():

      System.exit(1);
      

      In the following script, System.exit() is called successfully:

      def x() { System.exit(1) }
      x()
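
A compile-only regression check for the two scripts in the report, added here as an example (it is not code from the reporter or the Groovy project). The closure name `rejectedAtCompileTime` and the case labels are assumptions of this example; the customizer settings are the ones shown above.

```groovy
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.MultipleCompilationErrorsException
import org.codehaus.groovy.control.customizers.SecureASTCustomizer
import org.codehaus.groovy.control.messages.ExceptionMessage

// Same customizer settings as in the report.
def customizer = new SecureASTCustomizer()
customizer.setImportsBlacklist(['java.lang.System',
        'groovy.lang.GroovyShell', 'groovy.lang.GroovyClassLoader'])
customizer.setIndirectImportCheckEnabled(true)

def configuration = new CompilerConfiguration()
configuration.addCompilationCustomizers(customizer)
def parent = getClass().classLoader

// Compile only: the parsed class is never instantiated or run, so
// System.exit() is not executed even if the blacklist is bypassed.
def rejectedAtCompileTime = { String source ->
    def loader = new GroovyClassLoader(parent, configuration)
    try {
        loader.parseClass(source)
        return false
    } catch (SecurityException e) {
        // The customizer's exception reached the caller directly.
        return true
    } catch (MultipleCompilationErrorsException e) {
        // The exception was collected as a compilation error; count it only
        // when the cause is a SecurityException, so a plain syntax error
        // is not mistaken for a blacklist hit.
        return e.errorCollector.errors.any {
            it instanceof ExceptionMessage && it.cause instanceof SecurityException
        }
    }
}

// The two scripts from the report (labels are constructed for this example).
def cases = [
    'top-level call'     : 'System.exit(1)',
    'call in method body': 'def x() { System.exit(1) }\nx()',
]

cases.each { name, source ->
    println "${name}: ${rejectedAtCompileTime(source) ? 'rejected' : 'ACCEPTED'}"
}
```

A line reading `ACCEPTED` for the method-body case reproduces the behaviour reported here against 1.8.1; on the listed fix versions both cases should be reported as rejected.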
      

            People

            • Assignee:
              melix Cédric Champeau
              Reporter:
              cmj Carsten Mjartan