[GROOVY-4978] SecureASTCustomizer blacklist is ignored inside method body - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.8.1
Fix Version/s: 1.8.2, 1.9-beta-3
Component/s: Compiler
Labels:
None

Description

I'm trying to compile Groovy Scripts while rejecting calls to System.exit() by using using a SecureASTCustomizer like this:

final SecureASTCustomizer customizer = new SecureASTCustomizer();
customizer.setImportsBlacklist(asList("java.lang.System",
		"groovy.lang.GroovyShell", "groovy.lang.GroovyClassLoader"));
customizer.setIndirectImportCheckEnabled(true);

CompilerConfiguration configuration = new CompilerConfiguration();
configuration.addCompilationCustomizers(customizer);

ClassLoader parent = ScriptCompiler.class.getClassLoader();
GroovyClassLoader loader = new GroovyClassLoader(parent, configuration);

The following Script is blocked correctly and I get an exception during parseClass()

System.exit(1);

In the following script, System.exit() is called successfully:

def x() { System.exit(1) }
x()

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

SecureScriptTest.java
16/Aug/11 10:29
1 kB
Carsten Mjartan

Activity

People

Assignee:: Cédric Champeau

Reporter:: Carsten Mjartan

Votes:: 1 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 16/Aug/11 10:27

Updated:: 07/Sep/11 14:13

Resolved:: 31/Aug/11 03:32