Uploaded image for project: 'Groovy'
  1. Groovy
  2. GROOVY-4978

SecureASTCustomizer blacklist is ignored inside method body

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.8.1
    • Fix Version/s: 1.8.2, 1.9-beta-3
    • Component/s: Compiler
    • Labels:
      None

      Description

      I'm trying to compile Groovy Scripts while rejecting calls to System.exit() by using using a SecureASTCustomizer like this:

      final SecureASTCustomizer customizer = new SecureASTCustomizer();
      customizer.setImportsBlacklist(asList("java.lang.System",
      		"groovy.lang.GroovyShell", "groovy.lang.GroovyClassLoader"));
      customizer.setIndirectImportCheckEnabled(true);
      
      CompilerConfiguration configuration = new CompilerConfiguration();
      configuration.addCompilationCustomizers(customizer);
      
      ClassLoader parent = ScriptCompiler.class.getClassLoader();
      GroovyClassLoader loader = new GroovyClassLoader(parent, configuration);
      

      The following Script is blocked correctly and I get an exception during parseClass()

      System.exit(1);
      

      In the following script, System.exit() is called successfully:

      def x() { System.exit(1) }
      x()
      

        Activity

        Hide
        melix Cédric Champeau added a comment -

        I fixed this issue, but there are still problems regarding constructors because the AST transformation can't determine whether the constructor was handwritten or generated by the groovy compiler.

        Show
        melix Cédric Champeau added a comment - I fixed this issue, but there are still problems regarding constructors because the AST transformation can't determine whether the constructor was handwritten or generated by the groovy compiler.
        Hide
        cmj Carsten Mjartan added a comment -

        Failing JUnit4 Test Case

        Show
        cmj Carsten Mjartan added a comment - Failing JUnit4 Test Case

          People

          • Assignee:
            melix Cédric Champeau
            Reporter:
            cmj Carsten Mjartan
          • Votes:
            1 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development