Groovy / GROOVY-4978

SecureASTCustomizer blacklist is ignored inside method body

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.8.1
    • Fix Version/s: 1.8.2, 1.9-beta-3
    • Component/s: Compiler
    • Labels:
      None

      Description

      I'm trying to compile Groovy Scripts while rejecting calls to System.exit() by using a SecureASTCustomizer like this:

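      import static java.util.Arrays.asList;

      import groovy.lang.GroovyClassLoader;
      import org.codehaus.groovy.control.CompilerConfiguration;
      import org.codehaus.groovy.control.customizers.SecureASTCustomizer;

      // Also apply the import rules to classes used without an explicit import
      final SecureASTCustomizer customizer = new SecureASTCustomizer();
      customizer.setImportsBlacklist(asList("java.lang.System",
              "groovy.lang.GroovyShell", "groovy.lang.GroovyClassLoader"));
      customizer.setIndirectImportCheckEnabled(true);

      CompilerConfiguration configuration = new CompilerConfiguration();
      configuration.addCompilationCustomizers(customizer);

      // Scripts are compiled through this loader with parseClass()
      ClassLoader parent = ScriptCompiler.class.getClassLoader();
      GroovyClassLoader loader = new GroovyClassLoader(parent, configuration);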
      

      The following Script is blocked correctly and I get an exception during parseClass():

      System.exit(1);
      

      In the following script, System.exit() is called successfully:

      def x() { System.exit(1) }
      x()
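
A regression check for the behaviour reported above, as an added example that is not part of the original issue or the Groovy project's own tests: it compiles both scripts from the report with the same customizer settings and expects both to be rejected on a fixed version. The class name BlacklistNestingCheck and the control script are assumptions.

```java
import static java.util.Arrays.asList;

import groovy.lang.GroovyClassLoader;
import org.codehaus.groovy.control.CompilationFailedException;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.codehaus.groovy.control.customizers.SecureASTCustomizer;

// Added example (hypothetical class name); needs a Groovy jar on the classpath.
public class BlacklistNestingCheck {
    // Same customizer settings as in the report above.
    static GroovyClassLoader restrictedLoader() {
        SecureASTCustomizer customizer = new SecureASTCustomizer();
        customizer.setImportsBlacklist(asList("java.lang.System",
                "groovy.lang.GroovyShell", "groovy.lang.GroovyClassLoader"));
        customizer.setIndirectImportCheckEnabled(true);
        CompilerConfiguration configuration = new CompilerConfiguration();
        configuration.addCompilationCustomizers(customizer);
        return new GroovyClassLoader(
                BlacklistNestingCheck.class.getClassLoader(), configuration);
    }

    // parseClass() only compiles: the script is never run, so exit() is never called.
    // Any compilation failure counts as a rejection; the control case guards against that.
    static boolean isRejected(String source) {
        try {
            restrictedLoader().parseClass(source);
            return false;
        } catch (SecurityException | CompilationFailedException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: the two scripts from the report plus a harmless control.
        String[][] cases = {
            {"top-level call", "System.exit(1)", "true"},
            {"call inside method body", "def x() { System.exit(1) }\nx()", "true"},
            {"control without blacklisted class", "def y() { 1 + 1 }\ny()", "false"},
        };
        boolean ok = true;
        for (String[] c : cases) {
            boolean rejected = isRejected(c[1]);
            boolean expected = Boolean.parseBoolean(c[2]);
            ok &= rejected == expected;
            System.out.printf("%-35s rejected=%-5s expected=%s%n", c[0], rejected, expected);
        }
        if (!ok) throw new AssertionError("blacklist is not enforced consistently");
    }
}
```

On an affected version the second case is the one that reports rejected=false, which is the gap this issue describes.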
      

        Activity

        Carsten Mjartan added a comment -

        Failing JUnit4 Test Case

        Cédric Champeau added a comment -

        I fixed this issue, but there are still problems regarding constructors because the AST transformation can't determine whether the constructor was handwritten or generated by the groovy compiler.


          People

          • Assignee: Cédric Champeau
          • Reporter: Carsten Mjartan
          • Votes: 1
          • Watchers: 1
