  1. Groovy
  2. GROOVY-5116

Groovy enforces the use of the dangerous permission java.util.PropertyPermission "*" "read,write" when using a SecurityManager

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.8.3
    • Fix Version/s: None
    • Component/s: groovy-runtime
    • Labels:

      Description

      In several occurrences in the code, the system properties are accessed in this manner:

      groovy.grape.Grape.java

      private static boolean enableGrapes = Boolean.valueOf(System.getProperties().getProperty("groovy.grape.enable", "true"));
      

      The use of System.getProperties() forces the use of this permission in the SecurityManager:

       java.util.PropertyPermission "*" "read,write"

      This is not really desired in security sensitive environments. It is not possible to use more fine-grained permission declaration like e.g.:

       java.util.PropertyPermission "groovy.*" "read,write"

      This problem could be easily avoided by accessing the properties in this manner:

      private static boolean enableGrapes = Boolean.valueOf(System.getProperty("groovy.grape.enable", "true"));
      

      Without the use of System.getProperties() it is not mandatory to set the dangerous write permission on all system properties and more fine-grained security permissions like in the example could be used.
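The difference between the two access patterns in the description can be reproduced with the added example below, which is not part of the original report or of Groovy's code base. The class names `PropertyPermissionDemo` and `PropertyOnlyManager` are hypothetical, the in-code `Permissions` object stands in for a policy file, and it assumes a JDK where `System.setSecurityManager` still works (8 to 17 by default).

```java
import java.security.Permission;
import java.security.Permissions;
import java.util.PropertyPermission;

// Added illustration, not Groovy project code; the class names are hypothetical.
// Assumes a JDK where System.setSecurityManager still works (8 to 17 by default).
public class PropertyPermissionDemo {

    // Stand-in for a policy file: only the fine-grained grant from the issue.
    static final Permissions GRANTED = new Permissions();
    static { GRANTED.add(new PropertyPermission("groovy.*", "read,write")); }

    // Enforces property permissions only while 'enforcing' is set, so the
    // JDK's own property reads during startup and printing are unaffected.
    static class PropertyOnlyManager extends SecurityManager {
        volatile boolean enforcing;
        @Override
        public void checkPermission(Permission p) {
            if (enforcing && p instanceof PropertyPermission && !GRANTED.implies(p)) {
                throw new SecurityException(p.toString());
            }
        }
    }

    // Runs one access style under enforcement and reports the outcome.
    static String attempt(PropertyOnlyManager sm, boolean viaGetProperties) {
        String value = null;
        SecurityException denied = null;
        sm.enforcing = true;
        try {
            value = viaGetProperties
                    ? System.getProperties().getProperty("groovy.grape.enable", "true") // pattern quoted from Grape
                    : System.getProperty("groovy.grape.enable", "true");                // proposed pattern
        } catch (SecurityException e) {
            denied = e;
        } finally {
            sm.enforcing = false;
        }
        return denied != null ? "denied, demanded " + denied.getMessage() : "allowed, value=" + value;
    }

    public static void main(String[] args) {
        PropertyOnlyManager sm = new PropertyOnlyManager();
        System.setSecurityManager(sm);
        System.out.println("System.getProperties().getProperty(key): " + attempt(sm, true));
        System.out.println("System.getProperty(key):                 " + attempt(sm, false));
    }
}
```

With only the `groovy.*` grant in place, the `System.getProperties()` path is rejected because it demands the `"*"` `"read,write"` permission, while `System.getProperty(key)` demands only read access to that one key and succeeds.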

            People

            • Assignee:
              Unassigned
              Reporter:
              bwolff Benjamin Wolff
            • Votes:
              0
              Watchers:
              4