Details
Bug
Status: Closed
Critical
Resolution: Fixed
1.8.4, 1.8.5, 2.0-beta-2
None
does not matter
Description
The "call" method in SecureASTCustomizer doesn't check the content of class methods.
Instead of
BlockStatement bstmt = ast.getStatementBlock();
bstmt.visit(new SecuringCodeVisitor());
should be:
BlockStatement bstmt = ast.getStatementBlock();
SecuringCodeVisitor visitor = new SecuringCodeVisitor();
// Check the script body, as before
bstmt.visit(visitor);
// Also check the body of every method of every class in the module
for (ClassNode clNode : ast.getClasses()) {
    for (MethodNode methodNode : clNode.getMethods()) {
        if (methodNode.getCode() instanceof BlockStatement) {
            BlockStatement blst = (BlockStatement) methodNode.getCode();
            blst.visit(visitor);
        }
    }
}
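A regression check for the behaviour described above, added here as an example and not taken from the report or from the Groovy code base: it confirms that a SecureASTCustomizer policy is enforced inside method bodies as well as in top-level script statements. The policy (disallowing java.lang.System as a receiver) and the sample scripts are constructed for illustration, and the check assumes a Groovy release that includes the fix.

```groovy
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.MultipleCompilationErrorsException
import org.codehaus.groovy.control.customizers.SecureASTCustomizer
import org.codehaus.groovy.control.messages.ExceptionMessage

// Assumed policy for this check: no method call may use java.lang.System as receiver.
def customizer = new SecureASTCustomizer()
customizer.receiversClassesBlackList = [System]

def config = new CompilerConfiguration()
config.addCompilationCustomizers(customizer)
def shell = new GroovyShell(config)

// Compiles the source without running it and reports whether the customizer
// rejected it with a SecurityException.
def rejected = { String source ->
    try {
        shell.parse(source)
        return false
    } catch (SecurityException ignored) {
        return true
    } catch (MultipleCompilationErrorsException e) {
        return e.errorCollector.errors.any {
            it instanceof ExceptionMessage && it.cause instanceof SecurityException
        }
    }
}

// Constructed samples: the same disallowed call placed at each nesting level.
def samples = [
    'top-level statement': "System.getProperty('user.dir')",
    'script method'      : "def probe() { System.getProperty('user.dir') }\nprobe()",
    'class method'       : "class Probe { def run() { System.getProperty('user.dir') } }\nnew Probe().run()",
]

samples.each { where, source ->
    def blocked = rejected(source)
    println "${where.padRight(20)} ${blocked ? 'rejected' : 'NOT CHECKED'}"
    assert blocked : "policy not enforced in ${where}"
}

// Control: a script that does not touch System must still compile.
assert !rejected('def add(a, b) { a + b }\nadd(1, 2)')
```

An assertion failure on the "class method" or "script method" sample means the customizer in use only visits the script's statement block.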