[GROOVY-5277] SecureASTCustomizer doesn't check class methods - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 1.8.4, 1.8.5, 2.0-beta-2
Fix Version/s: 1.8.6, 2.0-beta-3
Component/s: GroovyScriptEngine
Labels:
None
Environment:
does not matter

Description

The "call" - method in SecureASTCustomzer doesn't check class methods content
Instead of

  BlockStatement bstmt = ast.getStatementBlock();
  bstmt.visit(new SecuringCodeVisitor());

should be:

 BlockStatement bstmt = ast.getStatementBlock();
        SecuringCodeVisitor visitor = new SecuringCodeVisitor();
        bstmt.visit(visitor);
        for (ClassNode clNode : ast.getClasses()) {
            for ( MethodNode methodNode : clNode.getMethods()) {
                if (methodNode.getCode() instanceof BlockStatement) {
                    BlockStatement blst = (BlockStatement) methodNode.getCode();
                    blst.visit(visitor);
                }
            }

Attachments

Activity

People

Assignee:: Cédric Champeau

Reporter:: Michael Raschkowski

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 02/Feb/12 10:16

Updated:: 12/Feb/12 04:03

Resolved:: 06/Feb/12 05:03