Description
We are using a GSE with SecureASTCustomizer to restrict use of certain classes. In my experiment, it does not work with a very simple test case: some classes in the package "java.lang" simply circumvent the restriction even without the use of reflection.
Here's how I set it up:
I used both import whitelist and receive whilelist, they are the same and contains actaully just two classes: java.lang.Object and test.
final String[] WHITE_CLASSES = {"java.lang.Object", "test"}; List<java.lang.String> classWhiteList = new ArrayList<java.lang.String>(); classWhiteList.addAll(Arrays.asList(WHITE_CLASSES)); final SecureASTCustomizer secure = new SecureASTCustomizer(); secure.setIndirectImportCheckEnabled(true); secure.setImportsWhitelist(classWhiteList); secure.setReceiversWhiteList(classWhiteList); secure.setPackageAllowed(true); secure.setClosuresAllowed(true); secure.setMethodDefinitionAllowed(true); CompilerConfiguration cc = gse.getConfig(); cc.addCompilationCustomizers(secure);
I expect that the above setting will complain the use of "java.lang.Long" & "java.lang.System". Howerver, the following script runs without any problem.
java.lang.Long lo = 5.6; java.lang.System.out.println("run ");
When I went on to the following, it starts complaining the Math class.
java.lang.Long lo = 5.6; java.lang.System.out.println("run " + java.lang.Math.abs(lo));
I tried also java.lang.Thread, and it gets complained too. Is there any special exceptions to the whitelist?