Details
-
Bug
-
Status: Closed
-
Critical
-
Resolution: Fixed
-
2.4.8
-
None
-
None
-
Important
Description
The example [1] throws a SecurityException[2]
Details
1. Source code
SecureASTCustomizer customizer = new SecureASTCustomizer();
customizer.setIndirectImportCheckEnabled(true);
List<String> starImportsWhitelist = new ArrayList<String>();
starImportsWhitelist.add("java.lang");
customizer.setStarImportsWhitelist(starImportsWhitelist);
CompilerConfiguration cc = new CompilerConfiguration();
cc.addCompilationCustomizers(customizer);
ClassLoader parent = getClass().getClassLoader();
GroovyClassLoader loader = new GroovyClassLoader(parent, cc);
loader.parseClass("Object[] array = new Object[0]; array.size()");
2. Exception
Caused by: java.lang.SecurityException: Importing [[Ljava.lang.Object;] is not allowed
at org.codehaus.groovy.control.customizers.SecureASTCustomizer.assertImportIsAllowed(SecureASTCustomizer.java:608)
at org.codehaus.groovy.control.customizers.SecureASTCustomizer.access$800(SecureASTCustomizer.java:121)
at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.assertExpressionAuthorized(SecureASTCustomizer.java:702)
Attachments
Issue Links
- links to
