
SecureASTCustomizer whitelist does not work

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.4.8
    • Fix Version/s: 2.4.12
    • Component/s: None
    • Labels:
      None
    • Flags:
      Important

      Description

      The example [1] throws a SecurityException [2].

      Details

      1. Source code

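      import java.util.ArrayList;
      import java.util.List;
      import groovy.lang.GroovyClassLoader;
      import org.codehaus.groovy.control.CompilerConfiguration;
      import org.codehaus.groovy.control.customizers.SecureASTCustomizer;

      // Fragment from inside an instance method (it calls getClass()).
      SecureASTCustomizer customizer = new SecureASTCustomizer();
      // Apply the import rules to every class node, not only to explicit imports.
      customizer.setIndirectImportCheckEnabled(true);

      // Allow only classes from java.lang.
      List<String> starImportsWhitelist = new ArrayList<String>();
      starImportsWhitelist.add("java.lang");
      customizer.setStarImportsWhitelist(starImportsWhitelist);

      CompilerConfiguration cc = new CompilerConfiguration();
      cc.addCompilationCustomizers(customizer);

      ClassLoader parent = getClass().getClassLoader();
      GroovyClassLoader loader = new GroovyClassLoader(parent, cc);

      // Object[] lives in java.lang, yet on 2.4.8 this call throws the SecurityException shown below.
      loader.parseClass("Object[] array = new Object[0]; array.size()");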

      2. Exception
      Caused by: java.lang.SecurityException: Importing [[Ljava.lang.Object;] is not allowed
      at org.codehaus.groovy.control.customizers.SecureASTCustomizer.assertImportIsAllowed(SecureASTCustomizer.java:608)
      at org.codehaus.groovy.control.customizers.SecureASTCustomizer.access$800(SecureASTCustomizer.java:121)
      at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.assertExpressionAuthorized(SecureASTCustomizer.java:702)

          Activity

          githubbot ASF GitHub Bot added a comment -

          GitHub user armsargis opened a pull request:

          https://github.com/apache/groovy/pull/538

          GROOVY-8135: SecureASTCustomizer whitelist does not work

          For arrays we should get componentType instead of type

          You can merge this pull request into a Git repository by running:

          $ git pull https://github.com/armsargis/groovy GROOVY-8135

          Alternatively you can review and apply these changes as the patch at:

          https://github.com/apache/groovy/pull/538.patch

          To close this pull request, make a commit to your master/trunk branch
          with (at least) the following in the commit message:

          This closes #538


          commit db11e31730d108510324e09ff02c052f416eaa0d
          Author: Sargis Harutyunyan <sargis.harutyunyan@webbfontaine.com>
          Date: 2017-05-06T19:34:42Z

          GROOVY-8135: SecureASTCustomizer whitelist does not work

          For arrays we should get componentType instead of type

          commit e852b9782c6dd5a00b98a590cee63567a6a72a27
          Author: Sargis Harutyunyan <sargis.harutyunyan@webbfontaine.com>
          Date: 2017-05-06T19:39:42Z

          Merge branch 'master' into GROOVY-8135
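
The "componentType instead of type" point from the pull request, as an added Java sketch that is not Groovy's own code: it shows why an array's class name (`[Ljava.lang.Object;`, the string in the exception) misses a `java.lang` star-import whitelist, and that unwrapping to the element type admits `Object[]` while still rejecting `java.io.File[]`. The class, the `STAR_IMPORTS` constant and the helper methods are hypothetical, and treating primitive element types as allowed is an assumption of this sketch.

```java
import java.util.List;

public class ArrayWhitelistCheck {
    // Hypothetical whitelist with the single entry used in the report.
    static final List<String> STAR_IMPORTS = List.of("java.lang");

    // Package part of a binary class name; "" when the name has no dot.
    static String packageOf(String className) {
        int dot = className.lastIndexOf('.');
        return dot < 0 ? "" : className.substring(0, dot);
    }

    // Check on the type's own name: an array is tested by its descriptor,
    // so Object[] yields the package "[Ljava.lang" and is rejected.
    static boolean allowedByTypeName(Class<?> type) {
        return STAR_IMPORTS.contains(packageOf(type.getName()));
    }

    // Check on the element type: strip every array dimension first.
    static boolean allowedByComponentType(Class<?> type) {
        Class<?> t = type;
        while (t.isArray()) {
            t = t.getComponentType();
        }
        if (t.isPrimitive()) {
            return true; // assumption: primitives have no package to whitelist
        }
        return STAR_IMPORTS.contains(packageOf(t.getName()));
    }

    public static void main(String[] args) {
        // Constructed sample types: plain class, arrays inside and outside java.lang.
        Class<?>[] samples = {
            Object.class, Object[].class, String[][].class,
            java.io.File[].class, int[].class
        };
        for (Class<?> c : samples) {
            System.out.printf("%-24s byTypeName=%-5b byComponentType=%b%n",
                c.getName(), allowedByTypeName(c), allowedByComponentType(c));
        }
    }
}
```
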


          githubbot ASF GitHub Bot added a comment -

          Github user asfgit closed the pull request at:

          https://github.com/apache/groovy/pull/538

          jwagenleitner John Wagenleitner added a comment -

          Thanks for reporting the issue.

          rivanov Radoslav Ivanov added a comment -

          Thanks.


            People

            • Assignee:
              jwagenleitner John Wagenleitner
              Reporter:
              rivanov Radoslav Ivanov