Groovy / GROOVY-8135

SecureASTCustomizer whitelist does not work

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.4.8
    • Fix Version/s: 2.4.12
    • Component/s: None
    • Labels: None
    • Flags: Important

      Description

      The example [1] throws a SecurityException[2]

      Details

      1. Source code

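      import groovy.lang.GroovyClassLoader;
      import org.codehaus.groovy.control.CompilerConfiguration;
      import org.codehaus.groovy.control.customizers.SecureASTCustomizer;
      import java.util.ArrayList;
      import java.util.List;

      // Also check types that are used without an explicit import statement
      SecureASTCustomizer customizer = new SecureASTCustomizer();
      customizer.setIndirectImportCheckEnabled(true);

      // Whitelist everything under java.lang as a star import
      List<String> starImportsWhitelist = new ArrayList<String>();
      starImportsWhitelist.add("java.lang");
      customizer.setStarImportsWhitelist(starImportsWhitelist);

      CompilerConfiguration cc = new CompilerConfiguration();
      cc.addCompilationCustomizers(customizer);

      ClassLoader parent = getClass().getClassLoader();
      GroovyClassLoader loader = new GroovyClassLoader(parent, cc);

      // Object[] is a java.lang type, yet compilation fails with the exception in [2]
      loader.parseClass("Object[] array = new Object[0]; array.size()");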

      2. Exception
      Caused by: java.lang.SecurityException: Importing [[Ljava.lang.Object;] is not allowed
      at org.codehaus.groovy.control.customizers.SecureASTCustomizer.assertImportIsAllowed(SecureASTCustomizer.java:608)
      at org.codehaus.groovy.control.customizers.SecureASTCustomizer.access$800(SecureASTCustomizer.java:121)
      at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.assertExpressionAuthorized(SecureASTCustomizer.java:702)

              People

              • Assignee: John Wagenleitner (jwagenleitner)
              • Reporter: Radoslav Ivanov (rivanov)