This is an automated email from the ASF dual-hosted git repository. paulk pushed a commit to branch GROOVY_4_0_X in repository https://gitbox.apache.org/repos/asf/groovy.git
The following commit(s) were added to refs/heads/GROOVY_4_0_X by this push: new 5e885847a7 GROOVY-11170: Fix edge cases for SecureASTCustomizer (test cases) 5e885847a7 is described below commit 5e885847a7cf051ee1a66bdb570fec7f30af9a64 Author: Paul King <pa...@asert.com.au> AuthorDate: Sun Sep 10 11:32:59 2023 +1000 GROOVY-11170: Fix edge cases for SecureASTCustomizer (test cases)
---
 .../customizers/SecureASTCustomizerTest.groovy | 85 ++++++++++++++++++++++
 1 file changed, 85 insertions(+)
diff --git a/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy b/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy
index befa5f0335..2d97443fa7 100644
--- a/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy
+++ b/src/test/org/codehaus/groovy/control/customizers/SecureASTCustomizerTest.groovy
@@ -23,6 +23,7 @@ import org.codehaus.groovy.ast.expr.ConstantExpression
 import org.codehaus.groovy.ast.expr.MethodCallExpression
 import org.codehaus.groovy.control.CompilerConfiguration
 import org.codehaus.groovy.control.MultipleCompilationErrorsException
+import org.codehaus.groovy.runtime.InvokerHelper
 import org.codehaus.groovy.syntax.Types
 import org.junit.Before
 import org.junit.Test
@@ -534,6 +535,16 @@ final class SecureASTCustomizerTest {
 1.plus(1)
 }
 ''')
+ shell.evaluate('''
+ def main(args) {
+ 1.plus(1)
+ }
+ ''')
+ shell.evaluate('''
+ def run() {
+ 1.plus(1)
+ }
+ ''')
 assert hasSecurityException {
 shell.evaluate('''
 static main(args) {
@@ -541,6 +552,20 @@ final class SecureASTCustomizerTest {
 }
 ''')
 }
+ assert hasSecurityException {
+ shell.evaluate('''
+ def main(args) {
+ "string".toUpperCase()
+ }
+ ''')
+ }
+ assert hasSecurityException {
+ shell.evaluate('''
+ def run() {
+ "string".toUpperCase()
+ }
+ ''')
+ }
 assert hasSecurityException {
 shell.evaluate('''
 static main(args) {
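Review bot: The added `def main(args)` and `def run()` cases in this hunk, and the matching ones in the hunks at -541, -561 and -570, carry no comment saying why these two method names are singled out, so they read as near-duplicates of the existing `static main(args)` cases and are easy to prune in a later cleanup. Since the commit title ties them to GROOVY-11170, a one-line comment above the first added `shell.evaluate` would keep the intent visible, e.g. `// GROOVY-11170: user-declared main/run methods must be checked like any other method`. The reason these names are special (presumably that they coincide with the script's generated entry points) is not visible in the diff and should be confirmed before it goes into the comment. The enclosing test methods start and end outside these hunks.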
@@ -561,6 +586,20 @@ final class SecureASTCustomizerTest {
 }
 }
 ''')
+ shell.evaluate('''
+ class Dummy {
+ def main(args) {
+ 1.plus(1)
+ }
+ }
+ ''')
+ shell.evaluate('''
+ class Dummy {
+ def run() {
+ 1.plus(1)
+ }
+ }
+ ''')
 assert hasSecurityException {
 shell.evaluate('''
 class Dummy {
@@ -570,6 +609,24 @@ final class SecureASTCustomizerTest {
 }
 ''')
 }
+ assert hasSecurityException {
+ shell.evaluate('''
+ class Dummy {
+ def main(args) {
+ "string".toUpperCase()
+ }
+ }
+ ''')
+ }
+ assert hasSecurityException {
+ shell.evaluate('''
+ class Dummy {
+ def run() {
+ "string".toUpperCase()
+ }
+ }
+ ''')
+ }
 assert hasSecurityException {
 shell.evaluate('''
 class Dummy {
@@ -592,6 +649,34 @@ final class SecureASTCustomizerTest {
 }
 }

+ @Test
+ void testDisallowedReceiversInvokerHelperEdgeCase() {
+ assert 'a,b' == InvokerHelper.invokeStaticMethod(String, 'join', [',', ['a', 'b']] as Object[])
+ customizer.disallowedReceiversClasses = [InvokerHelper]
+ def shell = new GroovyShell(configuration)
+ shell.evaluate('''
+ def run() {
+ assert 'a,b' == String.join(',', ['a', 'b'])
+ }
+ ''')
+ shell.evaluate('''
+ def main() {
+ assert 'a,b' == String.join(',', ['a', 'b'])
+ }
+ ''')
+ shell.evaluate('''
+ static main(args) {
+ assert 'a,b' == String.join(',', ['a', 'b'])
+ }
+ ''')
+ assert hasSecurityException {
+ shell.evaluate('''
+ import org.codehaus.groovy.runtime.InvokerHelper
+ InvokerHelper.invokeStaticMethod(String, 'join', [',', ['a', 'b']] as Object[])
+ ''')
+ }
+ }
+
 @Test
 void testAllowedReceiversWithStaticMethod() {
 customizer.allowedReceiversClasses = [Integer.TYPE]
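Review bot: The only rejected case in `testDisallowedReceiversInvokerHelperEdgeCase` (hunk at -592) calls `InvokerHelper.invokeStaticMethod` from the top-level script body, while the three accepted cases all sit inside `def run()`, `def main()` and `static main(args)`. Nothing here pins that a disallowed receiver is still rejected inside a method with one of those names, which is the shape the earlier hunks of this commit test for `toUpperCase()`. A further `hasSecurityException` block with the call placed inside `def run()`, and a sibling for `def main(args)`, would cover it; the excerpt below is expected to be rejected but has not been run. Separately, the `assert 'a,b' == ...` lines inside the evaluated scripts may not execute under `shell.evaluate` if the declared method is not what the shell invokes (likely for the `main` variants), so those cases probably verify compilation only and a short comment saying so would help.

```groovy
// … unchanged: the three accepted String.join cases and the top-level InvokerHelper case …
assert hasSecurityException {
    shell.evaluate('''
        import org.codehaus.groovy.runtime.InvokerHelper
        def run() {
            InvokerHelper.invokeStaticMethod(String, 'join', [',', ['a', 'b']] as Object[])
        }
    ''')
}
```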