Hi folks,

We are planning to add the ability to set system properties via the @GrabConfig 
annotation[1]. This will allow scripts which use @Grab to access an Ivy/Maven 
repo via a proxy (e.g. using system property http.proxyHost) or specify a trust 
certificate store (using the javax.net.ssl.keystore system property) or set 
other needed system properties. This will use System.setProperty under the 
covers[2], so a well-defined security mechanism is in place.

We don't see this proposed feature as creating any additional security risk 
since you could just as easily add such system properties when invoking the JVM 
at the command-line or have System.setProperty lines in your script - the only 
difference in the latter case is the timing since @Grab does its magic during 
class initialization and adds the grabbed jars to the classpath if needed, so 
the properties must be set before the script is run.

While we don't believe this introduces any new risks, we thought we'd ask for 
wider feedback and see if anyone else perceives any possible security risk that 
we might not be aware of and allow us to modify the proposed approach[2] if 
needed to mitigate any such risks.

Cheers, Paul.
[1] https://issues.apache.org/jira/browse/GROOVY-7548
[2] https://github.com/apache/incubator-groovy/pull/83
