[ https://issues.apache.org/jira/browse/GROOVY-8135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15999546#comment-15999546 ]

ASF GitHub Bot commented on GROOVY-8135:
----------------------------------------

GitHub user armsargis opened a pull request:

    https://github.com/apache/groovy/pull/538

    GROOVY-8135: SecureASTCustomizer whitelist does not work

    For arrays we should get componentType instead of type

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/armsargis/groovy GROOVY-8135

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/groovy/pull/538.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #538
    
----
commit db11e31730d108510324e09ff02c052f416eaa0d
Author: Sargis Harutyunyan <[email protected]>
Date:   2017-05-06T19:34:42Z

    GROOVY-8135: SecureASTCustomizer whitelist does not work
    
    For arrays we should get componentType instead of type

commit e852b9782c6dd5a00b98a590cee63567a6a72a27
Author: Sargis Harutyunyan <[email protected]>
Date:   2017-05-06T19:39:42Z

    Merge branch 'master' into GROOVY-8135

----


> SecureASTCustomizer whitelist does not work
> -------------------------------------------
>
>                 Key: GROOVY-8135
>                 URL: https://issues.apache.org/jira/browse/GROOVY-8135
>             Project: Groovy
>          Issue Type: Bug
>    Affects Versions: 2.4.8
>            Reporter: Radoslav Ivanov
>            Priority: Critical
>
> The example [1] throws a SecurityException[2]
> Details
> 1. Source code
> SecureASTCustomizer customizer = new SecureASTCustomizer();
> customizer.setIndirectImportCheckEnabled(true);
>       
> List<String> starImportsWhitelist = new ArrayList<String>();
> starImportsWhitelist.add("java.lang");
> customizer.setStarImportsWhitelist(starImportsWhitelist);
>       
> CompilerConfiguration cc = new CompilerConfiguration();
> cc.addCompilationCustomizers(customizer);
>               
> ClassLoader parent = getClass().getClassLoader();
> GroovyClassLoader loader = new GroovyClassLoader(parent, cc);
>               
> loader.parseClass("Object[] array = new Object[0]; array.size()");    
> 2. Exception
> Caused by: java.lang.SecurityException: Importing [[Ljava.lang.Object;] is not allowed
>       at org.codehaus.groovy.control.customizers.SecureASTCustomizer.assertImportIsAllowed(SecureASTCustomizer.java:608)
>       at org.codehaus.groovy.control.customizers.SecureASTCustomizer.access$800(SecureASTCustomizer.java:121)
>       at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.assertExpressionAuthorized(SecureASTCustomizer.java:702)



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
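
The pull request's one-line rationale ("For arrays we should get componentType instead of type") can be seen in isolation with the added sketch below. It is not code from SecureASTCustomizer or from the pull request: the class name, the helper names and the sample list are hypothetical, and accepting primitive element types is an assumption of the sketch.

```java
import java.util.Arrays;
import java.util.List;

// Added illustration; not the SecureASTCustomizer source.
public class StarImportWhitelistDemo {
    // Constructed whitelist, mirroring the reporter's single "java.lang" entry.
    static final List<String> STAR_IMPORTS = Arrays.asList("java.lang.");

    // Check on the raw class name: an array's name is a JVM descriptor such as
    // "[Ljava.lang.Object;", so it never matches a package prefix.
    static boolean allowedByName(Class<?> type) {
        return matches(type.getName());
    }

    // Check on the innermost component type (hypothetical helper).
    static boolean allowedByComponent(Class<?> type) {
        Class<?> t = type;
        while (t.isArray()) {
            t = t.getComponentType();   // Object[][] -> Object[] -> Object
        }
        // Assumption of this sketch: primitives need no import and are accepted.
        return t.isPrimitive() || matches(t.getName());
    }

    static boolean matches(String className) {
        for (String prefix : STAR_IMPORTS) {
            // Sketch behaviour: like a Java star import, an entry covers the
            // package itself and not its subpackages.
            if (className.startsWith(prefix)
                    && className.indexOf('.', prefix.length()) < 0) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed samples: a plain class, arrays of whitelisted types,
        // a primitive array, and an array of a type outside the whitelist.
        Class<?>[] samples = { Object.class, Object[].class, String[][].class,
                               int[].class, java.io.File[].class };
        for (Class<?> c : samples) {
            System.out.printf("%-24s byName=%-5b byComponent=%b%n",
                    c.getName(), allowedByName(c), allowedByComponent(c));
        }
    }
}
```

The java.io.File[] sample is the case to keep in a regression test: unwrapping the array must hand the element type to the same whitelist check, so an array of a non-whitelisted class is still rejected.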
