[
https://issues.apache.org/jira/browse/GROOVY-8413?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Tim Biggin updated GROOVY-8413:
-------------------------------
Description:
I have been attempting to use *SecureASTCustomizer* to secure Groovy scripts,
but I've noticed a few odd things happening within *SecureASTCustomizer*.
Problem 1)
Assume I have configured the *starImportsWhitelist* with an entry for
+com.company.package.\*+ and have set *indirectImportCheckEnabled* to *true*.
The following code snippet breaks:
{code}
import com.company.package.TestClass;
TestClass test = new TestClass();
test.toString();
{code}
It runs through *assertExpressionAuthorized(...)* and will fail in
*assertStaticImportIsAllowed(...)* because
+com.company.package.TestClass.toString()+ is not an allowed static import.
This makes no sense to me: +test.toString()+ is 1) not a static call and 2) not
an indirect import, because we have an instance of this object and a
corresponding import for it.
Problem 2)
Assume I have configured the star import whitelist with an entry for
+com.company.package.\*+ and have set *indirectImportCheckEnabled* to *true*.
{code}
import com.company.package.TestClass;
TestClass.SomeStaticMethod();
{code}
When this code is run through *assertExpressionAuthorized(...)* it is passed in
as a *MethodCallExpression*, not a *StaticMethodCallExpression*, so even if I
fix problem 1, I cannot tell the difference between method calls and static
method calls.
was:
I have been attempting to use SecureASTCustomizer to secure Groovy scripts, but
I've noticed a few odd things happening within SecureASTCustomizer.
Problem 1)
Assume I have configured the star import whitelist with an entry for
'com.company.package.*' and have set indirectImportCheckEnabled to true.
The following code snippet breaks:
{code}
import com.company.package.TestClass;
TestClass test = new TestClass();
test.toString();
{code}
It runs through assertExpressionAuthorized and will fail in
assertStaticImportIsAllowed because com.company.package.TestClass.toString() is
not an allowed static import. This makes no sense to me: test.toString() is 1)
not a static call and 2) not an indirect import, because we have an instance
of this object and a corresponding import for it.
Problem 2)
Assume I have configured the star import whitelist with an entry for
'com.company.package.*' and have set indirectImportCheckEnabled to true.
{code}
import com.company.package.TestClass;
TestClass.SomeStaticMethod();
{code}
When this code is run through assertExpressionAuthorized it is passed in as a
MethodCallExpression, not a StaticMethodCallExpression, so even if I fix problem
1, I cannot tell the difference between method calls and static method calls.
> Potential issue with indirectImportCheckEnabled in SecureASTCustomizer
> ----------------------------------------------------------------------
>
> Key: GROOVY-8413
> URL: https://issues.apache.org/jira/browse/GROOVY-8413
> Project: Groovy
> Issue Type: Bug
> Reporter: Tim Biggin
>
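The following harness is an added example, not part of the JIRA report and not Groovy project code. It applies the two settings the report describes (a star import whitelist plus indirectImportCheckEnabled) and compiles both snippets under that sandbox, printing SecureASTCustomizer's verdict for each, so the behaviour can be checked on whatever Groovy version is on the classpath. Assumptions: the package com.example.sandbox, the class TestClass and the method someStaticMethod stand in for the reporter's placeholders (com.company.package is not a legal package name, since package is a keyword), and the helper class is compiled into the shell's class loader only so the imports resolve offline.

```groovy
// Added example (not from the JIRA report or the Groovy project): reproduce the
// SecureASTCustomizer configuration from GROOVY-8413 and observe its verdict on
// an instance method call and on a static call written as TestClass.method().
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.MultipleCompilationErrorsException
import org.codehaus.groovy.control.customizers.SecureASTCustomizer

// Assumption: a stand-in for the reporter's com.company.package.TestClass, compiled
// into a GroovyClassLoader so that the sandboxed scripts can import it offline.
def loader = new GroovyClassLoader(this.class.classLoader)
loader.parseClass('''
    package com.example.sandbox
    class TestClass {
        static String someStaticMethod() { 'static call' }
        String toString() { 'instance call' }
    }
''')

// The configuration from the report: star import whitelist + indirect import checks.
def secure = new SecureASTCustomizer()
secure.starImportsWhitelist = ['com.example.sandbox.*']
secure.indirectImportCheckEnabled = true

def config = new CompilerConfiguration()
config.addCompilationCustomizers(secure)
def shell = new GroovyShell(loader, new Binding(), config)

// Compile and run one snippet under the sandbox; report the verdict instead of aborting.
// SecureASTCustomizer throws SecurityException at compile time, which the compiler
// normally wraps in MultipleCompilationErrorsException, so both are caught.
String runSandboxed(GroovyShell sh, String label, String source) {
    try {
        def result = sh.evaluate(source)
        return "$label: allowed (result: $result)"
    } catch (MultipleCompilationErrorsException | SecurityException e) {
        return "$label: rejected -> ${e.message}"
    }
}

// Problem 1 from the report: instance method call on an imported, whitelisted type.
println runSandboxed(shell, 'problem 1', '''
    import com.example.sandbox.TestClass
    TestClass test = new TestClass()
    test.toString()
''')

// Problem 2 from the report: a static call written as TestClass.method(), which the
// compiler hands to SecureASTCustomizer as a MethodCallExpression whose receiver is
// the class, not as a StaticMethodCallExpression.
println runSandboxed(shell, 'problem 2', '''
    import com.example.sandbox.TestClass
    TestClass.someStaticMethod()
''')
```

Run it with the Groovy version under test on the classpath; if the report's observation holds for that version, the first snippet is rejected with a message naming the static import check even though test.toString() is an instance call, and the second snippet shows that a static call through the class name is still seen as a MethodCallExpression. Adding an explicit staticImportsWhitelist entry for the method, or an ExpressionChecker that inspects the receiver of a MethodCallExpression for a ClassExpression, are the two knobs the customizer exposes for telling the cases apart while the check stays on.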
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)