[ https://issues.apache.org/jira/browse/GROOVY-10184?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Eric Milles reassigned GROOVY-10184: ------------------------------------ Assignee: Eric Milles > NPE in SecureASTCustomizer with indirectImportCheckEnabled > ---------------------------------------------------------- > > Key: GROOVY-10184 > URL: https://issues.apache.org/jira/browse/GROOVY-10184 > Project: Groovy > Issue Type: Bug > Affects Versions: 2.5.13 > Reporter: Dariusz Kowzan > Assignee: Eric Milles > Priority: Major > > NPE is thrown by SecureASTCustomizer in this scenario: > {code:java} > SecureASTCustomizer customizer = new SecureASTCustomizer(); > List<String> list = new ArrayList<>(); > list.add("java.lang.*"); > customizer.setAllowedStarImports(list); > customizer.setIndirectImportCheckEnabled(true); > CompilerConfiguration conf = new CompilerConfiguration(); > conf.addCompilationCustomizers(customizer); > GroovyShell shell = new GroovyShell(conf); > shell.evaluate("def obj = new Object(); def method = \"hashcode\"; > obj.\"${method}\"()"); > {code} > This happens only with setIndirectImportCheckEnabled(true) > and object methods being invoked by obj."${method}"(); > The stacktrace is: > {code:java} > Caused by: java.lang.NullPointerExceptionCaused by: > java.lang.NullPointerException at > org.codehaus.groovy.control.customizers.SecureASTCustomizer.assertStaticImportIsAllowed(SecureASTCustomizer.java:967) > at > org.codehaus.groovy.control.customizers.SecureASTCustomizer.access$900(SecureASTCustomizer.java:184) > at > org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.assertExpressionAuthorized(SecureASTCustomizer.java:1043) > at > org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.visitMethodCallExpression(SecureASTCustomizer.java:1197) > at > org.codehaus.groovy.ast.expr.MethodCallExpression.visit(MethodCallExpression.java:68) > at > org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.visitExpressionStatement(SecureASTCustomizer.java:1123) > at > org.codehaus.groovy.ast.stmt.ExpressionStatement.visit(ExpressionStatement.java:40) > at > org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.visitBlockStatement(SecureASTCustomizer.java:1083) > at org.codehaus.groovy.ast.stmt.BlockStatement.visit(BlockStatement.java:69) > at > org.codehaus.groovy.control.customizers.SecureASTCustomizer.call(SecureASTCustomizer.java:893) > at > org.codehaus.groovy.control.CompilationUnit.applyToPrimaryClassNodes(CompilationUnit.java:1084) > ... 88 more > {code} > > -- This message was sent by Atlassian Jira (v8.3.4#803005)