[ https://issues.apache.org/jira/browse/GROOVY-8135?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul King closed GROOVY-8135.
-----------------------------

> SecureASTCustomizer whitelist does not work
> -------------------------------------------
>
>                 Key: GROOVY-8135
>                 URL: https://issues.apache.org/jira/browse/GROOVY-8135
>             Project: Groovy
>          Issue Type: Bug
>    Affects Versions: 2.4.8
>            Reporter: Radoslav Ivanov
>            Assignee: John Wagenleitner
>            Priority: Critical
>             Fix For: 2.4.12
>
>
> The example [1] throws a SecurityException[2]
> Details
> 1. Source code
> SecureASTCustomizer customizer = new SecureASTCustomizer();
> customizer.setIndirectImportCheckEnabled(true);
>       
> List<String> starImportsWhitelist = new ArrayList<String>();
> starImportsWhitelist.add("java.lang");
> customizer.setStarImportsWhitelist(starImportsWhitelist);
>       
> CompilerConfiguration cc = new CompilerConfiguration();
> cc.addCompilationCustomizers(customizer);
>               
> ClassLoader parent = getClass().getClassLoader();
> GroovyClassLoader loader = new GroovyClassLoader(parent, cc);
>               
> loader.parseClass("Object[] array = new Object[0]; array.size()");    
> 2. Exception
> Caused by: java.lang.SecurityException: Importing [[Ljava.lang.Object;] is not allowed
>       at org.codehaus.groovy.control.customizers.SecureASTCustomizer.assertImportIsAllowed(SecureASTCustomizer.java:608)
>       at org.codehaus.groovy.control.customizers.SecureASTCustomizer.access$800(SecureASTCustomizer.java:121)
>       at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.assertExpressionAuthorized(SecureASTCustomizer.java:702)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
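
The exception in the report names the rejected type as `[Ljava.lang.Object;`, the JVM binary name of `Object[]`, which does not begin with the whitelisted `java.lang` package. The Java example below is added here and is not taken from the issue or from Groovy's source; the class `StarWhitelistDemo`, its prefix-match check and its handling of primitives are assumptions for illustration. It shows that a name-prefix star whitelist rejects array types, and that checking the array's element type accepts `Object[]` without admitting types from other packages.

```java
import java.util.Arrays;
import java.util.List;

// Added illustration; not Groovy's SecureASTCustomizer implementation.
public class StarWhitelistDemo {

    // Assumed shape of a star-import check: the class name must start with "<package>.".
    static boolean naiveAllowed(String className, List<String> starWhitelist) {
        for (String pkg : starWhitelist) {
            if (className.startsWith(pkg + ".")) {
                return true;
            }
        }
        return false;
    }

    // Unwrap every array dimension: Object[][] -> Object.
    static Class<?> elementType(Class<?> type) {
        while (type.isArray()) {
            type = type.getComponentType();
        }
        return type;
    }

    // Check the element type instead of the array's binary name.
    // Primitives have no package; letting them through is this demo's policy choice.
    static boolean normalizedAllowed(Class<?> type, List<String> starWhitelist) {
        Class<?> element = elementType(type);
        return element.isPrimitive() || naiveAllowed(element.getName(), starWhitelist);
    }

    public static void main(String[] args) {
        // Same whitelist as in the report.
        List<String> whitelist = Arrays.asList("java.lang");
        // Constructed sample types: allowed scalar, allowed arrays, primitive array,
        // and an array whose element type is outside the whitelist.
        Class<?>[] samples = {
            Object.class, Object[].class, String[][].class, int[].class, java.io.File[].class
        };
        for (Class<?> c : samples) {
            System.out.printf("%-24s naive=%-5b normalized=%b%n",
                    c.getName(),
                    naiveAllowed(c.getName(), whitelist),
                    normalizedAllowed(c, whitelist));
        }
    }
}
```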
