Radoslav Ivanov created GROOVY-8135:
---------------------------------------

             Summary: SecureASTCustomizer whitelist does not work
                 Key: GROOVY-8135
                 URL: https://issues.apache.org/jira/browse/GROOVY-8135
             Project: Groovy
          Issue Type: Bug
    Affects Versions: 2.4.8
            Reporter: Radoslav Ivanov


The example [1] throws a SecurityException [2].

Details

1. Source code

    import groovy.lang.GroovyClassLoader;
    import java.util.ArrayList;
    import java.util.List;
    import org.codehaus.groovy.control.CompilerConfiguration;
    import org.codehaus.groovy.control.customizers.SecureASTCustomizer;

    SecureASTCustomizer customizer = new SecureASTCustomizer();
    customizer.setIndirectImportCheckEnabled(true);

    // Whitelist every class in java.lang via a star import
    List<String> starImportsWhitelist = new ArrayList<String>();
    starImportsWhitelist.add("java.lang");
    customizer.setStarImportsWhitelist(starImportsWhitelist);

    CompilerConfiguration cc = new CompilerConfiguration();
    cc.addCompilationCustomizers(customizer);

    ClassLoader parent = getClass().getClassLoader();
    GroovyClassLoader loader = new GroovyClassLoader(parent, cc);
    // Throws the SecurityException shown in [2]
    loader.parseClass("Object[] array = new Object[0]; array.size()");

2. Exception

    Caused by: java.lang.SecurityException: Importing [[Ljava.lang.Object;] is not allowed
        at org.codehaus.groovy.control.customizers.SecureASTCustomizer.assertImportIsAllowed(SecureASTCustomizer.java:608)
        at org.codehaus.groovy.control.customizers.SecureASTCustomizer.access$800(SecureASTCustomizer.java:121)
        at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.assertExpressionAuthorized(SecureASTCustomizer.java:702)



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
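
The name in the exception, `[Ljava.lang.Object;`, is the JVM's binary name for `Object[]`. The following is an added example, not code from the report or from Groovy: a stand-alone model of a package whitelist check, showing how a check that derives the package from the raw class name rejects array types and how reducing the name to its element type first avoids that without loosening the whitelist. The class and method names are hypothetical, and that the check works from the raw name is an assumption.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hypothetical model of a star-import whitelist check; not SecureASTCustomizer's code.
public class ArrayNameWhitelistDemo {
    // Constructed whitelist mirroring the single entry used in the report.
    static final Set<String> STAR_WHITELIST = new HashSet<>(Arrays.asList("java.lang"));

    // Assumed naive check: the package is whatever precedes the last '.' of the raw name.
    static boolean naiveAllowed(String className) {
        int dot = className.lastIndexOf('.');
        String pkg = dot < 0 ? "" : className.substring(0, dot);
        return STAR_WHITELIST.contains(pkg);
    }

    // Reduce a JVM array name to its element type, then apply the same whitelist.
    static boolean normalizedAllowed(String className) {
        String name = className.replaceFirst("^\\[+", "");   // drop array dimensions
        if (name.length() < className.length()) {            // the name was an array
            if (name.length() == 1) {
                return true;                                  // primitive element such as "[I"
            }
            name = name.substring(1, name.length() - 1);     // drop leading 'L' and trailing ';'
        }
        return naiveAllowed(name);
    }

    public static void main(String[] args) {
        String[] names = {
            String.class.getName(),             // java.lang.String
            Object[].class.getName(),           // [Ljava.lang.Object;
            Object[][].class.getName(),         // [[Ljava.lang.Object;
            int[].class.getName(),              // [I
            java.io.File[].class.getName()      // [Ljava.io.File; (must stay rejected)
        };
        for (String n : names) {
            System.out.printf("%-24s naive=%-5b normalized=%b%n",
                    n, naiveAllowed(n), normalizedAllowed(n));
        }
    }
}
```

With the naive check, `[Ljava.lang.Object;` yields the package string `[Ljava.lang`, which is not on the whitelist; after normalization it resolves to `java.lang`, while `java.io.File[]` is still rejected.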