[ https://issues.apache.org/jira/browse/GROOVY-8135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15999686#comment-15999686 ]
ASF GitHub Bot commented on GROOVY-8135:
----------------------------------------

Github user asfgit closed the pull request at:

    https://github.com/apache/groovy/pull/538

> SecureASTCustomizer whitelist does not work
> -------------------------------------------
>
>                 Key: GROOVY-8135
>                 URL: https://issues.apache.org/jira/browse/GROOVY-8135
>             Project: Groovy
>          Issue Type: Bug
>    Affects Versions: 2.4.8
>            Reporter: Radoslav Ivanov
>            Priority: Critical
>
> The example [1] throws a SecurityException[2]
> Details
> 1. Source code
> SecureASTCustomizer customizer = new SecureASTCustomizer();
> customizer.setIndirectImportCheckEnabled(true);
>
> List<String> starImportsWhitelist = new ArrayList<String>();
> starImportsWhitelist.add("java.lang");
> customizer.setStarImportsWhitelist(starImportsWhitelist);
>
> CompilerConfiguration cc = new CompilerConfiguration();
> cc.addCompilationCustomizers(customizer);
>
> ClassLoader parent = getClass().getClassLoader();
> GroovyClassLoader loader = new GroovyClassLoader(parent, cc);
>
> loader.parseClass("Object[] array = new Object[0]; array.size()");
> 2. Exception
> Caused by: java.lang.SecurityException: Importing [[Ljava.lang.Object;] is not allowed
>       at org.codehaus.groovy.control.customizers.SecureASTCustomizer.assertImportIsAllowed(SecureASTCustomizer.java:608)
>       at org.codehaus.groovy.control.customizers.SecureASTCustomizer.access$800(SecureASTCustomizer.java:121)
>       at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.assertExpressionAuthorized(SecureASTCustomizer.java:702)

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
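
The name in the exception, `[Ljava.lang.Object;`, is the JVM name of `Object[]`, and a package comparison against the whitelisted `java.lang` fails on that string. The Java example below is added here to illustrate this failure mode and a check on the array's element type; it is not Groovy's code or the change from pull request 538. The class and method names are hypothetical, and treating primitive arrays as allowed is an assumption.

```java
import java.util.Arrays;
import java.util.List;

// Hypothetical demo class; not part of Groovy.
public class StarAllowlistDemo {

    // Package part of a type name: everything before the last '.'.
    static String packageOf(String typeName) {
        int dot = typeName.lastIndexOf('.');
        return dot < 0 ? "" : typeName.substring(0, dot);
    }

    // Check on the raw name: "[Ljava.lang.Object;" yields package "[Ljava.lang".
    static boolean rawAllowed(String typeName, List<String> starAllowlist) {
        return starAllowlist.contains(packageOf(typeName));
    }

    // Strip array dimensions from a JVM type name, e.g.
    // "[[Ljava.lang.String;" -> "java.lang.String". Any other input is
    // returned unchanged, so malformed names are still denied by the check.
    static String elementTypeName(String typeName) {
        int dims = 0;
        while (dims < typeName.length() && typeName.charAt(dims) == '[') dims++;
        String rest = typeName.substring(dims);
        boolean wrapped = dims > 0 && rest.startsWith("L") && rest.endsWith(";");
        return wrapped ? rest.substring(1, rest.length() - 1) : typeName;
    }

    // Check on the element type, so an array is allowed exactly when its
    // element class is. Assumption: primitive arrays ("[I", "[[Z", ...) are
    // acceptable, since a star import cannot name them.
    static boolean elementAllowed(String typeName, List<String> starAllowlist) {
        if (typeName.matches("\\[+[ZBCSIJFD]")) return true;
        return rawAllowed(elementTypeName(typeName), starAllowlist);
    }

    public static void main(String[] args) {
        List<String> allow = Arrays.asList("java.lang"); // as in the report
        // Constructed samples; java.io.File[] must stay denied by both checks.
        Class<?>[] samples = { Object.class, Object[].class, String[][].class,
                               int[].class, java.io.File[].class };
        for (Class<?> c : samples) {
            String name = c.getName();
            System.out.printf("%-24s raw=%-5b element=%b%n", name,
                    rawAllowed(name, allow), elementAllowed(name, allow));
        }
    }
}
```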