[ https://issues.apache.org/jira/browse/GROOVY-8413?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tim Biggin updated GROOVY-8413:
-------------------------------

    Description: 
I have been attempting to use *SecureASTCustomizer* to secure Groovy scripts, but I've noticed a few odd things happening within *SecureASTCustomizer*.

Problem 1)
Assume I have configured the *starImportsWhitelist* with an entry for +com.company.package.\*+ and have set *indirectImportCheckEnabled* to *true*.

The following code snippet breaks:
{code}
import com.company.package.TestClass;
TestClass test = new TestClass();
test.toString();
{code}

It runs through *assertExpressionAuthorized(...)* and will fail in *assertStaticImportIsAllowed(...)* because +com.company.package.TestClass.toString()+ is not an allowed static import.

This to me makes no sense: +test.toString()+ is 1) not a static call and 2) not an indirect import, because we have an instance of this object and a corresponding import for it.

Problem 2)
Assume I have configured the import star white list with an entry for +com.company.package.\*+ and have set *indirectImportCheckEnabled* to *true*.
{code}
import com.company.package.TestClass;
TestClass.SomeStaticMethod();
{code}

When this code is run through *assertExpressionAuthorized(...)* it is passed in as a *MethodCallExpression*, not a *StaticMethodCallExpression*, so even if I fix problem 1, I cannot tell the difference between method calls and static method calls.

  was:
I have been attempting to use SecureASTCustomizer to secure Groovy scripts, but I've noticed a few odd things happening within SecureASTCustomizer.

Problem 1)
Assume I have configured the import star white list with an entry for 'com.company.package.*' and have set indirectImportCheckEnabled to true.

The following code snippet breaks:
{code}
import com.company.package.TestClass;
TestClass test = new TestClass();
test.toString();
{code}

Because it runs through assertExpressionAuthorized and will fail in assertStaticImportIsAllowed because com.company.package.TestClass.toString() is not an allowed static import.

This to me makes no sense: test.toString() is 1) not a static call and 2) not an indirect import, because we have an instance of this object and a corresponding import for it.

Problem 2)
Assume I have configured the import star white list with an entry for 'com.company.package.*' and have set indirectImportCheckEnabled to true.
{code}
import com.company.package.TestClass;
TestClass.SomeStaticMethod();
{code}

When this code is run through assertExpressionAuthorized it is passed in as a MethodCallExpression, not a StaticMethodCallExpression, so even if I fix problem 1, I cannot tell the difference between method calls and static method calls.


> Potential issue with indirectImportCheckEnabled in SecureASTCustomizer
> ----------------------------------------------------------------------
>
>                 Key: GROOVY-8413
>                 URL: https://issues.apache.org/jira/browse/GROOVY-8413
>             Project: Groovy
>          Issue Type: Bug
>            Reporter: Tim Biggin
>
> I have been attempting to use *SecureASTCustomizer* to secure Groovy scripts,
> but I've noticed a few odd things happening within *SecureASTCustomizer*.
>
> Problem 1)
> Assume I have configured the *starImportsWhitelist* with an entry for
> +com.company.package.\*+ and have set *indirectImportCheckEnabled* to *true*.
>
> The following code snippet breaks:
> {code}
> import com.company.package.TestClass;
> TestClass test = new TestClass();
> test.toString();
> {code}
>
> It runs through *assertExpressionAuthorized(...)* and will fail in
> *assertStaticImportIsAllowed(...)* because
> +com.company.package.TestClass.toString()+ is not an allowed static import.
>
> This to me makes no sense: +test.toString()+ is 1) not a static call and 2)
> not an indirect import, because we have an instance of this object and a
> corresponding import for it.
>
> Problem 2)
> Assume I have configured the import star white list with an entry for
> +com.company.package.\*+ and have set *indirectImportCheckEnabled* to *true*.
> {code}
> import com.company.package.TestClass;
> TestClass.SomeStaticMethod();
> {code}
>
> When this code is run through *assertExpressionAuthorized(...)* it is passed
> in as a *MethodCallExpression*, not a *StaticMethodCallExpression*, so even if
> I fix problem 1, I cannot tell the difference between method calls and static
> method calls.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
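The following is an added reproduction harness for the two scenarios in this report; it is not part of the issue text or of the Groovy project's code. It assumes `java.util.concurrent.*` in place of the reporter's `com.company.package.*` (so the sample scripts resolve without extra classes on the classpath) and assumes empty static-import whitelists, which the report does not specify; the `ExpressionChecker` hook is public `SecureASTCustomizer` API. The harness only compiles the scripts, never runs them, and prints what the installed Groovy version actually does rather than assuming the outcome; on an affected version the report says the instance-call script is rejected inside the static-import check, and the recorder shows which AST node type the `TestClass.someStaticMethod()` style call reaches the customizer as.

```groovy
import org.codehaus.groovy.ast.expr.MethodCallExpression
import org.codehaus.groovy.ast.expr.StaticMethodCallExpression
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.MultipleCompilationErrorsException
import org.codehaus.groovy.control.customizers.SecureASTCustomizer
import org.codehaus.groovy.control.messages.ExceptionMessage

// Sandbox settings mirroring the report: indirect import checking on, one package
// star-whitelisted. java.util.concurrent.* stands in for com.company.package.* so the
// scripts resolve offline (assumption); the empty static whitelists are also an
// assumption, the report does not say how they were configured.
SecureASTCustomizer buildCustomizer() {
    SecureASTCustomizer secure = new SecureASTCustomizer()
    secure.indirectImportCheckEnabled = true
    secure.importsWhitelist = []
    secure.starImportsWhitelist = ['java.util.concurrent.*']
    secure.staticImportsWhitelist = []
    secure.staticStarImportsWhitelist = []
    return secure
}

// Compile (never run) a script under the given customizer.
// Returns null when the sandbox accepts it, otherwise the SecurityException message.
String securityRejection(String script, SecureASTCustomizer customizer) {
    CompilerConfiguration config = new CompilerConfiguration()
    config.addCompilationCustomizers(customizer)
    try {
        new GroovyShell(config).parse(script)
        return null
    } catch (SecurityException e) {
        return e.message
    } catch (MultipleCompilationErrorsException e) {
        // Some Groovy versions surface the SecurityException through the error collector
        Throwable cause = e.errorCollector.errors
            .findAll { it instanceof ExceptionMessage }
            .collect { ((ExceptionMessage) it).cause }
            .find { it instanceof SecurityException }
        if (cause == null) throw e
        return cause.message
    }
}

// Records which AST node type each method call reaches the customizer as, so one can
// see whether a Type.staticMethod() call arrives as MethodCallExpression or
// StaticMethodCallExpression (the report's second point). This recorder allows everything.
List<String> callNodeTypes(String script) {
    List<String> seen = []
    SecureASTCustomizer recorder = new SecureASTCustomizer()
    recorder.addExpressionCheckers({ expr ->
        if (expr instanceof MethodCallExpression || expr instanceof StaticMethodCallExpression) {
            seen << "${expr.class.simpleName}: ${expr.text}".toString()
        }
        return true
    } as SecureASTCustomizer.ExpressionChecker)
    CompilerConfiguration config = new CompilerConfiguration()
    config.addCompilationCustomizers(recorder)
    new GroovyShell(config).parse(script)
    return seen
}

// Constructed scripts, one per problem in the report, using the stand-in package.
String instanceCall = '''
import java.util.concurrent.ConcurrentHashMap
ConcurrentHashMap test = new ConcurrentHashMap()
test.toString()
'''
String staticCall = '''
import java.util.concurrent.Executors
Executors.newSingleThreadExecutor()
'''

SecureASTCustomizer customizer = buildCustomizer()
[instance: instanceCall, 'static': staticCall].each { String label, String src ->
    println "${label} method call -> ${securityRejection(src, customizer) ?: 'accepted by the sandbox'}"
    println "  call nodes seen: ${callNodeTypes(src)}"
}
```

Run it with `groovy repro.groovy` against each Groovy version you deploy. Because `SecureASTCustomizer` is a compile-time filter, a harness like this is the cheapest way to confirm that a whitelist configuration rejects what you expect and still accepts the scripts you intend to allow, before relying on it as a security boundary.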