Tim Biggin created GROOVY-8413:
----------------------------------

             Summary: Potential issue with indirectImportCheckEnabled in SecureASTCustomizer
                 Key: GROOVY-8413
                 URL: https://issues.apache.org/jira/browse/GROOVY-8413
             Project: Groovy
          Issue Type: Bug
            Reporter: Tim Biggin


I have been attempting to use SecureASTCustomizer to secure Groovy scripts, but 
I've noticed a few odd things happening within SecureASTCustomizer. 

Problem 1)
Assume I have configured the import star white list with an entry for 
'com.company.package.*' and have set indirectImportCheckEnabled to true.

The following code snippet breaks:
{code}
import com.company.package.TestClass;

TestClass test = new TestClass();
test.toString();
{code}

It breaks because it runs through assertExpressionAuthorized and fails in 
assertStaticImportIsAllowed, because com.company.package.TestClass.toString() is 
not an allowed static import. This makes no sense to me: test.toString() is 1) 
not a static call and 2) not an indirect import, because we have an instance 
of this object and a corresponding import for it.

Problem 2)
Assume I have configured the import star white list with an entry for 
'com.company.package.*' and have set indirectImportCheckEnabled to true.

{code}
import com.company.package.TestClass;

TestClass.SomeStaticMethod();
{code}

When this code is run through assertExpressionAuthorized it is passed in as a 
MethodCallExpression not a StaticMethodCallExpression, so even if I fix problem 
1, I cannot tell the difference between method calls and static method calls.
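The following is an added example, not code from the reporter or from the Groovy project. It builds a GroovyShell sandboxed by SecureASTCustomizer with the configuration described in Problem 1 (a star-import whitelist plus indirectImportCheckEnabled) and runs the Problem 1 script shape against it twice, once with the indirect check off and once with it on, so that the rejection can be observed rather than inferred. It assumes the Groovy 2.x setter names (starImportsWhitelist, indirectImportCheckEnabled) that this report's era uses; later Groovy versions rename the whitelist/blacklist properties. The JDK class java.util.ArrayList stands in for the reporter's placeholder com.company.package.TestClass, and the sandboxedShell and probe helpers are names chosen for this example.

```groovy
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.customizers.SecureASTCustomizer

// Build a GroovyShell whose compiler runs SecureASTCustomizer with a
// star-import whitelist and the indirect-import check toggled per call.
// (Example helper, not part of the Groovy API; java.util.* replaces the
// report's com.company.package.* placeholder.)
def sandboxedShell(boolean indirectCheck) {
    def secure = new SecureASTCustomizer()
    secure.starImportsWhitelist = ['java.util.*']     // allow-list semantics: anything else is rejected
    secure.indirectImportCheckEnabled = indirectCheck // the setting the report is about

    def config = new CompilerConfiguration()
    config.addCompilationCustomizers(secure)
    return new GroovyShell(config)
}

// Same shape as the Problem 1 script: import a whitelisted class, create an
// instance, and call an ordinary (non-static) instance method on it.
String problem1Script = '''
import java.util.ArrayList

ArrayList list = new ArrayList()
list.toString()
'''

// Compile and run a script inside the sandbox and report the outcome.
// SecureASTCustomizer rejects a script at compile time by throwing
// SecurityException, so evaluate() either returns the script result or throws.
def probe(String label, GroovyShell shell, String source) {
    try {
        def result = shell.evaluate(source)
        println "${label}: allowed -> ${result}"
        return true
    } catch (SecurityException e) {
        println "${label}: rejected -> ${e.message}"
        return false
    }
}

// Run the same script with the indirect check off and on. The second run is
// the configuration the report describes; comparing the two outputs shows
// whether the instance call is what triggers the rejection.
probe('indirectImportCheckEnabled=false', sandboxedShell(false), problem1Script)
probe('indirectImportCheckEnabled=true',  sandboxedShell(true),  problem1Script)
```

Running this kind of probe before deploying a sandbox configuration is the practical check: SecureASTCustomizer enforces its rules only at compile time, so a rule that rejects legitimate scripts (as in Problem 1) or that cannot distinguish instance calls from static calls (as in Problem 2) shows up as a SecurityException, or the absence of one, on a known-good and a known-bad script.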



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
