[
https://issues.apache.org/jira/browse/GROOVY-10184?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Eric Milles updated GROOVY-10184:
---------------------------------
Fix Version/s: 3.0.10
> NPE in SecureASTCustomizer with indirectImportCheckEnabled
> ----------------------------------------------------------
>
> Key: GROOVY-10184
> URL: https://issues.apache.org/jira/browse/GROOVY-10184
> Project: Groovy
> Issue Type: Bug
> Affects Versions: 2.5.13
> Reporter: Dariusz Kowzan
> Assignee: Eric Milles
> Priority: Major
> Fix For: 4.0.0-beta-2, 3.0.10
>
>
> NPE is thrown by SecureASTCustomizer in this scenario:
> {code:java}
> SecureASTCustomizer customizer = new SecureASTCustomizer();
> List<String> list = new ArrayList<>();
> list.add("java.lang.*");
> customizer.setAllowedStarImports(list);
> customizer.setIndirectImportCheckEnabled(true);
> CompilerConfiguration conf = new CompilerConfiguration();
> conf.addCompilationCustomizers(customizer);
> GroovyShell shell = new GroovyShell(conf);
> shell.evaluate("def obj = new Object(); def method = \"hashcode\"; obj.\"${method}\"()");
> {code}
> This happens only with setIndirectImportCheckEnabled(true)
> and object methods being invoked by obj."${method}"();
> The stacktrace is:
> {code:java}
> Caused by: java.lang.NullPointerException
>     at org.codehaus.groovy.control.customizers.SecureASTCustomizer.assertStaticImportIsAllowed(SecureASTCustomizer.java:967)
>     at org.codehaus.groovy.control.customizers.SecureASTCustomizer.access$900(SecureASTCustomizer.java:184)
>     at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.assertExpressionAuthorized(SecureASTCustomizer.java:1043)
>     at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.visitMethodCallExpression(SecureASTCustomizer.java:1197)
>     at org.codehaus.groovy.ast.expr.MethodCallExpression.visit(MethodCallExpression.java:68)
>     at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.visitExpressionStatement(SecureASTCustomizer.java:1123)
>     at org.codehaus.groovy.ast.stmt.ExpressionStatement.visit(ExpressionStatement.java:40)
>     at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.visitBlockStatement(SecureASTCustomizer.java:1083)
>     at org.codehaus.groovy.ast.stmt.BlockStatement.visit(BlockStatement.java:69)
>     at org.codehaus.groovy.control.customizers.SecureASTCustomizer.call(SecureASTCustomizer.java:893)
>     at org.codehaus.groovy.control.CompilationUnit.applyToPrimaryClassNodes(CompilationUnit.java:1084)
>     ... 88 more
> {code}
>
>