[jira] [Commented] (GROOVY-8163) Groovy scripts can disable java security manager and escape sandbox
[ https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16036421#comment-16036421 ]

ASF GitHub Bot commented on GROOVY-8163:
----------------------------------------

Github user asfgit closed the pull request at:

    https://github.com/apache/groovy/pull/532


> Groovy scripts can disable java security manager and escape sandbox
> -------------------------------------------------------------------
>
>                 Key: GROOVY-8163
>                 URL: https://issues.apache.org/jira/browse/GROOVY-8163
>             Project: Groovy
>          Issue Type: Bug
>    Affects Versions: 2.5.0-alpha-1, 2.4.9, 2.4.10
>            Reporter: Dimitry Polivaev
>
> Consider following test
> {code}
> package groovytest;
>
> import groovy.util.Eval;
> import org.junit.*;
>
> import java.net.URL;
> import java.security.AccessController;
> import java.security.PrivilegedAction;
>
> public class GroovySecurityTest {
>     public static final String RESTRICTED_PERMISSIONS_FOR_SCRIPT_ONLY_POLICY =
>             "/restrictedPermissionsForScriptOnlyPolicy.txt";
>     public static final String POLICY = RESTRICTED_PERMISSIONS_FOR_SCRIPT_ONLY_POLICY;
>
>     @BeforeClass
>     public static void setPolicy() throws Exception {
>         final String dirTest =
>                 GroovySecurityTest.class.getProtectionDomain().getCodeSource().getLocation().toString();
>         final String dirGroovy =
>                 Eval.class.getProtectionDomain().getCodeSource().getLocation().toString();
>         System.setProperty("dir.test", dirTest + "-");
>         System.setProperty("dir.groovy", dirGroovy);
>         final URL policy = GroovySecurityTest.class.getResource(POLICY);
>         System.setProperty("java.security.policy", policy.toString());
>     }
>
>     @Before
>     public void setSecurityManager() throws Exception {
>         System.setSecurityManager(new SecurityManager());
>     }
>
>     @After
>     public void removeSecurityManager() throws Exception {
>         AccessController.doPrivileged(new PrivilegedAction<Void>() {
>             @Override
>             public Void run() {
>                 System.setSecurityManager(null);
>                 return null;
>             }
>         });
>     }
>
>     @Test
>     public void doesNotChangeScriptPermissionsUsungPrivateFieldAccess() throws Exception {
>         try {
>             AccessController.doPrivileged(new PrivilegedAction<Void>() {
>                 @Override
>                 public Void run() {
>                     Eval.me("getClass().protectionDomain0.hasAllPerm = true;"
>                             + "System.setSecurityManager(null);"
>                             + "1");
>                     return null;
>                 }
>             });
>         } catch (Exception e) {
>         }
>         Assert.assertNotNull(System.getSecurityManager());
>     }
> }
> {code}
> with following policy file restrictedPermissionsForScriptOnlyPolicy.txt
> {code}
> grant codeBase "${dir.test}" {
>     permission java.security.AllPermission;
> };
>
> grant codeBase "${dir.groovy}" {
>     permission java.security.AllPermission;
> };
>
> grant {
> };
> {code}
> It fails: security manager is not set any more when the test assertion is checked.
> It happens because CachedField from org.codehaus.groovy.reflection is created within trusted code base (groovy jar) and gives access to the field to untrusted scripts without any security checks. The same problem relates to CachedMethod which would allow any script to access protected method java.lang.ClassLoader#defineClass(java.lang.String, byte[], int, int, java.security.ProtectionDomain) that can be misused to manipulate code sources of classes loaded from script to give them all permissions.
> It also appears that if I remove permissions from groovy.jar using more restrictive policy using following policy file restrictedPermissionsPolicy.txt
> {code}
> grant codeBase "${dir.test}" {
>     permission java.lang.RuntimePermission "*";
>     permission java.security.SecurityPermission "*";
>     permission java.io.FilePermission "<<ALL FILES>>", "read";
>     permission java.util.PropertyPermission "*", "read";
>     permission groovy.security.GroovyCodeSourcePermission "*";
> };
>
> grant codeBase "${dir.groovy}" {
>     permission java.lang.RuntimePermission "*";
>     permission java.security.SecurityPermission "*";
>     permission java.io.FilePermission "<<ALL FILES>>", "read";
>     permission java.util.PropertyPermission "*", "read";
>     permission groovy.security.GroovyCodeSourcePermission "*";
> };
>
> grant {
>     permission java.lang.RuntimePermission "accessDeclaredMembers";
> };
> {code}
> it has a consequence that groovy can not access even some public methods on bean properti
[jira] [Commented] (GROOVY-8163) Groovy scripts can disable java security manager and escape sandbox
[ https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16027609#comment-16027609 ]

Dimitry Polivaev commented on GROOVY-8163:
------------------------------------------

Could you please check the changes I implemented after the review?
[jira] [Commented] (GROOVY-8163) Groovy scripts can disable java security manager and escape sandbox
[ https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16014646#comment-16014646 ]

Dimitry Polivaev commented on GROOVY-8163:
------------------------------------------

The catch is needed to make the above test https://issues.apache.org/jira/browse/GROOVY-8163?focusedCommentId=16009695&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16009695 pass.
[jira] [Commented] (GROOVY-8163) Groovy scripts can disable java security manager and escape sandbox
[ https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16014645#comment-16014645 ]

ASF GitHub Bot commented on GROOVY-8163:
----------------------------------------

Github user dpolivaev commented on a diff in the pull request:

    https://github.com/apache/groovy/pull/532#discussion_r117087531

    --- Diff: src/main/groovy/lang/MetaClassImpl.java ---
@@ -1832,6 +1832,9 @@ public Object getProperty(Class sender, Object object, String name, boolean useS } catch (IllegalArgumentException e) { // can't access the field directly but there may be a getter mp = null; +} catch (GroovyRuntimeException e) { +// can't access the field directly but there may be a getter +mp = null;
    --- End diff --

    I do not have a unit test to explain this catch block. I do have the integration test https://issues.apache.org/jira/browse/GROOVY-8163?focusedCommentId=16009695&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16009695. The problem is that for some classes C with a private member called "name", the class property C.class.name, which corresponds to the Java call C.class.getName(), does not work unless this catch block is added.
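Review bot: the new catch (GroovyRuntimeException e) branch is far broader than the IllegalArgumentException branch it copies, and it turns any failure raised inside the field access, including an AccessControlException wrapped in a GroovyRuntimeException, into a silent "no field, try a getter" fallback, so a denied access is never reported to the caller; narrow the catch to the specific exception the access check raises, or handle the denied access inside CachedField.getProperty the same way its IllegalAccessException is handled so this method needs no extra catch at all. The duplicated comment `// can't access the field directly but there may be a getter` should also state why a GroovyRuntimeException can reach this point, and since the author notes there is only an integration test for it, the branch needs a unit test covering the C.class.name case before merge.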
[jira] [Commented] (GROOVY-8163) Groovy scripts can disable java security manager and escape sandbox
[ https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16014586#comment-16014586 ]

John Wagenleitner commented on GROOVY-8163:
-------------------------------------------

My hunch is that a {{GroovyRuntimeException}} should probably not be caught at that point. I would have assumed an {{AccessControlException}} from {{CachedField.getProperty}} would be treated similarly to the {{IllegalAccessException}} in the same method (wrapped in GRE and not caught at that point).
[jira] [Commented] (GROOVY-8163) Groovy scripts can disable java security manager and escape sandbox
[ https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16009695#comment-16009695 ]

Dimitry Polivaev commented on GROOVY-8163:
------------------------------------------

The need for patching {{MetaClassImpl}} if {{GroovyRuntimeException}} is thrown instead of {{IllegalArgumentException}}, as suggested in the review, is demonstrated by the following test added to {{GroovySecurityTest}}:

{code}
// needs: import java.util.logging.Logger;
@Test
public void returnsLoggerClassName() throws Exception {
    AccessController.doPrivileged(new PrivilegedAction<Void>() {
        @Override
        public Void run() {
            Assert.assertEquals("java.util.logging.Logger",
                    Eval.x(Logger.getGlobal(), "x.class.name"));
            return null;
        }
    });
}
{code}
[jira] [Commented] (GROOVY-8163) Groovy scripts can disable java security manager and escape sandbox
[ https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16009694#comment-16009694 ]

Dimitry Polivaev commented on GROOVY-8163:
------------------------------------------

The {{doPrivileged}} blocks in the test are needed to ignore checks for the JUnit Runner, which belongs to different protection domains depending on how the test execution is started (by Gradle or by an IDE). After I updated my test project to version 2.4.11 the {{GroovyBeanTest}} still fails with MissingPropertyException.
[jira] [Commented] (GROOVY-8163) Groovy scripts can disable java security manager and escape sandbox
[ https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16009515#comment-16009515 ]

John Wagenleitner commented on GROOVY-8163:
-------------------------------------------

By wrapping the {{Eval}} in the {{doPrivileged}} block, doesn't that effectively grant the script {{AllPermission}}? If you remove the {{doPrivileged}} and use the following policy

{code:title=restrictedPermissionsForScriptOnlyPolicy.txt}
grant codeBase "${dir.test}" {
    permission java.security.AllPermission;
};

grant codeBase "${dir.groovy}" {
    permission java.security.AllPermission;
};

grant {
    permission groovy.security.GroovyCodeSourcePermission "/groovy/shell";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.util.PropertyPermission "*", "read";
};
{code}

it should result in

{code}
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "setSecurityManager")
{code}

Though this still doesn't enforce the access checks, which is what the PR seems to address. But I think that is because Groovy uses {{doPrivileged}} blocks for the access and the policy grants permission to the Groovy codebase. The following change (no explicit or implied "suppressAccessChecks" permission):

{code}
grant codeBase "${dir.groovy}" {
    permission java.lang.RuntimePermission "*";
    permission java.security.SecurityPermission "*";
    permission java.io.FilePermission "<<ALL FILES>>", "read";
    permission java.util.PropertyPermission "*", "read";
    permission groovy.security.GroovyCodeSourcePermission "*";
};
{code}

results in

{code}
java.lang.IllegalAccessException: Class org.codehaus.groovy.reflection.CachedMethod can not access a member of class java.lang.Class with modifiers "private native"
{code}

The second example with {{GroovyBeanTest}} works in 2.4.11 and 2_5_X; I believe the problem was related to a bug that was fixed that affected versions 2.4.8-10.

It will also pass in 2.4.11 if the {{doPrivileged}} is removed and the following grant for the scripts is changed to:

{code}
grant {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission groovy.security.GroovyCodeSourcePermission "/groovy/shell";
    permission java.util.PropertyPermission "*", "read";
};
{code}
doesNotChangeScriptPermissionsUsungPrivateFieldAccess() > throws Exception { > try { > AccessController.doPrivileged(new > PrivilegedAction() { > @Override > public Void run() { > Eval.me("getClass().protectionDomain0.hasAllPerm = true;" > + "System.setSecurityManager(null);" > + "1"); > return null; >
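The point John makes above is the one that decides whether a Groovy sandbox built on the SecurityManager can work at all: {{AccessController.doPrivileged}} stops the stack walk at the caller's own (AllPermission) frame, so a script evaluated inside it inherits the host's permissions no matter what the policy says for the script's code base. The harness below is an added example, not code from the issue or from the Groovy project. It encodes John's script-only policy programmatically instead of in a policy file, then runs a constructed hostile script both ways: without the wrapper (the script's own domain is on the stack and {{setSecurityManager}} is denied) and with it (the anti-pattern from the original test). Assumptions of mine: the class and method names ({{GroovySandboxHarness}}, {{ScriptOnlyPolicy}}, {{runSandboxed}}, {{runWithHostPrivileges}}, {{escaped}}) are invented; script classes produced by {{Eval.me}} are recognised by being loaded through a {{GroovyClassLoader}}; anything that is neither the host, the Groovy jar nor a script falls back to the JDK's default policy so platform code keeps working. The expected outcome on a Groovy with the reflection leak fixed (2.4.11 and later, per John's comment) is "denied" for the first run and a removed security manager for the second; on 2.4.9/2.4.10 the {{CachedField}} leak described in the issue may let even the first run succeed, which is exactly what the assertion in the original test checks for.

```java
import groovy.lang.GroovyClassLoader;
import groovy.security.GroovyCodeSourcePermission;
import groovy.util.Eval;

import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

/**
 * Added sandbox harness (not part of GROOVY-8163 or of Groovy itself).
 * Run with Groovy on the class path, e.g.  java -cp groovy-2.4.11.jar:. GroovySandboxHarness
 * On JDK 18+ add -Djava.security.manager=allow: the SecurityManager is deprecated for removal (JEP 411).
 */
public class GroovySandboxHarness {

    // Trusted code bases: this class and the jar that contains groovy.util.Eval.
    private static final CodeSource HOST = GroovySandboxHarness.class.getProtectionDomain().getCodeSource();
    private static final CodeSource GROOVY = Eval.class.getProtectionDomain().getCodeSource();

    // Programmatic form of the script-only grant from the comment above: what a script may do, nothing else.
    private static final Permissions SCRIPT_PERMS = new Permissions();
    static {
        SCRIPT_PERMS.add(new GroovyCodeSourcePermission("/groovy/shell"));
        SCRIPT_PERMS.add(new RuntimePermission("accessDeclaredMembers"));
        SCRIPT_PERMS.add(new PropertyPermission("*", "read"));
    }

    /** AllPermission for host and Groovy, SCRIPT_PERMS for script classes, the default policy for everything else. */
    static final class ScriptOnlyPolicy extends Policy {
        private final Policy fallback;   // JDK default policy, captured before we replace it

        ScriptOnlyPolicy(Policy fallback) { this.fallback = fallback; }

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            CodeSource cs = domain.getCodeSource();
            if (sameLocation(cs, HOST) || sameLocation(cs, GROOVY)) {
                return true;                                  // trusted: effectively AllPermission
            }
            // Assumption: classes compiled by Eval/GroovyShell are loaded by a GroovyClassLoader (or its InnerLoader).
            if (domain.getClassLoader() instanceof GroovyClassLoader) {
                return SCRIPT_PERMS.implies(permission);      // untrusted script code
            }
            return fallback != null && fallback.implies(domain, permission);
        }

        private static boolean sameLocation(CodeSource a, CodeSource b) {
            return a != null && b != null && a.getLocation() != null && a.getLocation().equals(b.getLocation());
        }
    }

    /** Correct: the script's own protection domain stays on the stack, so its permissions are the ones checked. */
    static Object runSandboxed(String script) {
        return Eval.me(script);
    }

    /** Anti-pattern from the original test: doPrivileged cuts the stack walk at this AllPermission class. */
    static Object runWithHostPrivileges(String script) {
        return AccessController.doPrivileged((PrivilegedAction<Object>) () -> Eval.me(script));
    }

    /** Runs the attempt and reports whether the security manager is gone afterwards. */
    static boolean escaped(Runnable attempt) {
        try {
            attempt.run();
        } catch (SecurityException denied) {   // AccessControlException is a SecurityException
            System.out.println("denied: " + denied.getMessage());
        }
        return System.getSecurityManager() == null;
    }

    public static void main(String[] args) {
        Policy.setPolicy(new ScriptOnlyPolicy(Policy.getPolicy()));
        System.setSecurityManager(new SecurityManager());
        String disarm = "System.setSecurityManager(null); 1";   // constructed hostile script
        try {
            System.out.println("harmless script: " + runSandboxed("(1..4).sum()"));
            System.out.println("escape without doPrivileged: " + escaped(() -> runSandboxed(disarm)));
            if (System.getSecurityManager() == null) {          // only reachable on an affected Groovy version
                System.setSecurityManager(new SecurityManager());
            }
            System.out.println("escape with doPrivileged:    " + escaped(() -> runWithHostPrivileges(disarm)));
        } finally {
            AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
                System.setSecurityManager(null);
                return null;
            });
        }
    }
}
```

The first line of output should be {{harmless script: 10}}; the two {{escape}} lines should read {{false}} and {{true}} respectively on a fixed Groovy. If the first one reads {{true}}, the script reached {{setSecurityManager}} with no permission of its own on the stack, which is the reflection leak this issue is about rather than a policy mistake. Whatever the result, treat this as a regression test for an existing SecurityManager sandbox, not as a design to adopt for a new one: the mechanism is deprecated for removal and JDK 18 and later refuse to install a manager unless explicitly allowed.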
[ https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16009412#comment-16009412 ] Jochen Theodorou commented on GROOVY-8163:
--
+1

> Groovy scripts can disable java security manager and escape sandbox
> ---
>
> Key: GROOVY-8163
> URL: https://issues.apache.org/jira/browse/GROOVY-8163
> Project: Groovy
> Issue Type: Bug
> Affects Versions: 2.5.0-alpha-1, 2.4.9, 2.4.10
> Reporter: Dimitry Polivaev
>
> Consider the following test
> {code}
> package groovytest;
>
> import groovy.util.Eval;
> import org.junit.*;
>
> import java.net.URL;
> import java.security.AccessController;
> import java.security.PrivilegedAction;
>
> public class GroovySecurityTest {
>     public static final String RESTRICTED_PERMISSIONS_FOR_SCRIPT_ONLY_POLICY = "/restrictedPermissionsForScriptOnlyPolicy.txt";
>     public static final String POLICY = RESTRICTED_PERMISSIONS_FOR_SCRIPT_ONLY_POLICY;
>
>     @BeforeClass
>     public static void setPolicy() throws Exception {
>         // code base of the test classes and of the groovy jar, substituted into the policy file
>         final String dirTest = GroovySecurityTest.class.getProtectionDomain().getCodeSource().getLocation().toString();
>         final String dirGroovy = Eval.class.getProtectionDomain().getCodeSource().getLocation().toString();
>         System.setProperty("dir.test", dirTest + "-");
>         System.setProperty("dir.groovy", dirGroovy);
>         final URL policy = GroovySecurityTest.class.getResource(POLICY);
>         System.setProperty("java.security.policy", policy.toString());
>     }
>
>     @Before
>     public void setSecurityManager() throws Exception {
>         System.setSecurityManager(new SecurityManager());
>     }
>
>     @After
>     public void removeSecurityManager() throws Exception {
>         AccessController.doPrivileged(new PrivilegedAction<Void>() {
>             @Override
>             public Void run() {
>                 System.setSecurityManager(null);
>                 return null;
>             }
>         });
>     }
>
>     @Test
>     public void doesNotChangeScriptPermissionsUsingPrivateFieldAccess() throws Exception {
>         try {
>             AccessController.doPrivileged(new PrivilegedAction<Void>() {
>                 @Override
>                 public Void run() {
>                     // script flips the private flag on its own protection domain, then drops the manager
>                     Eval.me("getClass().protectionDomain0.hasAllPerm = true;"
>                             + "System.setSecurityManager(null);"
>                             + "1");
>                     return null;
>                 }
>             });
>         } catch (Exception e) {
>         }
>         Assert.assertNotNull(System.getSecurityManager());
>     }
> }
> {code}
> with the following policy file restrictedPermissionsForScriptOnlyPolicy.txt
> {code}
> grant codeBase "${dir.test}" {
>     permission java.security.AllPermission;
> };
> grant codeBase "${dir.groovy}" {
>     permission java.security.AllPermission;
> };
> grant {
> };
> {code}
> It fails: the security manager is not set any more when the test assertion is checked.
> It happens because CachedField from org.codehaus.groovy.reflection is created within the trusted code base (groovy jar) and gives access to the field to untrusted scripts without any security checks. The same problem relates to CachedMethod, which would allow any script to access the protected method java.lang.ClassLoader#defineClass(java.lang.String, byte[], int, int, java.security.ProtectionDomain) that can be misused to manipulate code sources of classes loaded from a script to give them all permissions.
>
> It also appears that if I remove permissions from groovy.jar using a more restrictive policy, using the following policy file restrictedPermissionsPolicy.txt
> {code}
> grant codeBase "${dir.test}" {
>     permission java.lang.RuntimePermission "*";
>     permission java.security.SecurityPermission "*";
>     permission java.io.FilePermission "<<ALL FILES>>", "read";
>     permission java.util.PropertyPermission "*", "read";
>     permission groovy.security.GroovyCodeSourcePermission "*";
> };
> grant codeBase "${dir.groovy}" {
>     permission java.lang.RuntimePermission "*";
>     permission java.security.SecurityPermission "*";
>     permission java.io.FilePermission "<<ALL FILES>>", "read";
>     permission java.util.PropertyPermission "*", "read";
>     permission groovy.security.GroovyCodeSourcePermission "*";
> };
> grant {
>     permission java.lang.RuntimePermission "accessDeclaredMembers";
> };
> {code}
> it has the consequence that Groovy cannot access even some public methods on bean properties, as shown in the following test
> {code}
> package groovytest;
[ https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16009353#comment-16009353 ] Dimitry Polivaev commented on GROOVY-8163:
--
[~blackdrag] I would appreciate any feedback about the patch I submitted.
[ https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15991521#comment-15991521 ] Dimitry Polivaev commented on GROOVY-8163:
--
Protected class loader methods can be accessed by scripts only if scripts have permission to create class loaders. Obviously they shouldn't get it. I have improved my proposal by better handling of package-private methods: I allow access to such methods for all classes with names not starting with "java." because adding classes to packages is generally allowed and therefore there is no additional security risk. I have not considered the "invokedynamic enabled" case as I do not know which additional risks result from it. How can I, as a Groovy user, control whether invokedynamic is enabled?
[ https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15991518#comment-15991518 ] ASF GitHub Bot commented on GROOVY-8163:
GitHub user dpolivaev opened a pull request:
https://github.com/apache/groovy/pull/532
Prevent CachedField and CachedMethod from leaking access permissions … …to scripts
https://issues.apache.org/jira/browse/GROOVY-8163
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/dpolivaev/groovy master
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/groovy/pull/532.patch
To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:
This closes #532
commit 20741fe4f61940a2e5ab56c67d0710a17ac5583f
Author: Dimitry Polivaev
Date: 2017-05-01T20:58:12Z
Prevent CachedField and CachedMethod from leaking access permissions to scripts
https://issues.apache.org/jira/browse/GROOVY-8163
[ https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15990743#comment-15990743 ] Jochen Theodorou commented on GROOVY-8163:
--
I think the idea of the patch is good and we should think about integrating it. Since it won't do anything without a security manager being set, it should not cause trouble, for example for testing code. But I also think the patch will not solve all the attack vectors. For example, if a subclass of ClassLoader overrides defineClass, your patch will not catch that. Your code will also catch a lot less if invokedynamic is enabled. But anyway, I still think this would be a good start. By the way, Dimitry, it would be even better if you provided this as a pull request on GitHub.
[ https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15990693#comment-15990693 ] Dimitry Polivaev commented on GROOVY-8163:
--
[~glaforge] Hello Guillaume, because I have got no response, I want to describe why I consider this issue to be urgent. I develop the mind map editor Freeplane ( https://en.wikipedia.org/wiki/Freeplane ), which allows the use of scripts embedded in mind maps. The scripts are used as formulas. They are evaluated automatically when the map is opened. Because the formulas need to use bound variables, which require the use of CachedField and CachedMethod, the reported issue means that malicious maps could disable the Java security manager and do whatever they wanted. As I showed in the report, if I disallow the use of ReflectPermission("suppressAccessChecks") by Groovy itself, Groovy cannot properly find some public class methods. And if I allow Groovy to use this permission, there is no way to put the scripts in a sandbox safely. Although I do not think that patching other people's software is generally a good solution, I had to patch Groovy to solve this issue. Groovy is a general-purpose scripting language, so I think any software allowing users to embed Groovy scripts must have the same problem. Could you or somebody else from the Groovy developers respond to this issue? If you have any questions or tips, or can suggest another approach to solve this issue, please let me know.

Kind regards,
Dimitry Polivaev
Freeplane project lead
[ https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15980358#comment-15980358 ] Guillaume Laforge commented on GROOVY-8163:
---
Thanks
[ https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15980354#comment-15980354 ]

Dimitry Polivaev commented on GROOVY-8163:
------------------------------------------

I have added full description now.

> Groovy scripts can disable java security manager and escape sandbox
> -------------------------------------------------------------------
>
>                 Key: GROOVY-8163
>                 URL: https://issues.apache.org/jira/browse/GROOVY-8163
>             Project: Groovy
>          Issue Type: Bug
>    Affects Versions: 2.5.0-alpha-1, 2.4.9, 2.4.10
>            Reporter: Dimitry Polivaev
>
> Consider the following test
> {code}
> package groovytest;
> import groovy.util.Eval;
> import org.junit.*;
> import java.net.URL;
> import java.security.AccessController;
> import java.security.PrivilegedAction;
>
> public class GroovySecurityTest {
>     public static final String RESTRICTED_PERMISSIONS_FOR_SCRIPT_ONLY_POLICY = "/restrictedPermissionsForScriptOnlyPolicy.txt";
>     public static final String POLICY = RESTRICTED_PERMISSIONS_FOR_SCRIPT_ONLY_POLICY;
>
>     @BeforeClass
>     public static void setPolicy() throws Exception {
>         final String dirTest = GroovySecurityTest.class.getProtectionDomain().getCodeSource().getLocation().toString();
>         final String dirGroovy = Eval.class.getProtectionDomain().getCodeSource().getLocation().toString();
>         System.setProperty("dir.test", dirTest + "-");
>         System.setProperty("dir.groovy", dirGroovy);
>         final URL policy = GroovySecurityTest.class.getResource(POLICY);
>         System.setProperty("java.security.policy", policy.toString());
>     }
>
>     @Before
>     public void setSecurityManager() throws Exception {
>         System.setSecurityManager(new SecurityManager());
>     }
>
>     @After
>     public void removeSecurityManager() throws Exception {
>         AccessController.doPrivileged(new PrivilegedAction() {
>             @Override
>             public Void run() {
>                 System.setSecurityManager(null);
>                 return null;
>             }
>         });
>     }
>
>     @Test
>     public void doesNotChangeScriptPermissionsUsungPrivateFieldAccess() throws Exception {
>         try {
>             AccessController.doPrivileged(new PrivilegedAction() {
>                 @Override
>                 public Void run() {
>                     Eval.me("getClass().protectionDomain0.hasAllPerm = true;"
>                             + "System.setSecurityManager(null);"
>                             + "1");
>                     return null;
>                 }
>             });
>         } catch (Exception e) {
>         }
>         Assert.assertNotNull(System.getSecurityManager());
>     }
> }
> {code}
> with the following policy file restrictedPermissionsForScriptOnlyPolicy.txt
> {code}
> grant codeBase "${dir.test}" {
>     permission java.security.AllPermission;
> };
> grant codeBase "${dir.groovy}" {
>     permission java.security.AllPermission;
> };
> grant {
> };
> {code}
> It fails: the security manager is not set any more when the test assertion is checked.
>
> It happens because CachedField from org.codehaus.groovy.reflection is created within a trusted code base (groovy jar) and gives access to the field to untrusted scripts without any security checks. The same problem relates to CachedMethod, which would allow any script to access the protected method java.lang.ClassLoader#defineClass(java.lang.String, byte[], int, int, java.security.ProtectionDomain) that can be misused to manipulate code sources of classes loaded from the script to give them all permissions.
>
> It also appears that if I remove permissions from groovy.jar using a more restrictive policy, using the following policy file restrictedPermissionsPolicy.txt
> {code}
> grant codeBase "${dir.test}" {
>     permission java.lang.RuntimePermission "*";
>     permission java.security.SecurityPermission "*";
>     permission java.io.FilePermission "<>", "read";
>     permission java.util.PropertyPermission "*", "read";
>     permission groovy.security.GroovyCodeSourcePermission "*";
> };
> grant codeBase "${dir.groovy}" {
>     permission java.lang.RuntimePermission "*";
>     permission java.security.SecurityPermission "*";
>     permission java.io.FilePermission "<>", "read";
>     permission java.util.PropertyPermission "*", "read";
>     permission groovy.security.GroovyCodeSourcePermission "*";
> };
> grant {
>     permission java.lang.RuntimePermission "accessDeclaredMembers";
> };
> {code}
> it has the consequence that groovy can not access even some public methods on bean properties as shown in the following tes
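The CachedField pattern the report describes, as an added Java example that is not Groovy's code: a reflective accessor opened once with setAccessible(true) inside trusted code, shown with the unchecked accessor beside a variant that re-checks the calling code's own permissions before using the cached Field. The class and method names are hypothetical, and the example assumes a JDK 8-era SecurityManager is installed (the API is deprecated in later JDKs).

```java
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical accessor mirroring the CachedField pattern from the report:
// the Field is opened with setAccessible(true) once, inside a doPrivileged
// block run by trusted code, and the opened Field is then cached for callers.
final class CheckedFieldAccessor {
    private final Field field;

    CheckedFieldAccessor(Class<?> owner, String name) throws NoSuchFieldException {
        Field f = owner.getDeclaredField(name);
        // Runs with the permissions of the class that created the accessor,
        // not those of the code that later calls get*(): this is what makes
        // the cached Field usable from a protection domain with no permissions.
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            f.setAccessible(true);
            return null;
        });
        this.field = f;
    }

    // Weak form: the stored Field already has access checks suppressed, so
    // Field.get() performs none, whatever protection domain the caller is in.
    Object getUnchecked(Object target) throws IllegalAccessException {
        return field.get(target);
    }

    // Hardened form: before using the pre-opened Field on a caller's behalf,
    // demand from the caller's own AccessControlContext the permission that
    // setAccessible(true) itself requires. A script whose protection domain
    // lacks ReflectPermission("suppressAccessChecks") gets a SecurityException
    // here: frames above a doPrivileged call on the stack are still checked,
    // so a trusted caller wrapping the script in doPrivileged does not help it.
    Object getChecked(Object target) throws IllegalAccessException {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new ReflectPermission("suppressAccessChecks"));
        }
        return field.get(target);
    }
}
```

Note that the check is only as strong as the policy: the restrictive policy quoted above grants untrusted code nothing beyond accessDeclaredMembers, which is exactly what makes getChecked() refuse a script while still allowing the trusted code bases.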
[jira] [Commented] (GROOVY-8163) Groovy scripts can disable java security manager and escape sandbox
[ https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15980352#comment-15980352 ]

Guillaume Laforge commented on GROOVY-8163:
-------------------------------------------

Can you give a bit more details? Steps to reproduce?

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)