[jira] [Commented] (GROOVY-8163) Groovy scripts can disable java security manager and escape sandbox

2017-06-04 Thread ASF GitHub Bot (JIRA)

[ https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16036421#comment-16036421 ]

ASF GitHub Bot commented on GROOVY-8163:


Github user asfgit closed the pull request at:

https://github.com/apache/groovy/pull/532


> Groovy scripts can disable java security manager and escape sandbox
> ---
>
> Key: GROOVY-8163
> URL: https://issues.apache.org/jira/browse/GROOVY-8163
> Project: Groovy
> Issue Type: Bug
> Affects Versions: 2.5.0-alpha-1, 2.4.9, 2.4.10
> Reporter: Dimitry Polivaev
>
> Consider the following test
> {code}
> package groovytest;
>
> import groovy.util.Eval;
> import org.junit.*;
> import java.net.URL;
> import java.security.AccessController;
> import java.security.PrivilegedAction;
>
> public class GroovySecurityTest {
>     public static final String RESTRICTED_PERMISSIONS_FOR_SCRIPT_ONLY_POLICY = "/restrictedPermissionsForScriptOnlyPolicy.txt";
>     public static final String POLICY = RESTRICTED_PERMISSIONS_FOR_SCRIPT_ONLY_POLICY;
>
>     @BeforeClass
>     public static void setPolicy() throws Exception {
>         // code sources of the test classes and of the groovy jar; the policy file
>         // refers to them through the dir.test and dir.groovy system properties
>         final String dirTest = GroovySecurityTest.class.getProtectionDomain().getCodeSource().getLocation().toString();
>         final String dirGroovy = Eval.class.getProtectionDomain().getCodeSource().getLocation().toString();
>         System.setProperty("dir.test", dirTest + "-");
>         System.setProperty("dir.groovy", dirGroovy);
>         final URL policy = GroovySecurityTest.class.getResource(POLICY);
>         System.setProperty("java.security.policy", policy.toString());
>     }
>
>     @Before
>     public void setSecurityManager() throws Exception {
>         System.setSecurityManager(new SecurityManager());
>     }
>
>     @After
>     public void removeSecurityManager() throws Exception {
>         AccessController.doPrivileged(new PrivilegedAction<Void>() {
>             @Override
>             public Void run() {
>                 System.setSecurityManager(null);
>                 return null;
>             }
>         });
>     }
>
>     @Test
>     public void doesNotChangeScriptPermissionsUsungPrivateFieldAccess() throws Exception {
>         try {
>             AccessController.doPrivileged(new PrivilegedAction<Void>() {
>                 @Override
>                 public Void run() {
>                     // the script writes a private field of java.lang.Class through Groovy's
>                     // reflection cache, then removes the security manager; "1" is only the
>                     // script's return value
>                     Eval.me("getClass().protectionDomain0.hasAllPerm = true;"
>                             + "System.setSecurityManager(null);"
>                             + "1");
>                     return null;
>                 }
>             });
>         } catch (Exception e) {
>         }
>         Assert.assertNotNull(System.getSecurityManager());
>     }
> }
> {code}
> with the following policy file restrictedPermissionsForScriptOnlyPolicy.txt
> {code}
> grant codeBase "${dir.test}" {
>     permission java.security.AllPermission;
> };
> grant codeBase "${dir.groovy}" {
>     permission java.security.AllPermission;
> };
> grant {
> };
> {code}
> It fails: the security manager is not set any more when the test assertion is checked.
> It happens because CachedField from org.codehaus.groovy.reflection is created within the trusted code base (groovy jar) and gives access to the field to untrusted scripts without any security checks. The same problem relates to CachedMethod, which would allow any script to access the protected method java.lang.ClassLoader#defineClass(java.lang.String, byte[], int, int, java.security.ProtectionDomain) that can be misused to manipulate code sources of classes loaded from script to give them all permissions.
> It also appears that if I remove permissions from groovy.jar using a more restrictive policy, using the following policy file restrictedPermissionsPolicy.txt
> {code}
> grant codeBase "${dir.test}" {
>     permission java.lang.RuntimePermission "*";
>     permission java.security.SecurityPermission "*";
>     permission java.io.FilePermission "<<ALL FILES>>", "read";
>     permission java.util.PropertyPermission "*", "read";
>     permission groovy.security.GroovyCodeSourcePermission "*";
> };
> grant codeBase "${dir.groovy}" {
>     permission java.lang.RuntimePermission "*";
>     permission java.security.SecurityPermission "*";
>     permission java.io.FilePermission "<<ALL FILES>>", "read";
>     permission java.util.PropertyPermission "*", "read";
>     permission groovy.security.GroovyCodeSourcePermission "*";
> };
> grant {
>     permission java.lang.RuntimePermission "accessDeclaredMembers";
> };
> {code}
> it has a consequence that groovy can not access even some public methods on bean

[jira] [Commented] (GROOVY-8163) Groovy scripts can disable java security manager and escape sandbox

2017-05-27 Thread Dimitry Polivaev (JIRA)

[ https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16027609#comment-16027609 ]

Dimitry Polivaev commented on GROOVY-8163:
--

Could you please check the changes I implemented after the review?


[jira] [Commented] (GROOVY-8163) Groovy scripts can disable java security manager and escape sandbox

2017-05-17 Thread Dimitry Polivaev (JIRA)

[ https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16014646#comment-16014646 ]

Dimitry Polivaev commented on GROOVY-8163:
--

The catch is needed to make the above test https://issues.apache.org/jira/browse/GROOVY-8163?focusedCommentId=16009695=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16009695 pass.


[jira] [Commented] (GROOVY-8163) Groovy scripts can disable java security manager and escape sandbox

2017-05-17 Thread ASF GitHub Bot (JIRA)

[ https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16014645#comment-16014645 ]

ASF GitHub Bot commented on GROOVY-8163:


Github user dpolivaev commented on a diff in the pull request:

https://github.com/apache/groovy/pull/532#discussion_r117087531
  
--- Diff: src/main/groovy/lang/MetaClassImpl.java ---
@@ -1832,6 +1832,9 @@ public Object getProperty(Class sender, Object 
object, String name, boolean useS
 } catch (IllegalArgumentException e) {
 // can't access the field directly but there may be a 
getter
 mp = null;
+} catch (GroovyRuntimeException e) {
+// can't access the field directly but there may be a 
getter
+mp = null;
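Review bot: the added `catch (GroovyRuntimeException e)` is much wider than the `catch (IllegalArgumentException e)` it sits next to: it turns every GroovyRuntimeException raised while reading the field into "fall back to the getter" (`mp = null;`), not only the access-denied case this change is about, so unrelated failures would be masked at this point. Narrow it to the exception that actually wraps the denied field access, or, if the wide catch is deliberate, say so in the comment instead of repeating the IllegalArgumentException comment verbatim, and fold both branches into one `catch (IllegalArgumentException | GroovyRuntimeException e)` where the branch's source level allows it, so `mp = null;` appears once.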
--- End diff --

I do not have a unit test to explain this catch block. I do have the integration test https://issues.apache.org/jira/browse/GROOVY-8163?focusedCommentId=16009695=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16009695. The problem is that for some classes C with a private member called "name", the class property C.class.name, which corresponds to the Java call C.class.getName(), does not work unless this catch block is added.



[jira] [Commented] (GROOVY-8163) Groovy scripts can disable java security manager and escape sandbox

2017-05-17 Thread John Wagenleitner (JIRA)

[ https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16014586#comment-16014586 ]

John Wagenleitner commented on GROOVY-8163:
---

My hunch is that a {{GroovyRuntimeException}} should probably not be caught at that point. I would have assumed an {{AccessControlException}} from {{CachedField.getProperty}} would be treated similarly to the {{IllegalAccessException}} in the same method (wrapped in GRE and not caught at that point).


[jira] [Commented] (GROOVY-8163) Groovy scripts can disable java security manager and escape sandbox

2017-05-14 Thread Dimitry Polivaev (JIRA)

[ https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16009695#comment-16009695 ]

Dimitry Polivaev commented on GROOVY-8163:
--

The need for patching {{MetaClassImpl}} if {{GroovyRuntimeException}} is thrown instead of {{IllegalArgumentException}}, as suggested in the review, is demonstrated by the following test added to {{GroovySecurityTest}}:

{code}
// needs: import java.util.logging.Logger;
@Test
public void returnsLoggerClassName() throws Exception {
    AccessController.doPrivileged(new PrivilegedAction<Void>() {
        @Override
        public Void run() {
            // x.class is a java.lang.Class, which has a private field "name"
            // next to the public getName(); the property lookup must fall
            // through to the getter when the field access is denied
            Assert.assertEquals("java.util.logging.Logger", Eval.x(Logger.getGlobal(), "x.class.name"));
            return null;
        }
    });
}
{code}


[jira] [Commented] (GROOVY-8163) Groovy scripts can disable java security manager and escape sandbox

2017-05-13 Thread John Wagenleitner (JIRA)

[ https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16009515#comment-16009515 ]

John Wagenleitner commented on GROOVY-8163:
---

By wrapping the {{Eval}} in the {{doPrivileged}} block, doesn't that effectively grant the script {{AllPermission}}? If you remove the {{doPrivileged}} and use the following policy

{code:title=restrictedPermissionsForScriptOnlyPolicy.txt}
grant codeBase "${dir.test}" {
    permission java.security.AllPermission;
};

grant codeBase "${dir.groovy}" {
    permission java.security.AllPermission;
};

grant {
    permission groovy.security.GroovyCodeSourcePermission "/groovy/shell";
    permission java.lang.RuntimePermission "accessDeclaredMembers";

    permission java.util.PropertyPermission "*", "read";
};
{code}

it should result in 

{code}
java.security.AccessControlException: access denied 
("java.lang.RuntimePermission" "setSecurityManager")
{code}

Though this still doesn't enforce the access checks, which is what the PR seems to address. But I think that is because Groovy uses {{doPrivileged}} blocks for the access and the policy grants permission to the Groovy codebase. The following change (no explicit or implied "suppressAccessChecks" permission):

{code}
grant codeBase "${dir.groovy}" {
    permission java.lang.RuntimePermission "*";
    permission java.security.SecurityPermission "*";
    permission java.io.FilePermission "<<ALL FILES>>", "read";
    permission java.util.PropertyPermission "*", "read";
    permission groovy.security.GroovyCodeSourcePermission "*";
};
{code}

results in 

{code}
java.lang.IllegalAccessException: Class 
org.codehaus.groovy.reflection.CachedMethod can not access a member of class 
java.lang.Class with modifiers "private native"
{code}

The second example with {{GroovyBeanTest}} works in 2.4.11 and 2_5_X; I believe the problem was related to a bug that affected versions 2.4.8-10 and has been fixed. It will also pass in 2.4.11 if the {{doPrivileged}} is removed and the following grant for the scripts is changed to:

{code}
grant {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission groovy.security.GroovyCodeSourcePermission "/groovy/shell";

    permission java.util.PropertyPermission "*", "read";
};
{code}
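As an added illustration of the {{doPrivileged}} point made above and of the issue's own test (this is an editor's example, not code from the issue, the reporter or the Groovy project): a stand-alone Java harness that runs the same "drop the security manager" action once under a restricted AccessControlContext and once inside a plain doPrivileged block, with no Groovy involved, so only the JVM's stack inspection is in play. It replaces the policy file with a programmatic Policy that grants the harness everything (the equivalent of the "${dir.test}" grant) and builds the script's ProtectionDomain inline; the class and method names are the example's own, and it needs a JDK where SecurityManager is still available (8 to 17, or 18 to 23 started with -Djava.security.manager=allow).

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

/**
 * Added example (not from GROOVY-8163 or the Groovy code base): why wrapping
 * untrusted work in a plain doPrivileged() block lends it the trusted caller's
 * permissions, and how a restricted AccessControlContext confines it instead.
 */
public class PrivilegedSandboxDemo {

    /** The untrusted action under test: try to remove the security manager. */
    static final PrivilegedAction<Boolean> DROP_SECURITY_MANAGER = new PrivilegedAction<Boolean>() {
        @Override
        public Boolean run() {
            try {
                System.setSecurityManager(null);
                return Boolean.TRUE;   // succeeded: the sandbox is gone
            } catch (SecurityException denied) {
                return Boolean.FALSE;  // blocked by the access check
            }
        }
    };

    /**
     * A static ProtectionDomain holding one read-only property permission.
     * Static domains (the two-argument constructor) never consult the installed
     * Policy, so this is the ceiling for anything run under the returned context.
     */
    static AccessControlContext restrictedContext() {
        Permissions perms = new Permissions();
        perms.add(new PropertyPermission("java.version", "read"));
        ProtectionDomain scriptDomain = new ProtectionDomain(null, perms);
        return new AccessControlContext(new ProtectionDomain[] { scriptDomain });
    }

    /**
     * Mirrors the issue's test: the privileged frame ends the stack walk at
     * this trusted class, so the action runs with this class's permissions.
     */
    static boolean runInPlainPrivilegedBlock() {
        return AccessController.doPrivileged(DROP_SECURITY_MANAGER);
    }

    /**
     * The supplied context is intersected with the caller's permissions, so the
     * action can do no more than the restricted domain allows.
     */
    static boolean runUnderRestrictedContext() {
        return AccessController.doPrivileged(DROP_SECURITY_MANAGER, restrictedContext());
    }

    public static void main(String[] args) {
        // Stand-in for the policy file: every dynamic domain, i.e. this harness's
        // own classes, gets AllPermission. Installed before the manager so that
        // no permission check is needed for Policy.setPolicy itself.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return true;
            }
        });
        System.setSecurityManager(new SecurityManager());

        // Restricted first: the manager must survive this call.
        boolean droppedUnderRestriction = runUnderRestrictedContext();
        System.out.println("restricted context: manager dropped? " + droppedUnderRestriction
                + ", manager still installed: " + (System.getSecurityManager() != null));

        // Plain doPrivileged: the same action now succeeds.
        boolean droppedInPlainBlock = runInPlainPrivilegedBlock();
        System.out.println("plain doPrivileged: manager dropped? " + droppedInPlainBlock
                + ", manager still installed: " + (System.getSecurityManager() != null));
    }
}
```

The first call returns false and leaves the manager in place; the second returns true, which is the situation the issue's test assertion catches.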


[jira] [Commented] (GROOVY-8163) Groovy scripts can disable java security manager and escape sandbox

2017-05-13 Thread Jochen Theodorou (JIRA)

[ https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16009412#comment-16009412 ]

Jochen Theodorou commented on GROOVY-8163:
--

+1

> Groovy scripts can disable java security manager and escape sandbox
> ---
>
> Key: GROOVY-8163
> URL: https://issues.apache.org/jira/browse/GROOVY-8163
> Project: Groovy
>  Issue Type: Bug
>Affects Versions: 2.5.0-alpha-1, 2.4.9, 2.4.10
>Reporter: Dimitry Polivaev
>
> Consider the following test
> {code}
> package groovytest;
> 
> import groovy.util.Eval;
> import org.junit.*;
> 
> import java.net.URL;
> import java.security.AccessController;
> import java.security.PrivilegedAction;
> 
> public class GroovySecurityTest {
>   public static final String RESTRICTED_PERMISSIONS_FOR_SCRIPT_ONLY_POLICY =
>       "/restrictedPermissionsForScriptOnlyPolicy.txt";
>   public static final String POLICY = RESTRICTED_PERMISSIONS_FOR_SCRIPT_ONLY_POLICY;
> 
>   @BeforeClass
>   public static void setPolicy() throws Exception {
>       // Code-source locations of the test classes and of the Groovy jar; the policy
>       // file refers to them as ${dir.test} and ${dir.groovy}.
>       final String dirTest =
>           GroovySecurityTest.class.getProtectionDomain().getCodeSource().getLocation().toString();
>       final String dirGroovy =
>           Eval.class.getProtectionDomain().getCodeSource().getLocation().toString();
>       // The trailing "-" makes the codeBase entry match everything below the test directory.
>       System.setProperty("dir.test", dirTest + "-");
>       System.setProperty("dir.groovy", dirGroovy);
>       final URL policy = GroovySecurityTest.class.getResource(POLICY);
>       System.setProperty("java.security.policy", policy.toString());
>   }
> 
>   @Before
>   public void setSecurityManager() throws Exception {
>       System.setSecurityManager(new SecurityManager());
>   }
> 
>   @After
>   public void removeSecurityManager() throws Exception {
>       AccessController.doPrivileged(new PrivilegedAction<Void>() {
>           @Override
>           public Void run() {
>               System.setSecurityManager(null);
>               return null;
>           }
>       });
>   }
> 
>   @Test
>   public void doesNotChangeScriptPermissionsUsingPrivateFieldAccess() throws Exception {
>       try {
>           AccessController.doPrivileged(new PrivilegedAction<Void>() {
>               @Override
>               public Void run() {
>                   // The script belongs to the code base that the policy grants nothing.
>                   // It reaches its own ProtectionDomain through the non-public
>                   // protectionDomain0 accessor of java.lang.Class, sets the private
>                   // hasAllPerm flag and then drops the security manager.
>                   Eval.me("getClass().protectionDomain0.hasAllPerm = true;"
>                       + "System.setSecurityManager(null);"
>                       + "1");
>                   return null;
>               }
>           });
>       } catch (Exception e) {
>           // Any exception is ignored; the assertion below decides the outcome.
>       }
>       Assert.assertNotNull(System.getSecurityManager());
>   }
> }
> {code}
> with the following policy file restrictedPermissionsForScriptOnlyPolicy.txt
> {code}
> // Test classes and the Groovy jar are fully trusted; every other code base,
> // including the evaluated script, gets no permissions at all.
> grant codeBase "${dir.test}" {
>   permission java.security.AllPermission;
> };
> grant codeBase "${dir.groovy}" {
>   permission java.security.AllPermission;
> };
> grant {
> };
> {code}
> It fails: the security manager is no longer set when the test assertion is
> checked.
> It happens because CachedField from org.codehaus.groovy.reflection is created
> within the trusted code base (groovy jar) and gives access to the field to
> untrusted scripts without any security checks. The same problem relates to
> CachedMethod, which would allow any script to access the protected method
> java.lang.ClassLoader#defineClass(java.lang.String, byte[], int, int,
> java.security.ProtectionDomain) that can be misused to manipulate code
> sources of classes loaded from script to give them all permissions.
> It also appears that if I remove permissions from groovy.jar using a more
> restrictive policy, using the following policy file restrictedPermissionsPolicy.txt
> {code}
> // Neither code base is granted java.lang.reflect.ReflectPermission "suppressAccessChecks".
> grant codeBase "${dir.test}" {
>     permission java.lang.RuntimePermission "*";
>     permission java.security.SecurityPermission "*";
>     permission java.io.FilePermission "<<ALL FILES>>", "read";
>     permission java.util.PropertyPermission "*", "read";
>     permission groovy.security.GroovyCodeSourcePermission "*";
> };
> grant codeBase "${dir.groovy}" {
>     permission java.lang.RuntimePermission "*";
>     permission java.security.SecurityPermission "*";
>     permission java.io.FilePermission "<<ALL FILES>>", "read";
>     permission java.util.PropertyPermission "*", "read";
>     permission groovy.security.GroovyCodeSourcePermission "*";
> };
> grant {
>     permission java.lang.RuntimePermission "accessDeclaredMembers";
> };
> {code}
> it has the consequence that Groovy cannot access even some public methods on
> bean properties, as shown in the following test
> {code}
> package groovytest;
> import 

[jira] [Commented] (GROOVY-8163) Groovy scripts can disable java security manager and escape sandbox

2017-05-13 Thread Dimitry Polivaev (JIRA)

[ 
https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16009353#comment-16009353
 ] 

Dimitry Polivaev commented on GROOVY-8163:
--

[~blackdrag] I would appreciate any feedback about the patch I submitted.


[jira] [Commented] (GROOVY-8163) Groovy scripts can disable java security manager and escape sandbox

2017-05-01 Thread Dimitry Polivaev (JIRA)

[ 
https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15991521#comment-15991521
 ] 

Dimitry Polivaev commented on GROOVY-8163:
--

Protected class loader methods can be accessed by scripts only if scripts have 
permission to create class loaders. Obviously they shouldn't get it.

I have improved my proposal by better handling of package-private methods: I 
allow access to such methods for all classes with names not starting with 
"java." because adding classes to packages is generally allowed and therefore 
there is no additional security risk.

I have not considered the "invokedynamic enabled" case as I do not know which 
additional risks result from it. 
How can I, as a Groovy user, control whether invokedynamic is enabled?


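An added example, written for this page and neither Groovy's code nor the logic of pull request #532, that puts the checks discussed in the issue description and in Dimitry's proposal above into one Java class. The point it demonstrates is the one the report makes: a Field or Method that trusted code has already made accessible may be handed to a caller only after the permission that the member's visibility requires has been checked against the caller's own AccessControlContext, not against the library's privileged one. The rules are my reading of the thread, not the patch: public members of public classes need nothing; private or protected members need ReflectPermission("suppressAccessChecks"); package-private members are free outside java.* and need suppressAccessChecks inside it; non-public members of ClassLoader (the protected defineClass the report names) additionally need RuntimePermission("createClassLoader"). The class name ReflectiveAccessGuard, the nested Secret class and the two constructed contexts in main are assumptions for the demonstration. Because AccessControlContext.checkPermission evaluates the context's ProtectionDomains directly, main runs without a SecurityManager or a policy file.

```java
import java.lang.reflect.Member;
import java.lang.reflect.Modifier;
import java.lang.reflect.ReflectPermission;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.AllPermission;
import java.security.Permissions;
import java.security.ProtectionDomain;

/** Hypothetical guard for cached reflective members (added example, not Groovy's code). */
public final class ReflectiveAccessGuard {

    private static final ReflectPermission SUPPRESS_ACCESS_CHECKS =
            new ReflectPermission("suppressAccessChecks");
    private static final RuntimePermission CREATE_CLASS_LOADER =
            new RuntimePermission("createClassLoader");

    private ReflectiveAccessGuard() {}

    /**
     * Check against the code on the current stack. Call it from the script's call
     * chain, outside any doPrivileged block, so the script's ProtectionDomain is
     * part of the context; a context captured inside trusted code would not be.
     */
    public static void checkAccess(Member member) {
        if (System.getSecurityManager() == null) {
            return; // no sandbox installed: nothing to enforce
        }
        checkAccess(member, AccessController.getContext());
    }

    /** Check against an explicit context; throws AccessControlException when denied. */
    public static void checkAccess(Member member, AccessControlContext caller) {
        int mods = member.getModifiers();
        Class<?> owner = member.getDeclaringClass();
        int ownerMods = owner.getModifiers();

        // Non-public ClassLoader members (e.g. protected defineClass) let the caller
        // load classes under a ProtectionDomain of its choosing: same permission as
        // creating a class loader.
        if (ClassLoader.class.isAssignableFrom(owner) && !Modifier.isPublic(mods)) {
            caller.checkPermission(CREATE_CLASS_LOADER);
        }
        // Public member of a public class: ordinary Java access, nothing to check.
        if (Modifier.isPublic(mods) && Modifier.isPublic(ownerMods)) {
            return;
        }
        // private/protected (member or class) is reachable only via setAccessible(true),
        // so the caller itself must hold suppressAccessChecks. Package-level visibility
        // is free outside java.*: a script may define its own classes in any other package.
        boolean hidden = Modifier.isPrivate(mods) || Modifier.isProtected(mods)
                || Modifier.isPrivate(ownerMods) || Modifier.isProtected(ownerMods);
        if (hidden || owner.getName().startsWith("java.")) {
            caller.checkPermission(SUPPRESS_ACCESS_CHECKS);
        }
    }

    /** Constructed target with a private field, standing in for a bean the script touches. */
    static final class Secret {
        private int value = 42;
    }

    /** Two-argument ProtectionDomain: static permissions, the Policy is not consulted. */
    private static AccessControlContext contextWith(Permissions perms) {
        return new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, perms) });
    }

    private static String describe(Member m, AccessControlContext ctx) {
        try {
            checkAccess(m, ctx);
            return "allowed";
        } catch (AccessControlException e) {
            return "denied, needs " + e.getPermission();
        }
    }

    public static void main(String[] args) throws Exception {
        // "script": no permissions, like the empty grant {} block in the report's policy.
        AccessControlContext script = contextWith(new Permissions());
        // "trusted": AllPermission, like ${dir.groovy} in the report's policy.
        Permissions all = new Permissions();
        all.add(new AllPermission());
        AccessControlContext trusted = contextWith(all);

        Member length = String.class.getMethod("length");
        Member secret = Secret.class.getDeclaredField("value");
        Member defineClass = ClassLoader.class.getDeclaredMethod("defineClass",
                String.class, byte[].class, int.class, int.class, ProtectionDomain.class);
        for (Member m : new Member[] { length, secret, defineClass }) {
            System.out.printf("%-12s script: %-55s trusted: %s%n",
                    m.getName(), describe(m, script), describe(m, trusted));
        }
    }
}
```

Compile and run it with JDK 8 through 17; from JDK 17 on javac warns that the SecurityManager APIs are deprecated for removal (JEP 411), which is the state of the mechanism this thread relies on. String.length is allowed for both contexts, while Secret.value and ClassLoader.defineClass are denied for the script context and allowed for the trusted one. The two gaps Jochen names below remain: a ClassLoader subclass that re-declares defineClass as public passes the public-member rule, and nothing here covers invokedynamic call sites.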

[jira] [Commented] (GROOVY-8163) Groovy scripts can disable java security manager and escape sandbox

2017-05-01 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15991518#comment-15991518
 ] 

ASF GitHub Bot commented on GROOVY-8163:


GitHub user dpolivaev opened a pull request:

https://github.com/apache/groovy/pull/532

Prevent CachedField and CachedMethod from leaking access permissions …

…to scripts

https://issues.apache.org/jira/browse/GROOVY-8163

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/dpolivaev/groovy master

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/groovy/pull/532.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #532


commit 20741fe4f61940a2e5ab56c67d0710a17ac5583f
Author: Dimitry Polivaev 
Date:   2017-05-01T20:58:12Z

Prevent CachedField and CachedMethod from leaking access permissions to 
scripts

https://issues.apache.org/jira/browse/GROOVY-8163





[jira] [Commented] (GROOVY-8163) Groovy scripts can disable java security manager and escape sandbox

2017-05-01 Thread Jochen Theodorou (JIRA)

[ 
https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15990743#comment-15990743
 ] 

Jochen Theodorou commented on GROOVY-8163:
--

I think the idea of the patch is good and we should think about integrating it. 
Since it won't do anything without a security manager being set, it should not 
cause trouble, for example for testing code. But I also think the patch 
will not solve all the attack vectors. For example, if a subclass of ClassLoader 
overwrites defineClass, your patch will not catch that. Your code will also 
catch a lot less if invokedynamic is enabled.

But anyway, I still think this would be a good start.

btw Dimitry, it would be even better if you provided this as a pull request on 
GitHub


[jira] [Commented] (GROOVY-8163) Groovy scripts can disable java security manager and escape sandbox

2017-05-01 Thread Dimitry Polivaev (JIRA)

[ 
https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15990693#comment-15990693
 ] 

Dimitry Polivaev commented on GROOVY-8163:
--

[~glaforge] Hello Guillaume,

because I have got no response, I want to describe why I consider this issue to 
be urgent. 

I develop the mind map editor Freeplane ( https://en.wikipedia.org/wiki/Freeplane ), 
which allows the use of scripts embedded into mind maps.
The scripts are used as formulas. They are evaluated automatically when the map 
is opened.
 
Because the formulas need to use bound variables, which require the use of 
CachedField and CachedMethod, the reported issue means that malicious maps 
could disable the Java security manager and do whatever they wanted. As I showed in 
the report, if I disallow the use of ReflectPermission("suppressAccessChecks") by 
Groovy itself, Groovy cannot properly find some public class methods. And if I 
allow Groovy to use this permission, there is no way to put the scripts in a 
sandbox safely.

Although I do not think that patching other people's software is generally a good 
solution, I had to patch Groovy to solve this issue. 
Groovy is a general-purpose scripting language, so I think that any software 
allowing users to embed Groovy scripts must have the same problem.

Could you or somebody else from the Groovy developers respond to this issue?
If you have any questions or tips, or can suggest another approach to solve 
this issue, please let me know.

Kind regards,
Dimitry Polivaev
Freeplane project lead


[jira] [Commented] (GROOVY-8163) Groovy scripts can disable java security manager and escape sandbox

2017-04-23 Thread Guillaume Laforge (JIRA)

[ 
https://issues.apache.org/jira/browse/GROOVY-8163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15980352#comment-15980352
 ] 

Guillaume Laforge commented on GROOVY-8163:
---

Can you give a bit more details? Steps to reproduce?





--
This message was sent by Atlassian JIRA
(v6.3.15#6346)