Radoslav Ivanov created GROOVY-8135:
---------------------------------------
Summary: SecureASTCustomizer whitelist does not work
Key: GROOVY-8135
URL: https://issues.apache.org/jira/browse/GROOVY-8135
Project: Groovy
Issue Type: Bug
Affects Versions: 2.4.8
Reporter: Radoslav Ivanov
The example [1] throws a SecurityException[2]
Details
1. Source code
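import groovy.lang.GroovyClassLoader;
import java.util.ArrayList;
import java.util.List;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.codehaus.groovy.control.customizers.SecureASTCustomizer;

// Allow only star imports from java.lang, and check indirect imports as well
SecureASTCustomizer customizer = new SecureASTCustomizer();
customizer.setIndirectImportCheckEnabled(true);
List<String> starImportsWhitelist = new ArrayList<String>();
starImportsWhitelist.add("java.lang");
customizer.setStarImportsWhitelist(starImportsWhitelist);
CompilerConfiguration cc = new CompilerConfiguration();
cc.addCompilationCustomizers(customizer);
ClassLoader parent = getClass().getClassLoader();
GroovyClassLoader loader = new GroovyClassLoader(parent, cc);
// Compiling this script throws the SecurityException shown under "2. Exception"
loader.parseClass("Object[] array = new Object[0]; array.size()");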
2. Exception
Caused by: java.lang.SecurityException: Importing [[Ljava.lang.Object;] is not allowed
    at org.codehaus.groovy.control.customizers.SecureASTCustomizer.assertImportIsAllowed(SecureASTCustomizer.java:608)
    at org.codehaus.groovy.control.customizers.SecureASTCustomizer.access$800(SecureASTCustomizer.java:121)
    at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.assertExpressionAuthorized(SecureASTCustomizer.java:702)
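An added illustration, not part of the report and not Groovy's own code: the name in the exception, `[Ljava.lang.Object;`, is the JVM name of `Object[]`, and a package-based star-import check does not place that string in `java.lang` unless the array prefix is stripped first. The class, the method names and the naive check itself are assumptions made for this example.

```java
import java.util.List;

// Added illustration; not SecureASTCustomizer's implementation.
public class StarImportWhitelistDemo {

    // Assumed naive check: the text before the last '.' must be a whitelisted package.
    static boolean naiveAllowed(String typeName, List<String> starPackages) {
        int dot = typeName.lastIndexOf('.');
        String pkg = dot < 0 ? "" : typeName.substring(0, dot);
        return starPackages.contains(pkg);
    }

    // Reduce a JVM array name such as "[Ljava.lang.Object;" or "[[I" to its
    // element class name; returns null when the element type is primitive.
    static String elementType(String typeName) {
        int dims = 0;
        while (dims < typeName.length() && typeName.charAt(dims) == '[') dims++;
        if (dims == 0) return typeName;             // not an array name
        String rest = typeName.substring(dims);
        if (rest.startsWith("L") && rest.endsWith(";")) {
            return rest.substring(1, rest.length() - 1);
        }
        return null;                                // primitive array, e.g. "[I"
    }

    // Check the element class instead of the raw array name.
    // Assumption: primitive arrays name no importable class, so they pass.
    static boolean normalizedAllowed(String typeName, List<String> starPackages) {
        String element = elementType(typeName);
        return element == null || naiveAllowed(element, starPackages);
    }

    public static void main(String[] args) {
        List<String> whitelist = List.of("java.lang");
        // Constructed inputs; the first is the type from the report's script.
        String[] names = {
            Object[].class.getName(), "java.lang.String",
            "[[Ljava.lang.Integer;", "[I", "[Ljava.io.File;"
        };
        for (String n : names) {
            System.out.printf("%-24s naive=%-5b normalized=%b%n",
                    n, naiveAllowed(n, whitelist), normalizedAllowed(n, whitelist));
        }
    }
}
```

With the `java.lang` whitelist, the naive check rejects every array name, while the normalized check accepts the `java.lang` element types and still rejects `[Ljava.io.File;`.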