Tim Biggin created GROOVY-8413:
----------------------------------

Summary: Potential issue with indirectImportCheckEnabled in SecureASTCustomizer
Key: GROOVY-8413
URL: https://issues.apache.org/jira/browse/GROOVY-8413
Project: Groovy
Issue Type: Bug
Reporter: Tim Biggin
I have been attempting to use SecureASTCustomizer to secure Groovy scripts, but I've noticed a few odd things happening within SecureASTCustomizer.

Problem 1) Assume I have configured the import star whitelist with an entry for 'com.company.package.*' and have set indirectImportCheckEnabled to true. The following code snippet breaks:

{code}
import com.company.package.TestClass;

TestClass test = new TestClass();
test.toString();
{code}

because it runs through assertExpressionAuthorized and fails in assertStaticImportIsAllowed, because com.company.package.TestClass.toString() is not an allowed static import. This makes no sense to me: test.toString() is 1) not a static call and 2) not an indirect import, because we have an instance of this object and a corresponding import for it.

Problem 2) Assume I have configured the import star whitelist with an entry for 'com.company.package.*' and have set indirectImportCheckEnabled to true.

{code}
import com.company.package.TestClass;

TestClass.SomeStaticMethod();
{code}

When this code is run through assertExpressionAuthorized it is passed in as a MethodCallExpression, not a StaticMethodCallExpression, so even if I fix problem 1, I cannot tell the difference between method calls and static method calls.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
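The following harness is an added example, not code from the Groovy project or from the report above. It reproduces the two cases the reporter describes against a GroovyShell configured the way the report says: a star-import whitelist plus indirectImportCheckEnabled. It assumes the Groovy 2.x property names of SecureASTCustomizer (starImportsWhitelist, staticImportsWhitelist, indirectImportCheckEnabled; later Groovy versions renamed the whitelist properties), uses JDK classes from java.util as stand-ins for com.company.package.TestClass, and assumes the reporter's configuration also sets a static-import whitelist (here an empty list), since the report says the static-import check is what rejects the call and a null whitelist would skip that check. The helper names buildShell and tryScript are the example's own.

```groovy
// Added example: reproduces GROOVY-8413 problems 1 and 2 with java.util
// standing in for com.company.package. Not part of the Groovy project.
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.customizers.SecureASTCustomizer

// Builds a sandboxed shell with the configuration described in the report.
// staticImports is assumed to be set (empty by default) because the report
// says assertStaticImportIsAllowed is what rejects the call.
def buildShell(List<String> staticImports) {
    def secure = new SecureASTCustomizer()
    secure.with {
        starImportsWhitelist = ['java.util.*']   // stand-in for 'com.company.package.*'
        staticImportsWhitelist = staticImports   // assumption: set, initially empty
        indirectImportCheckEnabled = true
    }
    def config = new CompilerConfiguration()
    config.addCompilationCustomizers(secure)
    return new GroovyShell(config)
}

// Problem 1: an instance method call on an imported, whitelisted class.
String instanceCall = '''
import java.util.ArrayList
ArrayList test = new ArrayList()
test.toString()
'''

// Problem 2: a static call qualified by the class name. After resolution the
// receiver is a ClassExpression inside an ordinary MethodCallExpression, so it
// reaches the same check as the instance call above.
String staticCall = '''
import java.util.Collections
Collections.emptyList()
'''

// Evaluates a script in the sandbox and reports whether the customizer let it
// through. The SecurityException raised during canonicalization surfaces as a
// compilation failure, so any exception is treated as a rejection.
def tryScript(GroovyShell shell, String script) {
    try {
        return [allowed: true, value: shell.evaluate(script)]
    } catch (Exception e) {
        return [allowed: false, reason: e.message]
    }
}

// Strict configuration, as in the report: both scripts are rejected by the
// static-import check even though neither is a static import.
def strict = buildShell([])
println "problem 1 (strict): ${tryScript(strict, instanceCall)}"
println "problem 2 (strict): ${tryScript(strict, staticCall)}"

// Listing the fully qualified method names in the static-import whitelist is
// what the check described in the report keys on; it admits the instance call
// and the static call alike, which is the point of problem 2.
def relaxed = buildShell(['java.util.ArrayList.toString',
                          'java.util.Collections.emptyList'])
println "problem 1 (relaxed): ${tryScript(relaxed, instanceCall)}"
println "problem 2 (relaxed): ${tryScript(relaxed, staticCall)}"
```

Run it as a plain Groovy script. The harness itself runs outside the sandbox; only the two embedded script strings pass through the customizer, so the printed maps show what a script author would see under each configuration.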