groovy

SecureASTCustomizer blacklist is ignored inside method body

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: 1.8.1
  • Fix Version/s: 1.8.2, 1.9-beta-3
  • Component/s: Compiler
  • Labels:
    None
  • Testcase included:
    yes
  • Number of attachments :
    1

Description

I'm trying to compile Groovy Scripts while rejecting calls to System.exit() by using using a SecureASTCustomizer like this:

final SecureASTCustomizer customizer = new SecureASTCustomizer();
customizer.setImportsBlacklist(asList("java.lang.System",
		"groovy.lang.GroovyShell", "groovy.lang.GroovyClassLoader"));
customizer.setIndirectImportCheckEnabled(true);

CompilerConfiguration configuration = new CompilerConfiguration();
configuration.addCompilationCustomizers(customizer);

ClassLoader parent = ScriptCompiler.class.getClassLoader();
GroovyClassLoader loader = new GroovyClassLoader(parent, configuration);

The following Script is blocked correctly and I get an exception during parseClass()

System.exit(1);

In the following script, System.exit() is called successfully:

def x() { System.exit(1) }
x()

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Carsten Mjartan added a comment -

Failing JUnit4 Test Case

Show
Carsten Mjartan added a comment - Failing JUnit4 Test Case
Hide
Permalink
Cedric Champeau added a comment -

I fixed this issue, but there are still problems regarding constructors because the AST transformation can't determine whether the constructor was handwritten or generated by the groovy compiler.

Show
Cedric Champeau added a comment - I fixed this issue, but there are still problems regarding constructors because the AST transformation can't determine whether the constructor was handwritten or generated by the groovy compiler.

People

  • Assignee:
    Cedric Champeau
    Reporter:
    Carsten Mjartan
Vote (1)
Watch (1)

Dates

  • Created:
    Updated:
    Resolved: