SecureASTCustomizer blacklist is ignored inside method body

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.8.1
Fix Version/s: 1.8.2, 1.9-beta-3
Component/s: Compiler
Labels:
None

Testcase included:
yes
Number of attachments :
1

Description

I'm trying to compile Groovy Scripts while rejecting calls to System.exit() by using using a SecureASTCustomizer like this:

final SecureASTCustomizer customizer = new SecureASTCustomizer();
customizer.setImportsBlacklist(asList("java.lang.System",
		"groovy.lang.GroovyShell", "groovy.lang.GroovyClassLoader"));
customizer.setIndirectImportCheckEnabled(true);

CompilerConfiguration configuration = new CompilerConfiguration();
configuration.addCompilationCustomizers(customizer);

ClassLoader parent = ScriptCompiler.class.getClassLoader();
GroovyClassLoader loader = new GroovyClassLoader(parent, configuration);

The following Script is blocked correctly and I get an exception during parseClass()

System.exit(1);

In the following script, System.exit() is called successfully:

def x() { System.exit(1) }
x()

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Download All

Attachments

SecureScriptTest.java

16/Aug/11 10:29 AM

1 kB

Carsten Mjartan

Activity

No work has yet been logged on this issue.

People

Assignee:

Cedric Champeau

Reporter:

Carsten Mjartan

Vote (1)

Watch (1)

Dates

Created:

16/Aug/11 10:27 AM

Updated:

07/Sep/11 2:13 PM

Resolved:

31/Aug/11 3:32 AM