groovy
  1. groovy
  2. GROOVY-4978

SecureASTCustomizer blacklist is ignored inside method body

    Details

    • Type: Bug Bug
    • Status: Closed Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 1.8.1
    • Fix Version/s: 1.8.2, 1.9-beta-3
    • Component/s: Compiler
    • Labels:
      None
    • Testcase included:
      yes
    • Number of attachments :
      1

      Description

      I'm trying to compile Groovy Scripts while rejecting calls to System.exit() by using using a SecureASTCustomizer like this:

      final SecureASTCustomizer customizer = new SecureASTCustomizer();
      customizer.setImportsBlacklist(asList("java.lang.System",
      		"groovy.lang.GroovyShell", "groovy.lang.GroovyClassLoader"));
      customizer.setIndirectImportCheckEnabled(true);
      
      CompilerConfiguration configuration = new CompilerConfiguration();
      configuration.addCompilationCustomizers(customizer);
      
      ClassLoader parent = ScriptCompiler.class.getClassLoader();
      GroovyClassLoader loader = new GroovyClassLoader(parent, configuration);
      

      The following Script is blocked correctly and I get an exception during parseClass()

      System.exit(1);
      

      In the following script, System.exit() is called successfully:

      def x() { System.exit(1) }
      x()
      

        Activity

        No work has yet been logged on this issue.

          People

          • Assignee:
            CÚdric Champeau
            Reporter:
            Carsten Mjartan
          • Votes:
            1 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: