SecureASTCustomizer doesn't check class methods

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 1.8.4, 1.8.5, 2.0-beta-2
Fix Version/s: 1.8.6, 2.0-beta-3
Component/s: GroovyScriptEngine
Labels:
None
Environment:
does not matter

Number of attachments :
0

Description

The "call" - method in SecureASTCustomzer doesn't check class methods content
Instead of

  BlockStatement bstmt = ast.getStatementBlock();
  bstmt.visit(new SecuringCodeVisitor());

should be:

 BlockStatement bstmt = ast.getStatementBlock();
        SecuringCodeVisitor visitor = new SecuringCodeVisitor();
        bstmt.visit(visitor);
        for (ClassNode clNode : ast.getClasses()) {
            for ( MethodNode methodNode : clNode.getMethods()) {
                if (methodNode.getCode() instanceof BlockStatement) {
                    BlockStatement blst = (BlockStatement) methodNode.getCode();
                    blst.visit(visitor);
                }
            }

Activity

Ascending order - Click to sort in descending order

Cedric Champeau made changes - 02/Feb/12 10:20 AM

Field	Original Value	New Value
Assignee		Cedric Champeau [ melix ]

Guillaume Laforge made changes - 06/Feb/12 4:13 AM

Description

The "call" - method in SecureASTCustomzer doesn't check class methods content
Instead of
  BlockStatement bstmt = ast.getStatementBlock();
  bstmt.visit(new SecuringCodeVisitor());

should be:

BlockStatement bstmt = ast.getStatementBlock();
        SecuringCodeVisitor visitor = new SecuringCodeVisitor();
        bstmt.visit(visitor);
        for (ClassNode clNode : ast.getClasses()) {
            for ( MethodNode methodNode : clNode.getMethods()) {
                if (methodNode.getCode() instanceof BlockStatement) {
                    BlockStatement blst = (BlockStatement) methodNode.getCode();
                    blst.visit(visitor);
                }
            }

The "call" - method in SecureASTCustomzer doesn't check class methods content
Instead of
{code}
  BlockStatement bstmt = ast.getStatementBlock();
  bstmt.visit(new SecuringCodeVisitor());
{code}
should be:
{code}
BlockStatement bstmt = ast.getStatementBlock();
        SecuringCodeVisitor visitor = new SecuringCodeVisitor();
        bstmt.visit(visitor);
        for (ClassNode clNode : ast.getClasses()) {
            for ( MethodNode methodNode : clNode.getMethods()) {
                if (methodNode.getCode() instanceof BlockStatement) {
                    BlockStatement blst = (BlockStatement) methodNode.getCode();
                    blst.visit(visitor);
                }
            }
{code}

Cedric Champeau made changes - 06/Feb/12 5:03 AM

Fix Version/s		2.0-beta-3 [ 18244 ]
Fix Version/s		1.8.6 [ 18245 ]
Affects Version/s		2.0-beta-2 [ 18072 ]
Affects Version/s		1.8.5 [ 18071 ]
Priority	Minor [ 4 ]	Critical [ 2 ]

Cedric Champeau made changes - 06/Feb/12 5:03 AM

Status	Open [ 1 ]	Resolved [ 5 ]
Resolution		Fixed [ 1 ]

Paul King made changes - 12/Feb/12 4:03 AM

Status

Resolved [ 5 ]

Closed [ 6 ]

People

Assignee:

Cedric Champeau

Reporter:

Michael Raschkowski

Vote (0)

Watch (0)

Dates

Created:

02/Feb/12 10:16 AM

Updated:

12/Feb/12 4:03 AM

Resolved:

06/Feb/12 5:03 AM