SecureASTCustomizer doesn't check class methods

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 1.8.4, 1.8.5, 2.0-beta-2
Fix Version/s: 1.8.6, 2.0-beta-3
Component/s: GroovyScriptEngine
Labels:
None
Environment:
does not matter

Number of attachments :
0

Description

The "call" - method in SecureASTCustomzer doesn't check class methods content
Instead of

  BlockStatement bstmt = ast.getStatementBlock();
  bstmt.visit(new SecuringCodeVisitor());

should be:

 BlockStatement bstmt = ast.getStatementBlock();
        SecuringCodeVisitor visitor = new SecuringCodeVisitor();
        bstmt.visit(visitor);
        for (ClassNode clNode : ast.getClasses()) {
            for ( MethodNode methodNode : clNode.getMethods()) {
                if (methodNode.getCode() instanceof BlockStatement) {
                    BlockStatement blst = (BlockStatement) methodNode.getCode();
                    blst.visit(visitor);
                }
            }

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Cedric Champeau added a comment - 02/Feb/12 10:58 AM

Can you attach a test case which demonstrates the problem? Thanks!

Show

Cedric Champeau added a comment - 02/Feb/12 10:58 AM Can you attach a test case which demonstrates the problem? Thanks!

Hide

Permalink

Cedric Champeau added a comment - 06/Feb/12 5:03 AM

https://github.com/groovy/groovy-core/commit/dda7e0a0f5de7fdd676a83d482dbdd5ae4f82f7f

Show

Cedric Champeau added a comment - 06/Feb/12 5:03 AM https://github.com/groovy/groovy-core/commit/dda7e0a0f5de7fdd676a83d482dbdd5ae4f82f7f

People

Assignee:

Cedric Champeau

Reporter:

Michael Raschkowski

Vote (0)

Watch (0)

Dates

Created:

02/Feb/12 10:16 AM

Updated:

12/Feb/12 4:03 AM

Resolved:

06/Feb/12 5:03 AM