groovy / GROOVY-5277

SecureASTCustomizer doesn't check class methods

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.8.4, 1.8.5, 2.0-beta-2
    • Fix Version/s: 1.8.6, 2.0-beta-3
    • Component/s: GroovyScriptEngine
    • Labels: None
    • Environment: does not matter
    • Number of attachments: 0

      Description

      The "call" method in SecureASTCustomizer doesn't check the content of class methods.
      Instead of:

        BlockStatement bstmt = ast.getStatementBlock();
        bstmt.visit(new SecuringCodeVisitor());
      

      should be:

        BlockStatement bstmt = ast.getStatementBlock();
        SecuringCodeVisitor visitor = new SecuringCodeVisitor();
        // Check the script body, as before
        bstmt.visit(visitor);
        // Also check the body of every method of every class in the module
        for (ClassNode clNode : ast.getClasses()) {
            for (MethodNode methodNode : clNode.getMethods()) {
                if (methodNode.getCode() instanceof BlockStatement) {
                    BlockStatement blst = (BlockStatement) methodNode.getCode();
                    blst.visit(visitor);
                }
            }
        }
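
A regression check for the gap described above, as an added example (not code from this issue or from the Groovy project): it compiles the same forbidden token in the script body, in a script method and in a class method, and reports any placement the customizer lets through. The `**` policy and the sample scripts are constructed for illustration; the setter name `tokensBlacklist` is the one used by Groovy 1.8/2.x.

```groovy
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.MultipleCompilationErrorsException
import org.codehaus.groovy.control.customizers.SecureASTCustomizer
import org.codehaus.groovy.control.messages.ExceptionMessage
import org.codehaus.groovy.syntax.Types

// True when the customizer refuses to compile `source`.
boolean rejected(String source) {
    def secure = new SecureASTCustomizer()
    // Constructed policy: forbid the power operator (**) everywhere.
    secure.tokensBlacklist = [Types.POWER]
    def config = new CompilerConfiguration()
    config.addCompilationCustomizers(secure)
    try {
        new GroovyShell(config).parse(source)   // compile only, nothing is run
        return false
    } catch (SecurityException e) {
        return true
    } catch (MultipleCompilationErrorsException e) {
        // The SecurityException may arrive wrapped in the error collector.
        return e.errorCollector.errors.any {
            it instanceof ExceptionMessage && it.cause instanceof SecurityException
        }
    }
}

// Constructed sample scripts: the same forbidden token in three places.
def samples = [
    'script body'  : '2 ** 3',
    'script method': 'def pow(a, b) { a ** b }\npow(2, 3)',
    'class method' : 'class Calc { def pow(a, b) { a ** b } }\nnew Calc().pow(2, 3)'
]

def missed = samples.findAll { place, src -> !rejected(src) }.keySet()
missed.each { println "NOT CHECKED: forbidden token accepted in $it" }
assert missed.isEmpty() : "SecureASTCustomizer skipped: $missed"
println 'All three placements rejected'
```

Run it against the Groovy version your application embeds; a failed assertion names the placements where the restriction was not enforced.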
      

          People

          • Assignee:
            Cédric Champeau
          • Reporter:
            Michael Raschkowski
          • Votes:
            0
          • Watchers:
            0
