Class SecureASTCustomizer
- All Implemented Interfaces:
CompilationUnit.IPrimaryClassNodeOperation
Most of the security customization options found in this class work with either allowed or disallowed lists. This means that, for a single option, you can set an allowed list OR a disallowed list, but not both. You can mix allowed/disallowed strategies for different options. For example, you can have an allowed import list and a disallowed tokens list.
The recommended way of securing shells is to use allowed lists because it is guaranteed that future features of the Groovy language won't be accidentally allowed unless explicitly added to the allowed list. Using disallowed lists, you can limit the features of the language constructs supported by your shell by opting out, but new language features are then implicitly also available and this may not be desirable. The implication is that you might need to update your configuration with each new release.
If neither an allowed list nor a disallowed list is set, then everything is permitted.
Combinations of import and star import constraints are authorized as long as you use the same type of list for both. For example, you may use an import allowed list and a star import allowed list together, but you cannot use an import allowed list with a star import disallowed list. Static imports are handled separately, meaning that disallowing an import does not prevent you from allowing a static import.
Finally, if the features provided here are not sufficient, you may implement custom AST filtering handlers by implementing either the SecureASTCustomizer.StatementChecker interface or the SecureASTCustomizer.ExpressionChecker interface, and then register your handlers with the addExpressionCheckers(ExpressionChecker...) and addStatementCheckers(StatementChecker...) methods.
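A custom expression checker of the kind described above, as an added example that is not part of the Groovy documentation: it admits a method call only when its name is on an allow list, and it refuses method pointers. The allowed names and the sample scripts are assumptions constructed for the illustration.

```groovy
import org.codehaus.groovy.ast.expr.Expression
import org.codehaus.groovy.ast.expr.MethodCallExpression
import org.codehaus.groovy.ast.expr.MethodPointerExpression
import org.codehaus.groovy.ast.expr.StaticMethodCallExpression
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.MultipleCompilationErrorsException
import org.codehaus.groovy.control.customizers.SecureASTCustomizer

// Assumed policy for this example: only these method names may be called.
def allowedMethods = ['abs', 'max', 'min', 'sqrt'] as Set

def methodNameChecker = { Expression expr ->
    // A method pointer hides the call target from a name-based check.
    if (expr instanceof MethodPointerExpression) return false
    if (expr instanceof MethodCallExpression) {
        // methodAsString is null when the name is computed at runtime.
        return expr.methodAsString in allowedMethods
    }
    if (expr instanceof StaticMethodCallExpression) return expr.method in allowedMethods
    return true   // every other expression kind is left to the list-based options
} as SecureASTCustomizer.ExpressionChecker

def secure = new SecureASTCustomizer()
secure.addExpressionCheckers(methodNameChecker)
def config = new CompilerConfiguration()
config.addCompilationCustomizers(secure)
def shell = new GroovyShell(config)

// True when the customizer refuses the script at compile time.
def rejected = { String script ->
    try {
        shell.parse(script)
        return false
    } catch (SecurityException e) {
        return true
    } catch (MultipleCompilationErrorsException e) {
        return e.errorCollector.errors.any {
            it.hasProperty('cause') && it.cause instanceof SecurityException
        }
    }
}

assert !rejected('Math.max(2, 3) + Math.abs(-4)')   // names on the allow list
assert rejected('[3, 1, 2].sort()')                 // sort is not on the list
assert rejected('def f = Math.&max')                // method pointer refused
```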
Here is an example of usage. We will create a Groovy classloader which only supports arithmetic operations and imports the java.lang.Math classes by default.
    import org.codehaus.groovy.control.CompilerConfiguration
    import org.codehaus.groovy.control.customizers.ImportCustomizer
    import org.codehaus.groovy.control.customizers.SecureASTCustomizer
    import static org.codehaus.groovy.syntax.Types.* // token constants such as PLUS and MINUS

    final ImportCustomizer imports = new ImportCustomizer().addStaticStars('java.lang.Math') // add static import of java.lang.Math
    final SecureASTCustomizer secure = new SecureASTCustomizer()
    secure.with {
        closuresAllowed = false
        methodDefinitionAllowed = false

        allowedImports = []
        allowedStaticImports = []
        allowedStaticStarImports = ['java.lang.Math'] // only java.lang.Math is allowed

        allowedTokens = [
            PLUS,
            MINUS,
            MULTIPLY,
            DIVIDE,
            MOD,
            POWER,
            PLUS_PLUS,
            MINUS_MINUS,
            COMPARE_EQUAL,
            COMPARE_NOT_EQUAL,
            COMPARE_LESS_THAN,
            COMPARE_LESS_THAN_EQUAL,
            COMPARE_GREATER_THAN,
            COMPARE_GREATER_THAN_EQUAL,
        ].asImmutable()

        allowedConstantTypesClasses = [
            Integer,
            Float,
            Long,
            Double,
            BigDecimal,
            Integer.TYPE,
            Long.TYPE,
            Float.TYPE,
            Double.TYPE
        ].asImmutable()

        allowedReceiversClasses = [
            Math,
            Integer,
            Float,
            Double,
            Long,
            BigDecimal
        ].asImmutable()
    }
    CompilerConfiguration config = new CompilerConfiguration()
    config.addCompilationCustomizers(imports, secure)
    GroovyClassLoader loader = new GroovyClassLoader(this.class.classLoader, config)
Note: SecureASTCustomizer allows you to lock down the grammar of scripts but by itself isn't intended to be the complete solution of all security issues when running scripts on the JVM. You might also want to consider setting the groovy.grape.enable System property to false, augmenting use of the customizer with additional techniques, and following standard security principles for JVM applications.
For more information, please read:
- Since:
- 1.8.0
-
Nested Class Summary
Modifier and Type   Class   Description
static interface SecureASTCustomizer.ExpressionChecker
    This interface allows the user to provide a custom expression checker if the dis/allowed expression lists are not sufficient
protected class
    This visitor directly implements the GroovyCodeVisitor interface instead of using the CodeVisitorSupport class to make sure that future features of the language get managed by this visitor.
static interface SecureASTCustomizer.StatementChecker
    This interface allows the user to provide a custom statement checker if the dis/allowed statement lists are not sufficient
-
Constructor Summary
-
Method Summary
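Modifier and Type   Method   Description
void addExpressionCheckers(SecureASTCustomizer.ExpressionChecker... checkers)
void addStatementCheckers(SecureASTCustomizer.StatementChecker... checkers)
protected void assertImportIsAllowed(String className)
protected void assertStarImportIsAllowed(String packageName)
protected void assertStaticImportIsAllowed(String member, String className)
void call(SourceUnit source, GeneratorContext context, ClassNode classNode)
protected void checkMethodDefinitionAllowed(ClassNode owner)
protected GroovyCodeVisitor createGroovyCodeVisitor()
protected static List<MethodNode> filterMethods(ClassNode owner)
List<String> getAllowedConstantTypes()
List<Class<? extends Expression>> getAllowedExpressions()
List<String> getAllowedImports()
List<String> getAllowedReceivers()
List<String> getAllowedStarImports()
List<Class<? extends Statement>> getAllowedStatements()
List<String> getAllowedStaticImports()
List<String> getAllowedStaticStarImports()
List<Integer> getAllowedTokens()
List<String> getConstantTypesBlackList()
    Deprecated.
List<String> getConstantTypesWhiteList()
    Deprecated.
List<String> getDisallowedConstantTypes()
List<Class<? extends Expression>> getDisallowedExpressions()
List<String> getDisallowedImports()
List<String> getDisallowedReceivers()
List<String> getDisallowedStarImports()
List<Class<? extends Statement>> getDisallowedStatements()
List<String> getDisallowedStaticImports()
List<String> getDisallowedStaticStarImports()
List<Integer> getDisallowedTokens()
List<Class<? extends Expression>> getExpressionsBlacklist()
    Deprecated.
List<Class<? extends Expression>> getExpressionsWhitelist()
    Deprecated.
List<String> getImportsBlacklist()
    Deprecated.
List<String> getImportsWhitelist()
    Deprecated.
List<String> getReceiversBlackList()
    Deprecated.
List<String> getReceiversWhiteList()
    Deprecated.
List<String> getStarImportsBlacklist()
    Deprecated.
List<String> getStarImportsWhitelist()
    Deprecated.
List<Class<? extends Statement>> getStatementsBlacklist()
    Deprecated.
List<Class<? extends Statement>> getStatementsWhitelist()
    Deprecated.
List<String> getStaticImportsBlacklist()
    Deprecated.
List<String> getStaticImportsWhitelist()
    Deprecated.
List<String> getStaticStarImportsBlacklist()
    Deprecated.
List<String> getStaticStarImportsWhitelist()
    Deprecated.
List<Integer> getTokensBlacklist()
    Deprecated.
List<Integer> getTokensWhitelist()
    Deprecated.
boolean isClosuresAllowed()
boolean isIndirectImportCheckEnabled()
boolean isMethodDefinitionAllowed()
boolean isPackageAllowed()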
void setAllowedConstantTypes(List<String> allowedConstantTypes)
void setAllowedConstantTypesClasses(List<Class> allowedConstantTypes)
    An alternative way of setting constant types.
void setAllowedExpressions(List<Class<? extends Expression>> allowedExpressions)
void setAllowedImports(List<String> allowedImports)
void setAllowedReceivers(List<String> allowedReceivers)
    Sets the list of classes which may accept method calls.
void setAllowedReceiversClasses(List<Class> allowedReceivers)
    An alternative way of setting receiver classes.
void setAllowedStarImports(List<String> allowedStarImports)
void setAllowedStatements(List<Class<? extends Statement>> allowedStatements)
void setAllowedStaticImports(List<String> allowedStaticImports)
void setAllowedStaticStarImports(List<String> allowedStaticStarImports)
void setAllowedTokens(List<Integer> allowedTokens)
    Sets the list of tokens which are permitted.
void setClosuresAllowed(boolean closuresAllowed)
void setConstantTypesBlackList(List<String> constantTypesBlackList)
void setConstantTypesClassesBlackList(List<Class> disallowedConstantTypes)
    Deprecated.
void setConstantTypesClassesWhiteList(List<Class> allowedConstantTypes)
    Deprecated.
void setConstantTypesWhiteList(List<String> allowedConstantTypes)
    Deprecated.
void setDisallowedConstantTypesClasses(List<Class> disallowedConstantTypes)
    An alternative way of setting constant types.
void setDisallowedExpressions(List<Class<? extends Expression>> disallowedExpressions)
void setDisallowedImports(List<String> disallowedImports)
void setDisallowedReceivers(List<String> disallowedReceivers)
    Sets the list of classes which deny method calls.
void setDisallowedReceiversClasses(List<Class> disallowedReceivers)
    An alternative way of setting receiver classes.
void setDisallowedStarImports(List<String> disallowedStarImports)
void setDisallowedStatements(List<Class<? extends Statement>> disallowedStatements)
void setDisallowedStaticImports(List<String> disallowedStaticImports)
void setDisallowedStaticStarImports(List<String> disallowedStaticStarImports)
void setDisallowedTokens(List<Integer> disallowedTokens)
    Sets the list of tokens which are not permitted.
void setExpressionsBlacklist(List<Class<? extends Expression>> disallowedExpressions)
    Deprecated.
void setExpressionsWhitelist(List<Class<? extends Expression>> allowedExpressions)
    Deprecated.
void setImportsBlacklist(List<String> disallowedImports)
    Deprecated.
void setImportsWhitelist(List<String> allowedImports)
    Deprecated.
void setIndirectImportCheckEnabled(boolean indirectImportCheckEnabled)
    Set this option to true if you want your import rules to be checked against every class node.
void setMethodDefinitionAllowed(boolean methodDefinitionAllowed)
void setPackageAllowed(boolean packageAllowed)
void setReceiversBlackList(List<String> disallowedReceivers)
    Deprecated.
void setReceiversClassesBlackList(List<Class> disallowedReceivers)
    Deprecated.
void setReceiversClassesWhiteList(List<Class> allowedReceivers)
    Deprecated.
void setReceiversWhiteList(List<String> allowedReceivers)
    Deprecated.
void setStarImportsBlacklist(List<String> disallowedStarImports)
    Deprecated.
void setStarImportsWhitelist(List<String> allowedStarImports)
    Deprecated.
void setStatementsBlacklist(List<Class<? extends Statement>> disallowedStatements)
    Deprecated.
void setStatementsWhitelist(List<Class<? extends Statement>> allowedStatements)
    Deprecated.
void setStaticImportsBlacklist(List<String> disallowedStaticImports)
    Deprecated.
void setStaticImportsWhitelist(List<String> allowedStaticImports)
    Deprecated.
void setStaticStarImportsBlacklist(List<String> disallowedStaticStarImports)
    Deprecated.
void setStaticStarImportsWhitelist(List<String> allowedStaticStarImports)
    Deprecated.
void setTokensBlacklist(List<Integer> disallowedTokens)
    Deprecated.
void setTokensWhitelist(List<Integer> allowedTokens)
    Deprecated.
Methods inherited from class org.codehaus.groovy.control.customizers.CompilationCustomizer
getPhase
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.codehaus.groovy.control.CompilationUnit.IPrimaryClassNodeOperation
doPhaseOperation, needSortedInput
-
Constructor Details
-
SecureASTCustomizer
public SecureASTCustomizer()
-
-
Method Details
-
isMethodDefinitionAllowed
public boolean isMethodDefinitionAllowed()
-
setMethodDefinitionAllowed
public void setMethodDefinitionAllowed(boolean methodDefinitionAllowed)
-
isPackageAllowed
public boolean isPackageAllowed()
-
isClosuresAllowed
public boolean isClosuresAllowed()
-
setClosuresAllowed
public void setClosuresAllowed(boolean closuresAllowed)
-
setPackageAllowed
public void setPackageAllowed(boolean packageAllowed)
-
getDisallowedImports
-
getImportsBlacklist
Deprecated. Legacy alias for getDisallowedImports()
-
setDisallowedImports
-
setImportsBlacklist
Deprecated. Legacy alias for setDisallowedImports(List)
-
getAllowedImports
-
getImportsWhitelist
Deprecated. Legacy alias for getAllowedImports()
-
setAllowedImports
-
setImportsWhitelist
Deprecated. Legacy alias for setAllowedImports(List)
-
getDisallowedStarImports
-
getStarImportsBlacklist
Deprecated. Legacy alias for getDisallowedStarImports()
-
setDisallowedStarImports
-
setStarImportsBlacklist
Deprecated. Legacy alias for setDisallowedStarImports(List)
-
getAllowedStarImports
-
getStarImportsWhitelist
Deprecated. Legacy alias for getAllowedStarImports()
-
setAllowedStarImports
-
setStarImportsWhitelist
Deprecated. Legacy alias for setAllowedStarImports(List)
-
getDisallowedStaticImports
-
getStaticImportsBlacklist
Deprecated. Legacy alias for getDisallowedStaticImports()
-
setDisallowedStaticImports
-
setStaticImportsBlacklist
Deprecated. Legacy alias for setDisallowedStaticImports(List)
-
getAllowedStaticImports
-
getStaticImportsWhitelist
Deprecated. Legacy alias for getAllowedStaticImports()
-
setAllowedStaticImports
-
setStaticImportsWhitelist
Deprecated. Legacy alias for setAllowedStaticImports(List)
-
getDisallowedStaticStarImports
-
getStaticStarImportsBlacklist
Deprecated. Legacy alias for getDisallowedStaticStarImports()
-
setDisallowedStaticStarImports
-
setStaticStarImportsBlacklist
Deprecated. Legacy alias for setDisallowedStaticStarImports(List)
-
getAllowedStaticStarImports
-
getStaticStarImportsWhitelist
Deprecated. Legacy alias for getAllowedStaticStarImports()
-
setAllowedStaticStarImports
-
setStaticStarImportsWhitelist
Deprecated. Legacy alias for setAllowedStaticStarImports(List)
-
getDisallowedExpressions
-
getExpressionsBlacklist
Deprecated. Legacy alias for getDisallowedExpressions()
-
setDisallowedExpressions
-
setExpressionsBlacklist
@Deprecated public void setExpressionsBlacklist(List<Class<? extends Expression>> disallowedExpressions)
Deprecated. Legacy alias for setDisallowedExpressions(List)
-
getAllowedExpressions
-
getExpressionsWhitelist
Deprecated. Legacy alias for getAllowedExpressions()
-
setAllowedExpressions
-
setExpressionsWhitelist
@Deprecated public void setExpressionsWhitelist(List<Class<? extends Expression>> allowedExpressions)
Deprecated. Legacy alias for setAllowedExpressions(List)
-
getDisallowedStatements
-
getStatementsBlacklist
Deprecated. Legacy alias for getDisallowedStatements()
-
setDisallowedStatements
-
setStatementsBlacklist
@Deprecated public void setStatementsBlacklist(List<Class<? extends Statement>> disallowedStatements)
Deprecated. Legacy alias for setDisallowedStatements(List)
-
getAllowedStatements
-
getStatementsWhitelist
Deprecated. Legacy alias for getAllowedStatements()
-
setAllowedStatements
-
setStatementsWhitelist
Deprecated. Legacy alias for setAllowedStatements(List)
-
isIndirectImportCheckEnabled
public boolean isIndirectImportCheckEnabled()
-
setIndirectImportCheckEnabled
public void setIndirectImportCheckEnabled(boolean indirectImportCheckEnabled)
Set this option to true if you want your import rules to be checked against every class node. This means that if someone uses a fully qualified class name (FQCN), then it will also be checked against the import rules, preventing, for example, instantiation of classes without imports by way of an FQCN.
- Parameters:
indirectImportCheckEnabled - set to true to enable indirect checks
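The effect of this option, as an added example that is not part of the Groovy documentation: two shells share the same import allowed list, and only the one with the indirect check enabled refuses a class reached by its fully qualified name. The allowed import and the sample scripts are constructed for the illustration.

```groovy
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.MultipleCompilationErrorsException
import org.codehaus.groovy.control.customizers.SecureASTCustomizer

// Builds a shell whose only allowed import is java.util.ArrayList.
def shellWith = { boolean indirectCheck ->
    def secure = new SecureASTCustomizer()
    secure.allowedImports = ['java.util.ArrayList']
    secure.indirectImportCheckEnabled = indirectCheck
    def config = new CompilerConfiguration()
    config.addCompilationCustomizers(secure)
    new GroovyShell(config)
}

String viaImport = 'import java.util.ArrayList\nnew ArrayList()'
String viaFqcn = 'new java.util.LinkedList()'   // no import statement at all

def lax = shellWith(false)
def strict = shellWith(true)

// Without the option, import rules only see import statements.
assert lax.evaluate(viaImport) instanceof ArrayList
assert lax.evaluate(viaFqcn) instanceof LinkedList

// With the option, the allowed class still works ...
assert strict.evaluate(viaImport) instanceof ArrayList

// ... and the FQCN is checked against allowedImports and refused.
boolean refused = false
try {
    strict.parse(viaFqcn)
} catch (SecurityException e) {
    refused = true
} catch (MultipleCompilationErrorsException e) {
    refused = e.errorCollector.errors.any {
        it.hasProperty('cause') && it.cause instanceof SecurityException
    }
}
assert refused
```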
-
getDisallowedTokens
-
getTokensBlacklist
Deprecated. Legacy alias for getDisallowedTokens()
-
setDisallowedTokens
Sets the list of tokens which are not permitted.
- Parameters:
disallowedTokens - the tokens. The values of the tokens must be those of Types
-
setTokensBlacklist
Deprecated. Legacy alias for setDisallowedTokens(List).
-
getAllowedTokens
-
getTokensWhitelist
Deprecated. Legacy alias for getAllowedTokens()
-
setAllowedTokens
Sets the list of tokens which are permitted.
- Parameters:
allowedTokens - the tokens. The values of the tokens must be those of Types
-
setTokensWhitelist
Deprecated. Legacy alias for setAllowedTokens(List)
-
addStatementCheckers
-
addExpressionCheckers
-
getDisallowedConstantTypes
-
getConstantTypesBlackList
Deprecated. Legacy alias for getDisallowedConstantTypes()
-
setConstantTypesBlackList
-
getAllowedConstantTypes
-
getConstantTypesWhiteList
Deprecated. Legacy alias for getAllowedStatements()
-
setAllowedConstantTypes
-
setConstantTypesWhiteList
Deprecated. Legacy alias for setAllowedConstantTypes(List)
-
setAllowedConstantTypesClasses
An alternative way of setting constant types.
- Parameters:
allowedConstantTypes - a list of classes.
-
setConstantTypesClassesWhiteList
Deprecated. Legacy alias for setAllowedConstantTypesClasses(List)
-
setDisallowedConstantTypesClasses
An alternative way of setting constant types.
- Parameters:
disallowedConstantTypes - a list of classes.
-
setConstantTypesClassesBlackList
Deprecated. Legacy alias for setDisallowedConstantTypesClasses(List)
-
getDisallowedReceivers
-
getReceiversBlackList
Deprecated. Legacy alias for getDisallowedReceivers()
-
setDisallowedReceivers
Sets the list of classes which deny method calls. Please note that since Groovy is a dynamic language, and this class performs a static type check, it will be relatively simple to bypass any disallowed list unless the disallowed receivers list contains, at a minimum, Object, Script, GroovyShell, and Eval. Additionally, it is necessary to also have MethodPointerExpression in the disallowed expressions list for the disallowed receivers list to function as a security check.
- Parameters:
disallowedReceivers - the list of refused classes, as fully qualified names
-
setReceiversBlackList
Deprecated. Legacy alias for setDisallowedReceivers(List)
-
setDisallowedReceiversClasses
An alternative way of setting receiver classes.
- Parameters:
disallowedReceivers - a list of classes.
-
setReceiversClassesBlackList
Deprecated. Legacy alias for setDisallowedReceiversClasses(List).
-
getAllowedReceivers
-
getReceiversWhiteList
Deprecated. Legacy alias for getAllowedReceivers()
-
setAllowedReceivers
Sets the list of classes which may accept method calls.
- Parameters:
allowedReceivers - the list of accepted classes, as fully qualified names
-
setReceiversWhiteList
Deprecated. Legacy alias for setAllowedReceivers(List)
-
setAllowedReceiversClasses
An alternative way of setting receiver classes.
- Parameters:
allowedReceivers - a list of classes.
-
setReceiversClassesWhiteList
Deprecated. Legacy alias for setAllowedReceiversClasses(List)
-
call
public void call(SourceUnit source, GeneratorContext context, ClassNode classNode) throws CompilationFailedException
- Throws:
CompilationFailedException
-
createGroovyCodeVisitor
-
checkMethodDefinitionAllowed
-
filterMethods
-
assertStarImportIsAllowed
-
assertImportIsAllowed
-
assertStaticImportIsAllowed
-