Class SecureASTCustomizer


  • public class SecureASTCustomizer
    extends CompilationCustomizer
    This customizer allows securing source code by controlling what code constructs are allowed. For example, if you only want to allow arithmetic operations in a groovy shell, you can configure this customizer to restrict package imports, method calls and so on.

    Most of the security customization options found in this class work with either blacklist or whitelist. This means that, for a single option, you can set a whitelist OR a blacklist, but not both. You can mix whitelist/blacklist strategies for different options. For example, you can have import whitelist and tokens blacklist.

    The recommended way of securing shells is to use whitelists because it is guaranteed that future features of the Groovy language won't be allowed by defaut. Using blacklists, you can limit the features of the languages by opting out, but new language features would require you to update your configuration.

    If you set neither a whitelist nor a blacklist, then everything is authorized.

    Combinations of import and star imports constraints are authorized as long as you use the same type of list for both. For example, you may use an import whitelist and a star import whitelist together, but you cannot use an import white list with a star import blacklist. static imports are handled separately, meaning that blacklisting an import does not prevent from using a static import.

    Eventually, if the features provided here are not sufficient, you may implement custom AST filtering handlers, either implementing the SecureASTCustomizer.StatementChecker interface or SecureASTCustomizer.ExpressionChecker interface then register your handlers thanks to the addExpressionCheckers(org.codehaus.groovy.control.customizers.SecureASTCustomizer.ExpressionChecker...) and addStatementCheckers(org.codehaus.groovy.control.customizers.SecureASTCustomizer.StatementChecker...) methods.

    Here is an example of usage. We will create a groovy classloader which only supports arithmetic operations and imports the java.lang.Math classes by default.

     final ImportCustomizer imports = new ImportCustomizer().addStaticStars('java.lang.Math') // add static import of java.lang.Math
                 final SecureASTCustomizer secure = new SecureASTCustomizer()
                 secure.with {
                     closuresAllowed = false
                     methodDefinitionAllowed = false
    
                     importsWhitelist = []
                     staticImportsWhitelist = []
                     staticStarImportsWhitelist = ['java.lang.Math'] // only java.lang.Math is allowed
    
                     tokensWhitelist = [
                             PLUS,
                             MINUS,
                             MULTIPLY,
                             DIVIDE,
                             MOD,
                             POWER,
                             PLUS_PLUS,
                             MINUS_MINUS,
                             COMPARE_EQUAL,
                             COMPARE_NOT_EQUAL,
                             COMPARE_LESS_THAN,
                             COMPARE_LESS_THAN_EQUAL,
                             COMPARE_GREATER_THAN,
                             COMPARE_GREATER_THAN_EQUAL,
                     ].asImmutable()
    
                     constantTypesClassesWhiteList = [
                             Integer,
                             Float,
                             Long,
                             Double,
                             BigDecimal,
                             Integer.TYPE,
                             Long.TYPE,
                             Float.TYPE,
                             Double.TYPE
                     ].asImmutable()
    
                     receiversClassesWhiteList = [
                             Math,
                             Integer,
                             Float,
                             Double,
                             Long,
                             BigDecimal
                     ].asImmutable()
                 }
                 CompilerConfiguration config = new CompilerConfiguration()
                 config.addCompilationCustomizers(imports, secure)
                 GroovyClassLoader loader = new GroovyClassLoader(this.class.classLoader, config)
      
    Since:
    1.8.0
    • Constructor Detail

      • SecureASTCustomizer

        public SecureASTCustomizer()
    • Method Detail

      • isMethodDefinitionAllowed

        public boolean isMethodDefinitionAllowed()
      • setMethodDefinitionAllowed

        public void setMethodDefinitionAllowed​(boolean methodDefinitionAllowed)
      • isPackageAllowed

        public boolean isPackageAllowed()
      • isClosuresAllowed

        public boolean isClosuresAllowed()
      • setClosuresAllowed

        public void setClosuresAllowed​(boolean closuresAllowed)
      • setPackageAllowed

        public void setPackageAllowed​(boolean packageAllowed)
      • getImportsBlacklist

        public List<String> getImportsBlacklist()
      • setImportsBlacklist

        public void setImportsBlacklist​(List<String> importsBlacklist)
      • getImportsWhitelist

        public List<String> getImportsWhitelist()
      • setImportsWhitelist

        public void setImportsWhitelist​(List<String> importsWhitelist)
      • getStarImportsBlacklist

        public List<String> getStarImportsBlacklist()
      • setStarImportsBlacklist

        public void setStarImportsBlacklist​(List<String> starImportsBlacklist)
      • getStarImportsWhitelist

        public List<String> getStarImportsWhitelist()
      • setStarImportsWhitelist

        public void setStarImportsWhitelist​(List<String> starImportsWhitelist)
      • getStaticImportsBlacklist

        public List<String> getStaticImportsBlacklist()
      • setStaticImportsBlacklist

        public void setStaticImportsBlacklist​(List<String> staticImportsBlacklist)
      • getStaticImportsWhitelist

        public List<String> getStaticImportsWhitelist()
      • setStaticImportsWhitelist

        public void setStaticImportsWhitelist​(List<String> staticImportsWhitelist)
      • getStaticStarImportsBlacklist

        public List<String> getStaticStarImportsBlacklist()
      • setStaticStarImportsBlacklist

        public void setStaticStarImportsBlacklist​(List<String> staticStarImportsBlacklist)
      • getStaticStarImportsWhitelist

        public List<String> getStaticStarImportsWhitelist()
      • setStaticStarImportsWhitelist

        public void setStaticStarImportsWhitelist​(List<String> staticStarImportsWhitelist)
      • setExpressionsBlacklist

        public void setExpressionsBlacklist​(List<Class<? extends Expression>> expressionsBlacklist)
      • setExpressionsWhitelist

        public void setExpressionsWhitelist​(List<Class<? extends Expression>> expressionsWhitelist)
      • getStatementsBlacklist

        public List<Class<? extends Statement>> getStatementsBlacklist()
      • setStatementsBlacklist

        public void setStatementsBlacklist​(List<Class<? extends Statement>> statementsBlacklist)
      • getStatementsWhitelist

        public List<Class<? extends Statement>> getStatementsWhitelist()
      • setStatementsWhitelist

        public void setStatementsWhitelist​(List<Class<? extends Statement>> statementsWhitelist)
      • getTokensBlacklist

        public List<Integer> getTokensBlacklist()
      • isIndirectImportCheckEnabled

        public boolean isIndirectImportCheckEnabled()
      • setIndirectImportCheckEnabled

        public void setIndirectImportCheckEnabled​(boolean indirectImportCheckEnabled)
        Set this option to true if you want your import rules to be checked against every class node. This means that if someone uses a fully qualified class name, then it will also be checked against the import rules, preventing, for example, instantiation of classes without imports thanks to FQCN.
        Parameters:
        indirectImportCheckEnabled - set to true to enable indirect checks
      • setTokensBlacklist

        public void setTokensBlacklist​(List<Integer> tokensBlacklist)
        Sets the list of tokens which are blacklisted.
        Parameters:
        tokensBlacklist - the tokens. The values of the tokens must be those of Types
      • getTokensWhitelist

        public List<Integer> getTokensWhitelist()
      • setTokensWhitelist

        public void setTokensWhitelist​(List<Integer> tokensWhitelist)
        Sets the list of tokens which are whitelisted.
        Parameters:
        tokensWhitelist - the tokens. The values of the tokens must be those of Types
      • getConstantTypesBlackList

        public List<String> getConstantTypesBlackList()
      • setConstantTypesBlackList

        public void setConstantTypesBlackList​(List<String> constantTypesBlackList)
      • getConstantTypesWhiteList

        public List<String> getConstantTypesWhiteList()
      • setConstantTypesWhiteList

        public void setConstantTypesWhiteList​(List<String> constantTypesWhiteList)
      • setConstantTypesClassesWhiteList

        public void setConstantTypesClassesWhiteList​(List<Class> constantTypesWhiteList)
        An alternative way of setting constant types.
        Parameters:
        constantTypesWhiteList - a list of classes.
      • setConstantTypesClassesBlackList

        public void setConstantTypesClassesBlackList​(List<Class> constantTypesBlackList)
        An alternative way of setting constant types.
        Parameters:
        constantTypesBlackList - a list of classes.
      • getReceiversBlackList

        public List<String> getReceiversBlackList()
      • setReceiversBlackList

        public void setReceiversBlackList​(List<String> receiversBlackList)
        Sets the list of classes which deny method calls. Please note that since Groovy is a dynamic language, and this class performs a static type check, it will be reletively simple to bypass any blacklist unless the receivers blacklist contains, at a minimum, Object, Script, GroovyShell, and Eval. Additionally, it is necessary to also blacklist MethodPointerExpression in the expressions blacklist for the receivers blacklist to function as a security check.
        Parameters:
        receiversBlackList - the list of refused classes, as fully qualified names
      • setReceiversClassesBlackList

        public void setReceiversClassesBlackList​(List<Class> receiversBlacklist)
        An alternative way of setting receiver classes.
        Parameters:
        receiversBlacklist - a list of classes.
      • getReceiversWhiteList

        public List<String> getReceiversWhiteList()
      • setReceiversWhiteList

        public void setReceiversWhiteList​(List<String> receiversWhiteList)
        Sets the list of classes which may accept method calls.
        Parameters:
        receiversWhiteList - the list of accepted classes, as fully qualified names
      • setReceiversClassesWhiteList

        public void setReceiversClassesWhiteList​(List<Class> receiversWhitelist)
        An alternative way of setting receiver classes.
        Parameters:
        receiversWhitelist - a list of classes.