Package org.codehaus.groovy.control.customizers

Class SecureASTCustomizer

  • public class SecureASTCustomizer
extends CompilationCustomizer
    This customizer allows securing source code by controlling what code constructs are permitted. This is typically done when using Groovy for its scripting or domain specific language (DSL) features. For example, if you only want to allow arithmetic operations in a groovy shell, you can configure this customizer to restrict package imports, method calls and so on.

    Most of the security customization options found in this class work with either allowed or disallowed lists. This means that, for a single option, you can set an allowed list OR a disallowed list, but not both. You can mix allowed/disallowed strategies for different options. For example, you can have an allowed import list and a disallowed tokens list.

    The recommended way of securing shells is to use allowed lists because it is guaranteed that future features of the Groovy language won't be accidentally allowed unless explicitly added to the allowed list. Using disallowed lists, you can limit the features of the language constructs supported by your shell by opting out, but new language features are then implicitly also available and this may not be desirable. The implication is that you might need to update your configuration with each new release.

    If neither an allowed list nor a disallowed list is set, then everything is permitted.

    Combinations of import and star import constraints are authorized as long as you use the same type of list for both. For example, you may use an import allowed list and a star import allowed list together, but you cannot use an import allowed list with a star import disallowed list. Static imports are handled separately, meaning that disallowing an import does not prevent from allowing a static import.

    Eventually, if the features provided here are not sufficient, you may implement custom AST filtering handlers, either implementing the SecureASTCustomizer.StatementChecker interface or SecureASTCustomizer.ExpressionChecker interface then register your handlers thanks to the addExpressionCheckers(org.codehaus.groovy.control.customizers.SecureASTCustomizer.ExpressionChecker...) and addStatementCheckers(org.codehaus.groovy.control.customizers.SecureASTCustomizer.StatementChecker...) methods.

    Here is an example of usage. We will create a groovy classloader which only supports arithmetic operations and imports the java.lang.Math classes by default. 

     final ImportCustomizer imports = new ImportCustomizer().addStaticStars('java.lang.Math') // add static import of java.lang.Math
     final SecureASTCustomizer secure = new SecureASTCustomizer()
     secure.with {
         closuresAllowed = false
         methodDefinitionAllowed = false

         allowedImports = []
         allowedStaticImports = []
         allowedStaticStarImports = ['java.lang.Math'] // only java.lang.Math is allowed

         allowedTokens = [
                 PLUS,
                 MINUS,
                 MULTIPLY,
                 DIVIDE,
                 MOD,
                 POWER,
                 PLUS_PLUS,
                 MINUS_MINUS,
                 COMPARE_EQUAL,
                 COMPARE_NOT_EQUAL,
                 COMPARE_LESS_THAN,
                 COMPARE_LESS_THAN_EQUAL,
                 COMPARE_GREATER_THAN,
                 COMPARE_GREATER_THAN_EQUAL,
         ].asImmutable()

         allowedConstantTypesClasses = [
                 Integer,
                 Float,
                 Long,
                 Double,
                 BigDecimal,
                 Integer.TYPE,
                 Long.TYPE,
                 Float.TYPE,
                 Double.TYPE
         ].asImmutable()

         allowedReceiversClasses = [
                 Math,
                 Integer,
                 Float,
                 Double,
                 Long,
                 BigDecimal
         ].asImmutable()
     }
     CompilerConfiguration config = new CompilerConfiguration()
     config.addCompilationCustomizers(imports, secure)
     GroovyClassLoader loader = new GroovyClassLoader(this.class.classLoader, config)
    Since:
    1.8.0

    • Constructor Detail

      • SecureASTCustomizer

        public SecureASTCustomizer()

    • Method Detail

      • isMethodDefinitionAllowed

        public boolean isMethodDefinitionAllowed()

      • setMethodDefinitionAllowed

        public void setMethodDefinitionAllowed​(boolean methodDefinitionAllowed)

      • isPackageAllowed

        public boolean isPackageAllowed()

      • isClosuresAllowed

        public boolean isClosuresAllowed()

      • setClosuresAllowed

        public void setClosuresAllowed​(boolean closuresAllowed)

      • setPackageAllowed

        public void setPackageAllowed​(boolean packageAllowed)

      • getDisallowedImports

        public java.util.List<java.lang.String> getDisallowedImports()

      • getImportsBlacklist

        public java.util.List<java.lang.String> getImportsBlacklist()
        Legacy alias for getDisallowedImports()

      • setDisallowedImports

        public void setDisallowedImports​(java.util.List<java.lang.String> disallowedImports)

      • setImportsBlacklist

        public void setImportsBlacklist​(java.util.List<java.lang.String> disallowedImports)
        Legacy alias for setDisallowedImports(List)

      • getAllowedImports

        public java.util.List<java.lang.String> getAllowedImports()

      • getImportsWhitelist

        public java.util.List<java.lang.String> getImportsWhitelist()
        Legacy alias for getAllowedImports()

      • setAllowedImports

        public void setAllowedImports​(java.util.List<java.lang.String> allowedImports)

      • setImportsWhitelist

        public void setImportsWhitelist​(java.util.List<java.lang.String> allowedImports)
        Legacy alias for setAllowedImports(List)

      • getDisallowedStarImports

        public java.util.List<java.lang.String> getDisallowedStarImports()

      • getStarImportsBlacklist

        public java.util.List<java.lang.String> getStarImportsBlacklist()
        Legacy alias for getDisallowedStarImports()

      • setDisallowedStarImports

        public void setDisallowedStarImports​(java.util.List<java.lang.String> disallowedStarImports)

      • setStarImportsBlacklist

        public void setStarImportsBlacklist​(java.util.List<java.lang.String> disallowedStarImports)
        Legacy alias for setDisallowedStarImports(List)

      • getAllowedStarImports

        public java.util.List<java.lang.String> getAllowedStarImports()

      • getStarImportsWhitelist

        public java.util.List<java.lang.String> getStarImportsWhitelist()
        Legacy alias for getAllowedStarImports()

      • setAllowedStarImports

        public void setAllowedStarImports​(java.util.List<java.lang.String> allowedStarImports)

      • setStarImportsWhitelist

        public void setStarImportsWhitelist​(java.util.List<java.lang.String> allowedStarImports)
        Legacy alias for setAllowedStarImports(List)

      • getDisallowedStaticImports

        public java.util.List<java.lang.String> getDisallowedStaticImports()

      • getStaticImportsBlacklist

        public java.util.List<java.lang.String> getStaticImportsBlacklist()
        Legacy alias for getDisallowedStaticImports()

      • setDisallowedStaticImports

        public void setDisallowedStaticImports​(java.util.List<java.lang.String> disallowedStaticImports)

      • setStaticImportsBlacklist

        public void setStaticImportsBlacklist​(java.util.List<java.lang.String> disallowedStaticImports)
        Legacy alias for setDisallowedStaticImports(List)

      • getAllowedStaticImports

        public java.util.List<java.lang.String> getAllowedStaticImports()

      • getStaticImportsWhitelist

        public java.util.List<java.lang.String> getStaticImportsWhitelist()
        Legacy alias for getAllowedStaticImports()

      • setAllowedStaticImports

        public void setAllowedStaticImports​(java.util.List<java.lang.String> allowedStaticImports)

      • setStaticImportsWhitelist

        public void setStaticImportsWhitelist​(java.util.List<java.lang.String> allowedStaticImports)
        Legacy alias for setAllowedStaticImports(List)

      • getDisallowedStaticStarImports

        public java.util.List<java.lang.String> getDisallowedStaticStarImports()

      • setDisallowedStaticStarImports

        public void setDisallowedStaticStarImports​(java.util.List<java.lang.String> disallowedStaticStarImports)

      • setStaticStarImportsBlacklist

        public void setStaticStarImportsBlacklist​(java.util.List<java.lang.String> disallowedStaticStarImports)
        Legacy alias for setDisallowedStaticStarImports(List)

      • getAllowedStaticStarImports

        public java.util.List<java.lang.String> getAllowedStaticStarImports()

      • getStaticStarImportsWhitelist

        public java.util.List<java.lang.String> getStaticStarImportsWhitelist()
        Legacy alias for getAllowedStaticStarImports()

      • setAllowedStaticStarImports

        public void setAllowedStaticStarImports​(java.util.List<java.lang.String> allowedStaticStarImports)

      • setStaticStarImportsWhitelist

        public void setStaticStarImportsWhitelist​(java.util.List<java.lang.String> allowedStaticStarImports)
        Legacy alias for setAllowedStaticStarImports(List)

      • getDisallowedExpressions

        public java.util.List<java.lang.Class<? extends Expression>> getDisallowedExpressions()

      • setDisallowedExpressions

        public void setDisallowedExpressions​(java.util.List<java.lang.Class<? extends Expression>> disallowedExpressions)

      • getAllowedExpressions

        public java.util.List<java.lang.Class<? extends Expression>> getAllowedExpressions()

      • setAllowedExpressions

        public void setAllowedExpressions​(java.util.List<java.lang.Class<? extends Expression>> allowedExpressions)

      • setExpressionsWhitelist

        public void setExpressionsWhitelist​(java.util.List<java.lang.Class<? extends Expression>> allowedExpressions)
        Legacy alias for setAllowedExpressions(List)

      • getDisallowedStatements

        public java.util.List<java.lang.Class<? extends Statement>> getDisallowedStatements()

      • setDisallowedStatements

        public void setDisallowedStatements​(java.util.List<java.lang.Class<? extends Statement>> disallowedStatements)

      • getAllowedStatements

        public java.util.List<java.lang.Class<? extends Statement>> getAllowedStatements()

      • setAllowedStatements

        public void setAllowedStatements​(java.util.List<java.lang.Class<? extends Statement>> allowedStatements)

      • setStatementsWhitelist

        public void setStatementsWhitelist​(java.util.List<java.lang.Class<? extends Statement>> allowedStatements)
        Legacy alias for setAllowedStatements(List)

      • isIndirectImportCheckEnabled

        public boolean isIndirectImportCheckEnabled()

      • setIndirectImportCheckEnabled

        public void setIndirectImportCheckEnabled​(boolean indirectImportCheckEnabled)
        Set this option to true if you want your import rules to be checked against every class node. This means that if someone uses a fully qualified class name, then it will also be checked against the import rules, preventing, for example, instantiation of classes without imports thanks to FQCN.
        Parameters:
        indirectImportCheckEnabled - set to true to enable indirect checks

      • getDisallowedTokens

        public java.util.List<java.lang.Integer> getDisallowedTokens()

      • getTokensBlacklist

        public java.util.List<java.lang.Integer> getTokensBlacklist()
        Legacy alias for getDisallowedTokens()

      • setDisallowedTokens

        public void setDisallowedTokens​(java.util.List<java.lang.Integer> disallowedTokens)
        Sets the list of tokens which are not permitted.
        Parameters:
        disallowedTokens - the tokens. The values of the tokens must be those of Types

      • setTokensBlacklist

        public void setTokensBlacklist​(java.util.List<java.lang.Integer> disallowedTokens)
        Alias for setDisallowedTokens(List).

      • getAllowedTokens

        public java.util.List<java.lang.Integer> getAllowedTokens()

      • getTokensWhitelist

        public java.util.List<java.lang.Integer> getTokensWhitelist()
        Legacy alias for getAllowedTokens()

      • setAllowedTokens

        public void setAllowedTokens​(java.util.List<java.lang.Integer> allowedTokens)
        Sets the list of tokens which are permitted.
        Parameters:
        allowedTokens - the tokens. The values of the tokens must be those of Types

      • setTokensWhitelist

        public void setTokensWhitelist​(java.util.List<java.lang.Integer> allowedTokens)
        Legacy alias for setAllowedTokens(List)

      • getDisallowedConstantTypes

        public java.util.List<java.lang.String> getDisallowedConstantTypes()

      • getConstantTypesBlackList

        public java.util.List<java.lang.String> getConstantTypesBlackList()
        Legacy alias for getDisallowedConstantTypes()

      • setConstantTypesBlackList

        public void setConstantTypesBlackList​(java.util.List<java.lang.String> constantTypesBlackList)

      • getAllowedConstantTypes

        public java.util.List<java.lang.String> getAllowedConstantTypes()

      • getConstantTypesWhiteList

        public java.util.List<java.lang.String> getConstantTypesWhiteList()
        Legacy alias for getAllowedStatements()

      • setAllowedConstantTypes

        public void setAllowedConstantTypes​(java.util.List<java.lang.String> allowedConstantTypes)

      • setConstantTypesWhiteList

        public void setConstantTypesWhiteList​(java.util.List<java.lang.String> allowedConstantTypes)
        Legacy alias for setAllowedConstantTypes(List)

      • setAllowedConstantTypesClasses

        public void setAllowedConstantTypesClasses​(java.util.List<java.lang.Class> allowedConstantTypes)
        An alternative way of setting constant types.
        Parameters:
        allowedConstantTypes - a list of classes.

      • setConstantTypesClassesWhiteList

        public void setConstantTypesClassesWhiteList​(java.util.List<java.lang.Class> allowedConstantTypes)
        Legacy alias for setAllowedConstantTypesClasses(List)

      • setDisallowedConstantTypesClasses

        public void setDisallowedConstantTypesClasses​(java.util.List<java.lang.Class> disallowedConstantTypes)
        An alternative way of setting constant types.
        Parameters:
        disallowedConstantTypes - a list of classes.

      • setConstantTypesClassesBlackList

        public void setConstantTypesClassesBlackList​(java.util.List<java.lang.Class> disallowedConstantTypes)
        Legacy alias for setDisallowedConstantTypesClasses(List)

      • getDisallowedReceivers

        public java.util.List<java.lang.String> getDisallowedReceivers()

      • getReceiversBlackList

        public java.util.List<java.lang.String> getReceiversBlackList()
        Legacy alias for getDisallowedReceivers()

      • setDisallowedReceivers

        public void setDisallowedReceivers​(java.util.List<java.lang.String> disallowedReceivers)
        Sets the list of classes which deny method calls. Please note that since Groovy is a dynamic language, and this class performs a static type check, it will be relatively simple to bypass any disallowed list unless the disallowed receivers list contains, at a minimum, Object, Script, GroovyShell, and Eval. Additionally, it is necessary to also have MethodPointerExpression in the disallowed expressions list for the disallowed receivers list to function as a security check.
        Parameters:
        disallowedReceivers - the list of refused classes, as fully qualified names

      • setReceiversBlackList

        public void setReceiversBlackList​(java.util.List<java.lang.String> disallowedReceivers)
        Legacy alias for setDisallowedReceivers(List)

      • setDisallowedReceiversClasses

        public void setDisallowedReceiversClasses​(java.util.List<java.lang.Class> disallowedReceivers)
        An alternative way of setting receiver classes.
        Parameters:
        disallowedReceivers - a list of classes.

      • setReceiversClassesBlackList

        public void setReceiversClassesBlackList​(java.util.List<java.lang.Class> disallowedReceivers)
        Legacy alias for setDisallowedReceiversClasses(List).

      • getAllowedReceivers

        public java.util.List<java.lang.String> getAllowedReceivers()

      • getReceiversWhiteList

        public java.util.List<java.lang.String> getReceiversWhiteList()
        Legacy alias for getAllowedReceivers()

      • setAllowedReceivers

        public void setAllowedReceivers​(java.util.List<java.lang.String> allowedReceivers)
        Sets the list of classes which may accept method calls.
        Parameters:
        allowedReceivers - the list of accepted classes, as fully qualified names

      • setReceiversWhiteList

        public void setReceiversWhiteList​(java.util.List<java.lang.String> allowedReceivers)
        Legacy alias for setAllowedReceivers(List)

      • setAllowedReceiversClasses

        public void setAllowedReceiversClasses​(java.util.List<java.lang.Class> allowedReceivers)
        An alternative way of setting receiver classes.
        Parameters:
        allowedReceivers - a list of classes.

      • setReceiversClassesWhiteList

        public void setReceiversClassesWhiteList​(java.util.List<java.lang.Class> allowedReceivers)
        Legacy alias for setAllowedReceiversClasses(List)