Package org.codehaus.groovy.control.customizers

Class SecureASTCustomizer

java.lang.Object
org.codehaus.groovy.control.customizers.CompilationCustomizer
org.codehaus.groovy.control.customizers.SecureASTCustomizer
All Implemented Interfaces:
CompilationUnit.IPrimaryClassNodeOperation
public class SecureASTCustomizer
extends CompilationCustomizer
This customizer allows securing source code by controlling what code constructs are permitted. This is typically done when using Groovy for its scripting or domain specific language (DSL) features. For example, if you only want to allow arithmetic operations in a groovy shell, you can configure this customizer to restrict package imports, method calls and so on.

Most of the security customization options found in this class work with either allowed or disallowed lists. This means that, for a single option, you can set an allowed list OR a disallowed list, but not both. You can mix allowed/disallowed strategies for different options. For example, you can have an allowed import list and a disallowed tokens list.

The recommended way of securing shells is to use allowed lists because it is guaranteed that future features of the Groovy language won't be accidentally allowed unless explicitly added to the allowed list. Using disallowed lists, you can limit the features of the language constructs supported by your shell by opting out, but new language features are then implicitly also available and this may not be desirable. The implication is that you might need to update your configuration with each new release.

If neither an allowed list nor a disallowed list is set, then everything is permitted.

Combinations of import and star import constraints are authorized as long as you use the same type of list for both. For example, you may use an import allowed list and a star import allowed list together, but you cannot use an import allowed list with a star import disallowed list. Static imports are handled separately, meaning that disallowing an import does not prevent from allowing a static import.

Eventually, if the features provided here are not sufficient, you may implement custom AST filtering handlers, either implementing the SecureASTCustomizer.StatementChecker interface or SecureASTCustomizer.ExpressionChecker interface then register your handlers thanks to the addExpressionCheckers(org.codehaus.groovy.control.customizers.SecureASTCustomizer.ExpressionChecker...) and addStatementCheckers(org.codehaus.groovy.control.customizers.SecureASTCustomizer.StatementChecker...) methods.

Here is an example of usage. We will create a groovy classloader which only supports arithmetic operations and imports the java.lang.Math classes by default. 

 final ImportCustomizer imports = new ImportCustomizer().addStaticStars('java.lang.Math') // add static import of java.lang.Math
     final SecureASTCustomizer secure = new SecureASTCustomizer()
     secure.with {
         closuresAllowed = false
         methodDefinitionAllowed = false

         allowedImports = []
         allowedStaticImports = []
         allowedStaticStarImports = ['java.lang.Math'] // only java.lang.Math is allowed

         allowedTokens = [
                 PLUS,
                 MINUS,
                 MULTIPLY,
                 DIVIDE,
                 MOD,
                 POWER,
                 PLUS_PLUS,
                 MINUS_MINUS,
                 COMPARE_EQUAL,
                 COMPARE_NOT_EQUAL,
                 COMPARE_LESS_THAN,
                 COMPARE_LESS_THAN_EQUAL,
                 COMPARE_GREATER_THAN,
                 COMPARE_GREATER_THAN_EQUAL,
         ].asImmutable()

         allowedConstantTypesClasses = [
                 Integer,
                 Float,
                 Long,
                 Double,
                 BigDecimal,
                 Integer.TYPE,
                 Long.TYPE,
                 Float.TYPE,
                 Double.TYPE
         ].asImmutable()

         allowedReceiversClasses = [
                 Math,
                 Integer,
                 Float,
                 Double,
                 Long,
                 BigDecimal
         ].asImmutable()
     }
     CompilerConfiguration config = new CompilerConfiguration()
     config.addCompilationCustomizers(imports, secure)
     GroovyClassLoader loader = new GroovyClassLoader(this.class.classLoader, config)
Since:
1.8.0

  • Constructor Details

    • SecureASTCustomizer

      public SecureASTCustomizer()

  • Method Details

    • isMethodDefinitionAllowed

      public boolean isMethodDefinitionAllowed()

    • setMethodDefinitionAllowed

      public void setMethodDefinitionAllowed​(boolean methodDefinitionAllowed)

    • isPackageAllowed

      public boolean isPackageAllowed()

    • isClosuresAllowed

      public boolean isClosuresAllowed()

    • setClosuresAllowed

      public void setClosuresAllowed​(boolean closuresAllowed)

    • setPackageAllowed

      public void setPackageAllowed​(boolean packageAllowed)

    • getDisallowedImports

      public java.util.List<java.lang.String> getDisallowedImports()

    • getImportsBlacklist

      public java.util.List<java.lang.String> getImportsBlacklist()
      Legacy alias for getDisallowedImports()

    • setDisallowedImports

      public void setDisallowedImports​(java.util.List<java.lang.String> disallowedImports)

    • setImportsBlacklist

      public void setImportsBlacklist​(java.util.List<java.lang.String> disallowedImports)
      Legacy alias for setDisallowedImports(List)

    • getAllowedImports

      public java.util.List<java.lang.String> getAllowedImports()

    • getImportsWhitelist

      public java.util.List<java.lang.String> getImportsWhitelist()
      Legacy alias for getAllowedImports()

    • setAllowedImports

      public void setAllowedImports​(java.util.List<java.lang.String> allowedImports)

    • setImportsWhitelist

      public void setImportsWhitelist​(java.util.List<java.lang.String> allowedImports)
      Legacy alias for setAllowedImports(List)

    • getDisallowedStarImports

      public java.util.List<java.lang.String> getDisallowedStarImports()

    • getStarImportsBlacklist

      public java.util.List<java.lang.String> getStarImportsBlacklist()
      Legacy alias for getDisallowedStarImports()

    • setDisallowedStarImports

      public void setDisallowedStarImports​(java.util.List<java.lang.String> disallowedStarImports)

    • setStarImportsBlacklist

      public void setStarImportsBlacklist​(java.util.List<java.lang.String> disallowedStarImports)
      Legacy alias for setDisallowedStarImports(List)

    • getAllowedStarImports

      public java.util.List<java.lang.String> getAllowedStarImports()

    • getStarImportsWhitelist

      public java.util.List<java.lang.String> getStarImportsWhitelist()
      Legacy alias for getAllowedStarImports()

    • setAllowedStarImports

      public void setAllowedStarImports​(java.util.List<java.lang.String> allowedStarImports)

    • setStarImportsWhitelist

      public void setStarImportsWhitelist​(java.util.List<java.lang.String> allowedStarImports)
      Legacy alias for setAllowedStarImports(List)

    • getDisallowedStaticImports

      public java.util.List<java.lang.String> getDisallowedStaticImports()

    • getStaticImportsBlacklist

      public java.util.List<java.lang.String> getStaticImportsBlacklist()
      Legacy alias for getDisallowedStaticImports()

    • setDisallowedStaticImports

      public void setDisallowedStaticImports​(java.util.List<java.lang.String> disallowedStaticImports)

    • setStaticImportsBlacklist

      public void setStaticImportsBlacklist​(java.util.List<java.lang.String> disallowedStaticImports)
      Legacy alias for setDisallowedStaticImports(List)

    • getAllowedStaticImports

      public java.util.List<java.lang.String> getAllowedStaticImports()

    • getStaticImportsWhitelist

      public java.util.List<java.lang.String> getStaticImportsWhitelist()
      Legacy alias for getAllowedStaticImports()

    • setAllowedStaticImports

      public void setAllowedStaticImports​(java.util.List<java.lang.String> allowedStaticImports)

    • setStaticImportsWhitelist

      public void setStaticImportsWhitelist​(java.util.List<java.lang.String> allowedStaticImports)
      Legacy alias for setAllowedStaticImports(List)

    • getDisallowedStaticStarImports

      public java.util.List<java.lang.String> getDisallowedStaticStarImports()

    • getStaticStarImportsBlacklist

      public java.util.List<java.lang.String> getStaticStarImportsBlacklist()
      Legacy alias for getDisallowedStaticStarImports()

    • setDisallowedStaticStarImports

      public void setDisallowedStaticStarImports​(java.util.List<java.lang.String> disallowedStaticStarImports)

    • setStaticStarImportsBlacklist

      public void setStaticStarImportsBlacklist​(java.util.List<java.lang.String> disallowedStaticStarImports)
      Legacy alias for setDisallowedStaticStarImports(List)

    • getAllowedStaticStarImports

      public java.util.List<java.lang.String> getAllowedStaticStarImports()

    • getStaticStarImportsWhitelist

      public java.util.List<java.lang.String> getStaticStarImportsWhitelist()
      Legacy alias for getAllowedStaticStarImports()

    • setAllowedStaticStarImports

      public void setAllowedStaticStarImports​(java.util.List<java.lang.String> allowedStaticStarImports)

    • setStaticStarImportsWhitelist

      public void setStaticStarImportsWhitelist​(java.util.List<java.lang.String> allowedStaticStarImports)
      Legacy alias for setAllowedStaticStarImports(List)

    • getDisallowedExpressions

      public java.util.List<java.lang.Class<? extends Expression>> getDisallowedExpressions()

    • getExpressionsBlacklist

      public java.util.List<java.lang.Class<? extends Expression>> getExpressionsBlacklist()
      Legacy alias for getDisallowedExpressions()

    • setDisallowedExpressions

      public void setDisallowedExpressions​(java.util.List<java.lang.Class<? extends Expression>> disallowedExpressions)

    • setExpressionsBlacklist

      public void setExpressionsBlacklist​(java.util.List<java.lang.Class<? extends Expression>> disallowedExpressions)
      Legacy alias for setDisallowedExpressions(List)

    • getAllowedExpressions

      public java.util.List<java.lang.Class<? extends Expression>> getAllowedExpressions()

    • getExpressionsWhitelist

      public java.util.List<java.lang.Class<? extends Expression>> getExpressionsWhitelist()
      Legacy alias for getAllowedExpressions()

    • setAllowedExpressions

      public void setAllowedExpressions​(java.util.List<java.lang.Class<? extends Expression>> allowedExpressions)

    • setExpressionsWhitelist

      public void setExpressionsWhitelist​(java.util.List<java.lang.Class<? extends Expression>> allowedExpressions)
      Legacy alias for setAllowedExpressions(List)

    • getDisallowedStatements

      public java.util.List<java.lang.Class<? extends Statement>> getDisallowedStatements()

    • getStatementsBlacklist

      public java.util.List<java.lang.Class<? extends Statement>> getStatementsBlacklist()
      Legacy alias for getDisallowedStatements()

    • setDisallowedStatements

      public void setDisallowedStatements​(java.util.List<java.lang.Class<? extends Statement>> disallowedStatements)

    • setStatementsBlacklist

      public void setStatementsBlacklist​(java.util.List<java.lang.Class<? extends Statement>> disallowedStatements)
      Legacy alias for setDisallowedStatements(List)

    • getAllowedStatements

      public java.util.List<java.lang.Class<? extends Statement>> getAllowedStatements()

    • getStatementsWhitelist

      public java.util.List<java.lang.Class<? extends Statement>> getStatementsWhitelist()
      Legacy alias for getAllowedStatements()

    • setAllowedStatements

      public void setAllowedStatements​(java.util.List<java.lang.Class<? extends Statement>> allowedStatements)

    • setStatementsWhitelist

      public void setStatementsWhitelist​(java.util.List<java.lang.Class<? extends Statement>> allowedStatements)
      Legacy alias for setAllowedStatements(List)

    • isIndirectImportCheckEnabled

      public boolean isIndirectImportCheckEnabled()

    • setIndirectImportCheckEnabled

      public void setIndirectImportCheckEnabled​(boolean indirectImportCheckEnabled)
      Set this option to true if you want your import rules to be checked against every class node. This means that if someone uses a fully qualified class name, then it will also be checked against the import rules, preventing, for example, instantiation of classes without imports thanks to FQCN.
      Parameters:
      indirectImportCheckEnabled - set to true to enable indirect checks

    • getDisallowedTokens

      public java.util.List<java.lang.Integer> getDisallowedTokens()

    • getTokensBlacklist

      public java.util.List<java.lang.Integer> getTokensBlacklist()
      Legacy alias for getDisallowedTokens()

    • setDisallowedTokens

      public void setDisallowedTokens​(java.util.List<java.lang.Integer> disallowedTokens)
      Sets the list of tokens which are not permitted.
      Parameters:
      disallowedTokens - the tokens. The values of the tokens must be those of Types

    • setTokensBlacklist

      public void setTokensBlacklist​(java.util.List<java.lang.Integer> disallowedTokens)
      Alias for setDisallowedTokens(List).

    • getAllowedTokens

      public java.util.List<java.lang.Integer> getAllowedTokens()

    • getTokensWhitelist

      public java.util.List<java.lang.Integer> getTokensWhitelist()
      Legacy alias for getAllowedTokens()

    • setAllowedTokens

      public void setAllowedTokens​(java.util.List<java.lang.Integer> allowedTokens)
      Sets the list of tokens which are permitted.
      Parameters:
      allowedTokens - the tokens. The values of the tokens must be those of Types

    • setTokensWhitelist

      public void setTokensWhitelist​(java.util.List<java.lang.Integer> allowedTokens)
      Legacy alias for setAllowedTokens(List)

    • addStatementCheckers

      public void addStatementCheckers​(SecureASTCustomizer.StatementChecker... checkers)

    • addExpressionCheckers

      public void addExpressionCheckers​(SecureASTCustomizer.ExpressionChecker... checkers)

    • getDisallowedConstantTypes

      public java.util.List<java.lang.String> getDisallowedConstantTypes()

    • getConstantTypesBlackList

      public java.util.List<java.lang.String> getConstantTypesBlackList()
      Legacy alias for getDisallowedConstantTypes()

    • setConstantTypesBlackList

      public void setConstantTypesBlackList​(java.util.List<java.lang.String> constantTypesBlackList)

    • getAllowedConstantTypes

      public java.util.List<java.lang.String> getAllowedConstantTypes()

    • getConstantTypesWhiteList

      public java.util.List<java.lang.String> getConstantTypesWhiteList()
      Legacy alias for getAllowedStatements()

    • setAllowedConstantTypes

      public void setAllowedConstantTypes​(java.util.List<java.lang.String> allowedConstantTypes)

    • setConstantTypesWhiteList

      public void setConstantTypesWhiteList​(java.util.List<java.lang.String> allowedConstantTypes)
      Legacy alias for setAllowedConstantTypes(List)

    • setAllowedConstantTypesClasses

      public void setAllowedConstantTypesClasses​(java.util.List<java.lang.Class> allowedConstantTypes)
      An alternative way of setting constant types.
      Parameters:
      allowedConstantTypes - a list of classes.

    • setConstantTypesClassesWhiteList

      public void setConstantTypesClassesWhiteList​(java.util.List<java.lang.Class> allowedConstantTypes)
      Legacy alias for setAllowedConstantTypesClasses(List)

    • setDisallowedConstantTypesClasses

      public void setDisallowedConstantTypesClasses​(java.util.List<java.lang.Class> disallowedConstantTypes)
      An alternative way of setting constant types.
      Parameters:
      disallowedConstantTypes - a list of classes.

    • setConstantTypesClassesBlackList

      public void setConstantTypesClassesBlackList​(java.util.List<java.lang.Class> disallowedConstantTypes)
      Legacy alias for setDisallowedConstantTypesClasses(List)

    • getDisallowedReceivers

      public java.util.List<java.lang.String> getDisallowedReceivers()

    • getReceiversBlackList

      public java.util.List<java.lang.String> getReceiversBlackList()
      Legacy alias for getDisallowedReceivers()

    • setDisallowedReceivers

      public void setDisallowedReceivers​(java.util.List<java.lang.String> disallowedReceivers)
      Sets the list of classes which deny method calls. Please note that since Groovy is a dynamic language, and this class performs a static type check, it will be relatively simple to bypass any disallowed list unless the disallowed receivers list contains, at a minimum, Object, Script, GroovyShell, and Eval. Additionally, it is necessary to also have MethodPointerExpression in the disallowed expressions list for the disallowed receivers list to function as a security check.
      Parameters:
      disallowedReceivers - the list of refused classes, as fully qualified names

    • setReceiversBlackList

      public void setReceiversBlackList​(java.util.List<java.lang.String> disallowedReceivers)
      Legacy alias for setDisallowedReceivers(List)

    • setDisallowedReceiversClasses

      public void setDisallowedReceiversClasses​(java.util.List<java.lang.Class> disallowedReceivers)
      An alternative way of setting receiver classes.
      Parameters:
      disallowedReceivers - a list of classes.

    • setReceiversClassesBlackList

      public void setReceiversClassesBlackList​(java.util.List<java.lang.Class> disallowedReceivers)
      Legacy alias for setDisallowedReceiversClasses(List).

    • getAllowedReceivers

      public java.util.List<java.lang.String> getAllowedReceivers()

    • getReceiversWhiteList

      public java.util.List<java.lang.String> getReceiversWhiteList()
      Legacy alias for getAllowedReceivers()

    • setAllowedReceivers

      public void setAllowedReceivers​(java.util.List<java.lang.String> allowedReceivers)
      Sets the list of classes which may accept method calls.
      Parameters:
      allowedReceivers - the list of accepted classes, as fully qualified names

    • setReceiversWhiteList

      public void setReceiversWhiteList​(java.util.List<java.lang.String> allowedReceivers)
      Legacy alias for setAllowedReceivers(List)

    • setAllowedReceiversClasses

      public void setAllowedReceiversClasses​(java.util.List<java.lang.Class> allowedReceivers)
      An alternative way of setting receiver classes.
      Parameters:
      allowedReceivers - a list of classes.

    • setReceiversClassesWhiteList

      public void setReceiversClassesWhiteList​(java.util.List<java.lang.Class> allowedReceivers)
      Legacy alias for setAllowedReceiversClasses(List)

    • call

      public void call​(SourceUnit source, GeneratorContext context, ClassNode classNode) throws CompilationFailedException
      Throws:
      CompilationFailedException

    • createGroovyCodeVisitor

      protected GroovyCodeVisitor createGroovyCodeVisitor()

    • checkMethodDefinitionAllowed

      protected void checkMethodDefinitionAllowed​(ClassNode owner)

    • filterMethods

      protected static java.util.List<MethodNode> filterMethods​(ClassNode owner)

    • assertStarImportIsAllowed

      protected void assertStarImportIsAllowed​(java.lang.String packageName)

    • assertImportIsAllowed

      protected void assertImportIsAllowed​(java.lang.String className)

    • assertStaticImportIsAllowed

      protected void assertStaticImportIsAllowed​(java.lang.String member, java.lang.String className)