public class SecureASTCustomizer extends CompilationCustomizer
This customizer allows securing source code by controlling what code constructs are permitted. This is typically done when using Groovy for its scripting or domain specific language (DSL) features. For example, if you only want to allow arithmetic operations in a groovy shell, you can configure this customizer to restrict package imports, method calls and so on.
Most of the security customization options found in this class work with either allowed or disallowed lists. This means that, for a single option, you can set an allowed list OR a disallowed list, but not both. You can mix allowed/disallowed strategies for different options. For example, you can have an allowed import list and a disallowed tokens list.
The recommended way of securing shells is to use allowed lists because it is guaranteed that future features of the Groovy language won't be accidentally allowed unless explicitly added to the allowed list. Using disallowed lists, you can limit the features of the language constructs supported by your shell by opting out, but new language features are then implicitly also available and this may not be desirable. The implication is that you might need to update your configuration with each new release.
If neither an allowed list nor a disallowed list is set, then everything is permitted.
Combinations of import and star import constraints are authorized as long as you use the same type of list for both. For example, you may use an import allowed list and a star import allowed list together, but you cannot use an import allowed list with a star import disallowed list. Static imports are handled separately, meaning that disallowing an import does not prevent from allowing a static import.
Eventually, if the features provided here are not sufficient, you may implement custom AST filtering handlers, either implementing the StatementChecker interface or ExpressionChecker interface then register your handlers thanks to the addExpressionCheckers(ExpressionChecker...) and addStatementCheckers(StatementChecker...) methods.
Here is an example of usage. We will create a groovy classloader which only supports arithmetic operations and imports
the java.lang.Math
classes by default.
final ImportCustomizer imports = new ImportCustomizer().addStaticStars('java.lang.Math') // add static import of java.lang.Math final SecureASTCustomizer secure = new SecureASTCustomizer() secure.with { closuresAllowed = false methodDefinitionAllowed = false allowedImports = [] allowedStaticImports = [] allowedStaticStarImports = ['java.lang.Math'] // only java.lang.Math is allowed allowedTokens = [ PLUS, MINUS, MULTIPLY, DIVIDE, REMAINDER, POWER, PLUS_PLUS, MINUS_MINUS, COMPARE_EQUAL, COMPARE_NOT_EQUAL, COMPARE_LESS_THAN, COMPARE_LESS_THAN_EQUAL, COMPARE_GREATER_THAN, COMPARE_GREATER_THAN_EQUAL, ].asImmutable() allowedConstantTypesClasses = [ Integer, Float, Long, Double, BigDecimal, Integer.TYPE, Long.TYPE, Float.TYPE, Double.TYPE ].asImmutable() allowedReceiversClasses = [ Math, Integer, Float, Double, Long, BigDecimal ].asImmutable() } CompilerConfiguration config = new CompilerConfiguration() config.addCompilationCustomizers(imports, secure) GroovyClassLoader loader = new GroovyClassLoader(this.class.classLoader, config)
Note: SecureASTCustomizer
allows you to lock down the grammar of scripts but by itself isn't intended
to be the complete solution of all security issues when running scripts on the JVM. You might also want to
consider setting the groovy.grape.enable
System property to false, augmenting use of the customizer
with additional techniques, and following standard security principles for JVM applications.
For more information, please read:
Modifiers | Name | Description |
---|---|---|
interface |
SecureASTCustomizer.ExpressionChecker |
This interface allows the user to provide a custom expression checker if the dis/allowed expression lists are not sufficient |
protected class |
SecureASTCustomizer.SecuringCodeVisitor |
This visitor directly implements the GroovyCodeVisitor interface instead of using the CodeVisitorSupport class to make sure that future features of the language gets managed by this visitor. |
interface |
SecureASTCustomizer.StatementChecker |
This interface allows the user to provide a custom statement checker if the dis/allowed statement lists are not sufficient |
Constructor and description |
---|
SecureASTCustomizer() |
Methods inherited from class | Name |
---|---|
class CompilationCustomizer |
getPhase |
Legacy alias for getDisallowedConstantTypes()
Legacy alias for getAllowedStatements()
Legacy alias for getDisallowedExpressions()
Legacy alias for getAllowedExpressions()
Legacy alias for getDisallowedImports()
Legacy alias for getAllowedImports()
Legacy alias for getDisallowedReceivers()
Legacy alias for getAllowedReceivers()
Legacy alias for getDisallowedStarImports()
Legacy alias for getAllowedStarImports()
Legacy alias for getDisallowedStatements()
Legacy alias for getAllowedStatements()
Legacy alias for getDisallowedStaticImports()
Legacy alias for getAllowedStaticImports()
Legacy alias for getDisallowedStaticStarImports()
Legacy alias for getAllowedStaticStarImports()
Legacy alias for getDisallowedTokens()
Legacy alias for getAllowedTokens()
An alternative way of setting constant types.
allowedConstantTypes
- a list of classes.Sets the list of classes which may accept method calls.
allowedReceivers
- the list of accepted classes, as fully qualified namesAn alternative way of setting receiver classes.
allowedReceivers
- a list of classes.Sets the list of tokens which are permitted.
allowedTokens
- the tokens. The values of the tokens must be those of TypesLegacy alias for setDisallowedConstantTypesClasses(List)
Legacy alias for setAllowedConstantTypesClasses(List)
Legacy alias for setAllowedConstantTypes(List)
An alternative way of setting constant types.
disallowedConstantTypes
- a list of classes.Sets the list of classes which deny method calls. Please note that since Groovy is a dynamic language, and this class performs a static type check, it will be relatively simple to bypass any disallowed list unless the disallowed receivers list contains, at a minimum, Object, Script, GroovyShell, and Eval. Additionally, it is necessary to also have MethodPointerExpression in the disallowed expressions list for the disallowed receivers list to function as a security check.
disallowedReceivers
- the list of refused classes, as fully qualified namesAn alternative way of setting receiver classes.
disallowedReceivers
- a list of classes.Sets the list of tokens which are not permitted.
disallowedTokens
- the tokens. The values of the tokens must be those of TypesLegacy alias for setDisallowedExpressions(List)
Legacy alias for setAllowedExpressions(List)
Legacy alias for setDisallowedImports(List)
Legacy alias for setAllowedImports(List)
Set this option to true if you want your import rules to be checked against every class node. This means that if someone uses a fully qualified class name, then it will also be checked against the import rules, preventing, for example, instantiation of classes without imports thanks to FQCN.
indirectImportCheckEnabled
- set to true to enable indirect checksLegacy alias for setDisallowedReceivers(List)
Legacy alias for setDisallowedReceiversClasses(List).
Legacy alias for setAllowedReceiversClasses(List)
Legacy alias for setAllowedReceivers(List)
Legacy alias for setDisallowedStarImports(List)
Legacy alias for setAllowedStarImports(List)
Legacy alias for setDisallowedStatements(List)
Legacy alias for setAllowedStatements(List)
Legacy alias for setDisallowedStaticImports(List)
Legacy alias for setAllowedStaticImports(List)
Legacy alias for setDisallowedStaticStarImports(List)
Legacy alias for setAllowedStaticStarImports(List)
Legacy alias for setDisallowedTokens(List).
Legacy alias for setAllowedTokens(List)
Copyright © 2003-2024 The Apache Software Foundation. All rights reserved.