public class SecureASTCustomizer
extends CompilationCustomizer
This customizer allows securing source code by controlling what code constructs are permitted. This is typically done when using Groovy for its scripting or domain specific language (DSL) features. For example, if you only want to allow arithmetic operations in a groovy shell, you can configure this customizer to restrict package imports, method calls and so on.
Most of the security customization options found in this class work with either allowed or disallowed lists. This means that, for a single option, you can set an allowed list OR a disallowed list, but not both. You can mix allowed/disallowed strategies for different options. For example, you can have an allowed import list and a disallowed tokens list.
The recommended way of securing shells is to use allowed lists because it is guaranteed that future features of the Groovy language won't be accidentally allowed unless explicitly added to the allowed list. Using disallowed lists, you can limit the features of the language constructs supported by your shell by opting out, but new language features are then implicitly also available and this may not be desirable. The implication is that you might need to update your configuration with each new release.
If neither an allowed list nor a disallowed list is set, then everything is permitted.
Combinations of import and star import constraints are authorized as long as you use the same type of list for both. For example, you may use an import allowed list and a star import allowed list together, but you cannot use an import allowed list with a star import disallowed list. Static imports are handled separately, meaning that disallowing an import does not prevent allowing a static import.
Finally, if the features provided here are not sufficient, you may implement custom AST filtering handlers by implementing either the StatementChecker interface or the ExpressionChecker interface, then registering your handlers with the addExpressionCheckers(ExpressionChecker...) and addStatementCheckers(StatementChecker...) methods.
Here is an example of usage. We will create a Groovy class loader which only supports arithmetic operations and imports the java.lang.Math class by default.
```groovy
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.customizers.ImportCustomizer
import org.codehaus.groovy.control.customizers.SecureASTCustomizer
import static org.codehaus.groovy.syntax.Types.* // token constants (PLUS, MINUS, ...)

final ImportCustomizer imports = new ImportCustomizer().addStaticStars('java.lang.Math') // add static import of java.lang.Math
final SecureASTCustomizer secure = new SecureASTCustomizer()
secure.with {
    closuresAllowed = false
    methodDefinitionAllowed = false
    // empty allowed lists: no regular or static imports are permitted
    allowedImports = []
    allowedStaticImports = []
    allowedStaticStarImports = ['java.lang.Math'] // only java.lang.Math is allowed
    // arithmetic and comparison operators only
    allowedTokens = [
        PLUS,
        MINUS,
        MULTIPLY,
        DIVIDE,
        REMAINDER,
        POWER,
        PLUS_PLUS,
        MINUS_MINUS,
        COMPARE_EQUAL,
        COMPARE_NOT_EQUAL,
        COMPARE_LESS_THAN,
        COMPARE_LESS_THAN_EQUAL,
        COMPARE_GREATER_THAN,
        COMPARE_GREATER_THAN_EQUAL,
    ].asImmutable()
    // numeric constants only
    allowedConstantTypesClasses = [
        Integer,
        Float,
        Long,
        Double,
        BigDecimal,
        Integer.TYPE,
        Long.TYPE,
        Float.TYPE,
        Double.TYPE
    ].asImmutable()
    // method calls are accepted only on these receiver types
    allowedReceiversClasses = [
        Math,
        Integer,
        Float,
        Double,
        Long,
        BigDecimal
    ].asImmutable()
}
CompilerConfiguration config = new CompilerConfiguration()
config.addCompilationCustomizers(imports, secure)
GroovyClassLoader loader = new GroovyClassLoader(this.class.classLoader, config)
```
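The custom checkers mentioned above, as an added example that is not part of the Groovy documentation or project code: an ExpressionChecker that filters calls by method name and a StatementChecker that rejects loops, registered on a customizer and compiled against constructed scripts. The allowed method names, the `verdict` helper and the sample scripts are assumptions of this example.

```groovy
import org.codehaus.groovy.ast.expr.MethodCallExpression
import org.codehaus.groovy.ast.expr.MethodPointerExpression
import org.codehaus.groovy.ast.expr.StaticMethodCallExpression
import org.codehaus.groovy.ast.stmt.DoWhileStatement
import org.codehaus.groovy.ast.stmt.ForStatement
import org.codehaus.groovy.ast.stmt.WhileStatement
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.MultipleCompilationErrorsException
import org.codehaus.groovy.control.customizers.ImportCustomizer
import org.codehaus.groovy.control.customizers.SecureASTCustomizer

// Assumed policy for this example: the only method names a script may call.
final Set<String> allowedCalls = ['sqrt', 'abs', 'pow', 'max', 'min'] as Set

// A rule the allow/disallow lists cannot express: filter calls by method name.
def callNameChecker = { expr ->
    if (expr instanceof MethodPointerExpression) return false
    // methodAsString is null when the name is computed at run time, so it fails the check
    if (expr instanceof MethodCallExpression) return expr.methodAsString in allowedCalls
    if (expr instanceof StaticMethodCallExpression) return expr.method in allowedCalls
    true // every other expression type is left to the configured lists
} as SecureASTCustomizer.ExpressionChecker

// Statement rule: an arithmetic DSL has no use for loops.
def noLoopsChecker = { stmt ->
    !(stmt instanceof WhileStatement || stmt instanceof DoWhileStatement || stmt instanceof ForStatement)
} as SecureASTCustomizer.StatementChecker

def secure = new SecureASTCustomizer()
secure.closuresAllowed = false
secure.methodDefinitionAllowed = false
secure.allowedStaticStarImports = ['java.lang.Math']
secure.addExpressionCheckers(callNameChecker)
secure.addStatementCheckers(noLoopsChecker)

def config = new CompilerConfiguration()
config.addCompilationCustomizers(new ImportCustomizer().addStaticStars('java.lang.Math'), secure)
def shell = new GroovyShell(config)

// parse() compiles without running anything; the customizer acts on the AST at compile time.
String verdict(GroovyShell sh, String source) {
    try {
        sh.parse(source)
        return 'accepted'
    } catch (MultipleCompilationErrorsException | SecurityException e) {
        return 'rejected'
    }
}

// Constructed sample scripts.
[
    'sqrt(16) + abs(-3)',               // statically imported Math calls with allowed names
    '"abc".toUpperCase()',              // method name outside the allowed set
    'def n = "sqrt"; Math."$n"(4)',     // method name not known at compile time
    'def f = Math.&sqrt',               // method pointer
    'int i = 0; while (i < 3) { i++ }', // loop statement
].each { src -> println "${verdict(shell, src).padRight(9)} ${src}" }
```

The checkers run in addition to the allow/disallow lists, so they narrow a configuration and never widen it.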
Note: SecureASTCustomizer allows you to lock down the grammar of scripts but by itself isn't intended to be the complete solution to all security issues when running scripts on the JVM. You might also want to consider setting the groovy.grape.enable System property to false, augmenting use of the customizer with additional techniques, and following standard security principles for JVM applications.
Accordingly, the Apache Groovy threat model
treats this customizer as a hardening aid rather than a security boundary (see its "security properties the
project does NOT provide" section): a report that merely demonstrates a bypass is by design, not a vulnerability.
For more information, please read:

| Modifiers | Name | Description |
|---|---|---|
| `interface` | `SecureASTCustomizer.ExpressionChecker` | This interface allows the user to provide a custom expression checker if the dis/allowed expression lists are not sufficient |
| `protected class` | `SecureASTCustomizer.SecuringCodeVisitor` | This visitor directly implements the GroovyCodeVisitor interface instead of using the CodeVisitorSupport class to make sure that future features of the language get managed by this visitor. |
| `interface` | `SecureASTCustomizer.StatementChecker` | This interface allows the user to provide a custom statement checker if the dis/allowed statement lists are not sufficient |

| Constructor and description |
|---|
| `SecureASTCustomizer()` Creates a secure AST customizer that runs during canonicalization. |

| Type Params | Return Type | Name and description |
|---|---|---|
| | `public void` | `addExpressionCheckers(SecureASTCustomizer.ExpressionChecker checkers)` Adds expression checkers consulted in addition to the allow/disallow lists. |
| | `public void` | `addStatementCheckers(SecureASTCustomizer.StatementChecker checkers)` Adds statement checkers consulted in addition to the allow/disallow lists. |
| | `protected void` | `assertImportIsAllowed(String className)` Verifies that a regular import is allowed by the current configuration. |
| | `protected void` | `assertStarImportIsAllowed(String packageName)` Verifies that a star import is allowed by the current configuration. |
| | `protected void` | `assertStaticImportIsAllowed(String member, String className)` Verifies that a static import is allowed by the current configuration. |
| | `public void` | `call(SourceUnit source, GeneratorContext context, ClassNode classNode)` Verifies the configured security rules against the current source unit and class. |
| | `protected void` | `checkMethodDefinitionAllowed(ClassNode owner)` Ensures the supplied class does not declare methods when such definitions are forbidden. |
| | `protected GroovyCodeVisitor` | `createGroovyCodeVisitor()` Creates the visitor that enforces statement and expression restrictions. |
| | `protected static List<MethodNode>` | `filterMethods(ClassNode owner)` Returns the non-synthetic methods declared directly by the supplied class. |
| | `public List<String>` | `getAllowedConstantTypes()` Returns the list of allowed constant or variable types. |
| | `public List<Class<? extends Expression>>` | `getAllowedExpressions()` Returns the list of allowed expression node types. |
| | `public List<String>` | `getAllowedImports()` Returns the list of explicitly allowed imports. |
| | `public List<String>` | `getAllowedReceivers()` Returns the list of receiver types on which calls are allowed. |
| | `public List<String>` | `getAllowedStarImports()` Returns the list of allowed star imports. |
| | `public List<Class<? extends Statement>>` | `getAllowedStatements()` Returns the list of allowed statement node types. |
| | `public List<String>` | `getAllowedStaticImports()` Returns the list of allowed static imports. |
| | `public List<String>` | `getAllowedStaticStarImports()` Returns the list of allowed static star imports. |
| | `public List<Integer>` | `getAllowedTokens()` Returns the list of allowed token types. |
| | `public List<String>` | `getConstantTypesBlackList()` Legacy alias for getDisallowedConstantTypes() |
| | `public List<String>` | `getConstantTypesWhiteList()` Legacy alias for getAllowedStatements() |
| | `public List<String>` | `getDisallowedConstantTypes()` Returns the list of disallowed constant or variable types. |
| | `public List<Class<? extends Expression>>` | `getDisallowedExpressions()` Returns the list of disallowed expression node types. |
| | `public List<String>` | `getDisallowedImports()` Returns the list of explicitly disallowed imports. |
| | `public List<String>` | `getDisallowedReceivers()` Returns the list of receiver types on which calls are disallowed. |
| | `public List<String>` | `getDisallowedStarImports()` Returns the list of disallowed star imports. |
| | `public List<Class<? extends Statement>>` | `getDisallowedStatements()` Returns the list of disallowed statement node types. |
| | `public List<String>` | `getDisallowedStaticImports()` Returns the list of disallowed static imports. |
| | `public List<String>` | `getDisallowedStaticStarImports()` Returns the list of disallowed static star imports. |
| | `public List<Integer>` | `getDisallowedTokens()` Returns the list of disallowed token types. |
| | `public List<Class<? extends Expression>>` | `getExpressionsBlacklist()` Legacy alias for getDisallowedExpressions() |
| | `public List<Class<? extends Expression>>` | `getExpressionsWhitelist()` Legacy alias for getAllowedExpressions() |
| | `public List<String>` | `getImportsBlacklist()` Legacy alias for getDisallowedImports() |
| | `public List<String>` | `getImportsWhitelist()` Legacy alias for getAllowedImports() |
| | `public List<String>` | `getReceiversBlackList()` Legacy alias for getDisallowedReceivers() |
| | `public List<String>` | `getReceiversWhiteList()` Legacy alias for getAllowedReceivers() |
| | `public List<String>` | `getStarImportsBlacklist()` Legacy alias for getDisallowedStarImports() |
| | `public List<String>` | `getStarImportsWhitelist()` Legacy alias for getAllowedStarImports() |
| | `public List<Class<? extends Statement>>` | `getStatementsBlacklist()` Legacy alias for getDisallowedStatements() |
| | `public List<Class<? extends Statement>>` | `getStatementsWhitelist()` Legacy alias for getAllowedStatements() |
| | `public List<String>` | `getStaticImportsBlacklist()` Legacy alias for getDisallowedStaticImports() |
| | `public List<String>` | `getStaticImportsWhitelist()` Legacy alias for getAllowedStaticImports() |
| | `public List<String>` | `getStaticStarImportsBlacklist()` Legacy alias for getDisallowedStaticStarImports() |
| | `public List<String>` | `getStaticStarImportsWhitelist()` Legacy alias for getAllowedStaticStarImports() |
| | `public List<Integer>` | `getTokensBlacklist()` Legacy alias for getDisallowedTokens() |
| | `public List<Integer>` | `getTokensWhitelist()` Legacy alias for getAllowedTokens() |
| | `public boolean` | `isClosuresAllowed()` Indicates whether closures are allowed. |
| | `public boolean` | `isIndirectImportCheckEnabled()` Indicates whether indirect import checks are enabled. |
| | `public boolean` | `isMethodDefinitionAllowed()` Indicates whether explicit method definitions are allowed. |
| | `public boolean` | `isPackageAllowed()` Indicates whether package declarations are allowed. |
| | `public void` | `setAllowedConstantTypes(List<String> allowedConstantTypes)` Sets the list of allowed constant or variable types. |
| | `public void` | `setAllowedConstantTypesClasses(List<Class> allowedConstantTypes)` An alternative way of setting constant types. |
| | `public void` | `setAllowedExpressions(List<Class<? extends Expression>> allowedExpressions)` Sets the list of allowed expression node types. |
| | `public void` | `setAllowedImports(List<String> allowedImports)` Sets the list of explicitly allowed imports. |
| | `public void` | `setAllowedReceivers(List<String> allowedReceivers)` Sets the list of classes which may accept method calls. |
| | `public void` | `setAllowedReceiversClasses(List<Class> allowedReceivers)` An alternative way of setting receiver classes. |
| | `public void` | `setAllowedStarImports(List<String> allowedStarImports)` Sets the list of allowed star imports. |
| | `public void` | `setAllowedStatements(List<Class<? extends Statement>> allowedStatements)` Sets the list of allowed statement node types. |
| | `public void` | `setAllowedStaticImports(List<String> allowedStaticImports)` Sets the list of allowed static imports. |
| | `public void` | `setAllowedStaticStarImports(List<String> allowedStaticStarImports)` Sets the list of allowed static star imports. |
| | `public void` | `setAllowedTokens(List<Integer> allowedTokens)` Sets the list of tokens which are permitted. |
| | `public void` | `setClosuresAllowed(boolean closuresAllowed)` Sets whether closures are allowed. |
| | `public void` | `setConstantTypesBlackList(List<String> constantTypesBlackList)` Sets the list of disallowed constant or variable types. |
| | `public void` | `setConstantTypesClassesBlackList(List<Class> disallowedConstantTypes)` Legacy alias for setDisallowedConstantTypesClasses(List) |
| | `public void` | `setConstantTypesClassesWhiteList(List<Class> allowedConstantTypes)` Legacy alias for setAllowedConstantTypesClasses(List) |
| | `public void` | `setConstantTypesWhiteList(List<String> allowedConstantTypes)` Legacy alias for setAllowedConstantTypes(List) |
| | `public void` | `setDisallowedConstantTypesClasses(List<Class> disallowedConstantTypes)` An alternative way of setting constant types. |
| | `public void` | `setDisallowedExpressions(List<Class<? extends Expression>> disallowedExpressions)` Sets the list of disallowed expression node types. |
| | `public void` | `setDisallowedImports(List<String> disallowedImports)` Sets the list of explicitly disallowed imports. |
| | `public void` | `setDisallowedReceivers(List<String> disallowedReceivers)` Sets the list of classes which deny method calls. |
| | `public void` | `setDisallowedReceiversClasses(List<Class> disallowedReceivers)` An alternative way of setting receiver classes. |
| | `public void` | `setDisallowedStarImports(List<String> disallowedStarImports)` Sets the list of disallowed star imports. |
| | `public void` | `setDisallowedStatements(List<Class<? extends Statement>> disallowedStatements)` Sets the list of disallowed statement node types. |
| | `public void` | `setDisallowedStaticImports(List<String> disallowedStaticImports)` Sets the list of disallowed static imports. |
| | `public void` | `setDisallowedStaticStarImports(List<String> disallowedStaticStarImports)` Sets the list of disallowed static star imports. |
| | `public void` | `setDisallowedTokens(List<Integer> disallowedTokens)` Sets the list of tokens which are not permitted. |
| | `public void` | `setExpressionsBlacklist(List<Class<? extends Expression>> disallowedExpressions)` Legacy alias for setDisallowedExpressions(List) |
| | `public void` | `setExpressionsWhitelist(List<Class<? extends Expression>> allowedExpressions)` Legacy alias for setAllowedExpressions(List) |
| | `public void` | `setImportsBlacklist(List<String> disallowedImports)` Legacy alias for setDisallowedImports(List) |
| | `public void` | `setImportsWhitelist(List<String> allowedImports)` Legacy alias for setAllowedImports(List) |
| | `public void` | `setIndirectImportCheckEnabled(boolean indirectImportCheckEnabled)` Set this option to true if you want your import rules to be checked against every class node. |
| | `public void` | `setMethodDefinitionAllowed(boolean methodDefinitionAllowed)` Sets whether explicit method definitions are allowed. |
| | `public void` | `setPackageAllowed(boolean packageAllowed)` Sets whether package declarations are allowed. |
| | `public void` | `setReceiversBlackList(List<String> disallowedReceivers)` Legacy alias for setDisallowedReceivers(List) |
| | `public void` | `setReceiversClassesBlackList(List<Class> disallowedReceivers)` Legacy alias for setDisallowedReceiversClasses(List). |
| | `public void` | `setReceiversClassesWhiteList(List<Class> allowedReceivers)` Legacy alias for setAllowedReceiversClasses(List) |
| | `public void` | `setReceiversWhiteList(List<String> allowedReceivers)` Legacy alias for setAllowedReceivers(List) |
| | `public void` | `setStarImportsBlacklist(List<String> disallowedStarImports)` Legacy alias for setDisallowedStarImports(List) |
| | `public void` | `setStarImportsWhitelist(List<String> allowedStarImports)` Legacy alias for setAllowedStarImports(List) |
| | `public void` | `setStatementsBlacklist(List<Class<? extends Statement>> disallowedStatements)` Legacy alias for setDisallowedStatements(List) |
| | `public void` | `setStatementsWhitelist(List<Class<? extends Statement>> allowedStatements)` Legacy alias for setAllowedStatements(List) |
| | `public void` | `setStaticImportsBlacklist(List<String> disallowedStaticImports)` Legacy alias for setDisallowedStaticImports(List) |
| | `public void` | `setStaticImportsWhitelist(List<String> allowedStaticImports)` Legacy alias for setAllowedStaticImports(List) |
| | `public void` | `setStaticStarImportsBlacklist(List<String> disallowedStaticStarImports)` Legacy alias for setDisallowedStaticStarImports(List) |
| | `public void` | `setStaticStarImportsWhitelist(List<String> allowedStaticStarImports)` Legacy alias for setAllowedStaticStarImports(List) |
| | `public void` | `setTokensBlacklist(List<Integer> disallowedTokens)` Legacy alias for setDisallowedTokens(List). |
| | `public void` | `setTokensWhitelist(List<Integer> allowedTokens)` Legacy alias for setAllowedTokens(List) |

| Methods inherited from class | Name |
|---|---|
| class CompilationCustomizer | getPhase |

`SecureASTCustomizer()`
Creates a secure AST customizer that runs during canonicalization.

`addExpressionCheckers(SecureASTCustomizer.ExpressionChecker checkers)`
Adds expression checkers consulted in addition to the allow/disallow lists.
checkers - the expression checkers to add

`addStatementCheckers(SecureASTCustomizer.StatementChecker checkers)`
Adds statement checkers consulted in addition to the allow/disallow lists.
checkers - the statement checkers to add

`assertImportIsAllowed(String className)`
Verifies that a regular import is allowed by the current configuration.
className - the imported class name

`assertStarImportIsAllowed(String packageName)`
Verifies that a star import is allowed by the current configuration.
packageName - the star import to check

`assertStaticImportIsAllowed(String member, String className)`
Verifies that a static import is allowed by the current configuration.
member - the imported member name
className - the declaring class name

`call(SourceUnit source, GeneratorContext context, ClassNode classNode)`
Verifies the configured security rules against the current source unit and class.
source - the source unit being customized
context - the current generator context
classNode - the class node being customized

`checkMethodDefinitionAllowed(ClassNode owner)`
Ensures the supplied class does not declare methods when such definitions are forbidden.
owner - the class to inspect

`createGroovyCodeVisitor()`
Creates the visitor that enforces statement and expression restrictions.

`filterMethods(ClassNode owner)`
Returns the non-synthetic methods declared directly by the supplied class.
owner - the class to inspect

`getAllowedConstantTypes()`
Returns the list of allowed constant or variable types.
null

`getAllowedExpressions()`
Returns the list of allowed expression node types.
null

`getAllowedImports()`
Returns the list of explicitly allowed imports.
null

`getAllowedReceivers()`
Returns the list of receiver types on which calls are allowed.
null

`getAllowedStarImports()`
Returns the list of allowed star imports.
null

`getAllowedStatements()`
Returns the list of allowed statement node types.
null

`getAllowedStaticImports()`
Returns the list of allowed static imports.
null

`getAllowedStaticStarImports()`
Returns the list of allowed static star imports.
null

`getAllowedTokens()`
Returns the list of allowed token types.
null

`getConstantTypesBlackList()`
Legacy alias for getDisallowedConstantTypes()

`getConstantTypesWhiteList()`
Legacy alias for getAllowedStatements()
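
`getDisallowedConstantTypes()`
Returns the list of disallowed constant or variable types.
null

`getDisallowedExpressions()`
Returns the list of disallowed expression node types.
null

`getDisallowedImports()`
Returns the list of explicitly disallowed imports.
null

`getDisallowedReceivers()`
Returns the list of receiver types on which calls are disallowed.
null

`getDisallowedStarImports()`
Returns the list of disallowed star imports.
null

`getDisallowedStatements()`
Returns the list of disallowed statement node types.
null

`getDisallowedStaticImports()`
Returns the list of disallowed static imports.
null

`getDisallowedStaticStarImports()`
Returns the list of disallowed static star imports.
null

`getDisallowedTokens()`
Returns the list of disallowed token types.
null

`getExpressionsBlacklist()`
Legacy alias for getDisallowedExpressions()

`getExpressionsWhitelist()`
Legacy alias for getAllowedExpressions()

`getImportsBlacklist()`
Legacy alias for getDisallowedImports()

`getImportsWhitelist()`
Legacy alias for getAllowedImports()

`getReceiversBlackList()`
Legacy alias for getDisallowedReceivers()

`getReceiversWhiteList()`
Legacy alias for getAllowedReceivers()

`getStarImportsBlacklist()`
Legacy alias for getDisallowedStarImports()

`getStarImportsWhitelist()`
Legacy alias for getAllowedStarImports()

`getStatementsBlacklist()`
Legacy alias for getDisallowedStatements()

`getStatementsWhitelist()`
Legacy alias for getAllowedStatements()

`getStaticImportsBlacklist()`
Legacy alias for getDisallowedStaticImports()

`getStaticImportsWhitelist()`
Legacy alias for getAllowedStaticImports()

`getStaticStarImportsBlacklist()`
Legacy alias for getDisallowedStaticStarImports()

`getStaticStarImportsWhitelist()`
Legacy alias for getAllowedStaticStarImports()

`getTokensBlacklist()`
Legacy alias for getDisallowedTokens()

`getTokensWhitelist()`
Legacy alias for getAllowedTokens()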
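
`isClosuresAllowed()`
Indicates whether closures are allowed.
true if closures are allowed

`isIndirectImportCheckEnabled()`
Indicates whether indirect import checks are enabled.
true if indirect import checks are enabled

`isMethodDefinitionAllowed()`
Indicates whether explicit method definitions are allowed.
true if method definitions are allowed

`isPackageAllowed()`
Indicates whether package declarations are allowed.
true if package declarations are allowed

`setAllowedConstantTypes(List<String> allowedConstantTypes)`
Sets the list of allowed constant or variable types.
allowedConstantTypes - the type names to allow

`setAllowedConstantTypesClasses(List<Class> allowedConstantTypes)`
An alternative way of setting constant types.
allowedConstantTypes - a list of classes.

`setAllowedExpressions(List<Class<? extends Expression>> allowedExpressions)`
Sets the list of allowed expression node types.
allowedExpressions - the expression types to allow

`setAllowedImports(List<String> allowedImports)`
Sets the list of explicitly allowed imports.
allowedImports - the imports to allow

`setAllowedReceivers(List<String> allowedReceivers)`
Sets the list of classes which may accept method calls.
allowedReceivers - the list of accepted classes, as fully qualified names

`setAllowedReceiversClasses(List<Class> allowedReceivers)`
An alternative way of setting receiver classes.
allowedReceivers - a list of classes.

`setAllowedStarImports(List<String> allowedStarImports)`
Sets the list of allowed star imports.
allowedStarImports - the star imports to allow

`setAllowedStatements(List<Class<? extends Statement>> allowedStatements)`
Sets the list of allowed statement node types.
allowedStatements - the statement types to allow

`setAllowedStaticImports(List<String> allowedStaticImports)`
Sets the list of allowed static imports.
allowedStaticImports - the static imports to allow

`setAllowedStaticStarImports(List<String> allowedStaticStarImports)`
Sets the list of allowed static star imports.
allowedStaticStarImports - the static star imports to allow

`setAllowedTokens(List<Integer> allowedTokens)`
Sets the list of tokens which are permitted.
allowedTokens - the tokens. The values of the tokens must be those of Types

`setClosuresAllowed(boolean closuresAllowed)`
Sets whether closures are allowed.
closuresAllowed - true to allow closures

`setConstantTypesBlackList(List<String> constantTypesBlackList)`
Sets the list of disallowed constant or variable types.
constantTypesBlackList - the type names to reject

`setConstantTypesClassesBlackList(List<Class> disallowedConstantTypes)`
Legacy alias for setDisallowedConstantTypesClasses(List)

`setConstantTypesClassesWhiteList(List<Class> allowedConstantTypes)`
Legacy alias for setAllowedConstantTypesClasses(List)

`setConstantTypesWhiteList(List<String> allowedConstantTypes)`
Legacy alias for setAllowedConstantTypes(List)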
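
`setDisallowedConstantTypesClasses(List<Class> disallowedConstantTypes)`
An alternative way of setting constant types.
disallowedConstantTypes - a list of classes.

`setDisallowedExpressions(List<Class<? extends Expression>> disallowedExpressions)`
Sets the list of disallowed expression node types.
disallowedExpressions - the expression types to reject

`setDisallowedImports(List<String> disallowedImports)`
Sets the list of explicitly disallowed imports.
disallowedImports - the imports to reject

`setDisallowedReceivers(List<String> disallowedReceivers)`
Sets the list of classes which deny method calls. Please note that since Groovy is a dynamic language, and this class performs a static type check, it will be relatively simple to bypass any disallowed list unless the disallowed receivers list contains, at a minimum, Object, Script, GroovyShell, and Eval. Additionally, it is necessary to also have MethodPointerExpression in the disallowed expressions list for the disallowed receivers list to function as a security check.
disallowedReceivers - the list of refused classes, as fully qualified names

`setDisallowedReceiversClasses(List<Class> disallowedReceivers)`
An alternative way of setting receiver classes.
disallowedReceivers - a list of classes.

`setDisallowedStarImports(List<String> disallowedStarImports)`
Sets the list of disallowed star imports.
disallowedStarImports - the star imports to reject

`setDisallowedStatements(List<Class<? extends Statement>> disallowedStatements)`
Sets the list of disallowed statement node types.
disallowedStatements - the statement types to reject

`setDisallowedStaticImports(List<String> disallowedStaticImports)`
Sets the list of disallowed static imports.
disallowedStaticImports - the static imports to reject

`setDisallowedStaticStarImports(List<String> disallowedStaticStarImports)`
Sets the list of disallowed static star imports.
disallowedStaticStarImports - the static star imports to reject

`setDisallowedTokens(List<Integer> disallowedTokens)`
Sets the list of tokens which are not permitted.
disallowedTokens - the tokens. The values of the tokens must be those of Types

`setExpressionsBlacklist(List<Class<? extends Expression>> disallowedExpressions)`
Legacy alias for setDisallowedExpressions(List)

`setExpressionsWhitelist(List<Class<? extends Expression>> allowedExpressions)`
Legacy alias for setAllowedExpressions(List)

`setImportsBlacklist(List<String> disallowedImports)`
Legacy alias for setDisallowedImports(List)

`setImportsWhitelist(List<String> allowedImports)`
Legacy alias for setAllowedImports(List)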
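
`setIndirectImportCheckEnabled(boolean indirectImportCheckEnabled)`
Set this option to true if you want your import rules to be checked against every class node. This means that if someone uses a fully qualified class name, then it will also be checked against the import rules, preventing, for example, instantiation of classes without imports thanks to FQCN.
indirectImportCheckEnabled - set to true to enable indirect checks

`setMethodDefinitionAllowed(boolean methodDefinitionAllowed)`
Sets whether explicit method definitions are allowed.
methodDefinitionAllowed - true to allow method definitions

`setPackageAllowed(boolean packageAllowed)`
Sets whether package declarations are allowed.
packageAllowed - true to allow package declarations

`setReceiversBlackList(List<String> disallowedReceivers)`
Legacy alias for setDisallowedReceivers(List)

`setReceiversClassesBlackList(List<Class> disallowedReceivers)`
Legacy alias for setDisallowedReceiversClasses(List).

`setReceiversClassesWhiteList(List<Class> allowedReceivers)`
Legacy alias for setAllowedReceiversClasses(List)

`setReceiversWhiteList(List<String> allowedReceivers)`
Legacy alias for setAllowedReceivers(List)

`setStarImportsBlacklist(List<String> disallowedStarImports)`
Legacy alias for setDisallowedStarImports(List)

`setStarImportsWhitelist(List<String> allowedStarImports)`
Legacy alias for setAllowedStarImports(List)

`setStatementsBlacklist(List<Class<? extends Statement>> disallowedStatements)`
Legacy alias for setDisallowedStatements(List)

`setStatementsWhitelist(List<Class<? extends Statement>> allowedStatements)`
Legacy alias for setAllowedStatements(List)

`setStaticImportsBlacklist(List<String> disallowedStaticImports)`
Legacy alias for setDisallowedStaticImports(List)

`setStaticImportsWhitelist(List<String> allowedStaticImports)`
Legacy alias for setAllowedStaticImports(List)

`setStaticStarImportsBlacklist(List<String> disallowedStaticStarImports)`
Legacy alias for setDisallowedStaticStarImports(List)

`setStaticStarImportsWhitelist(List<String> allowedStaticStarImports)`
Legacy alias for setAllowedStaticStarImports(List)

`setTokensBlacklist(List<Integer> disallowedTokens)`
Legacy alias for setDisallowedTokens(List).

`setTokensWhitelist(List<Integer> allowedTokens)`
Legacy alias for setAllowedTokens(List)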
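
The effect of setIndirectImportCheckEnabled described above, as an added example that is not Groovy project code: the same import allow list is applied to constructed scripts with the option off and on, so the fully qualified class name case can be compared directly. The allow list, the `policy` and `compiles` helpers and the sample scripts are assumptions of this example.

```groovy
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.MultipleCompilationErrorsException
import org.codehaus.groovy.control.customizers.SecureASTCustomizer

// Same import allow list each time; only the indirect check is toggled.
SecureASTCustomizer policy(boolean indirectCheck) {
    def secure = new SecureASTCustomizer()
    secure.allowedImports = ['java.math.BigInteger'] // assumed allow list for this example
    secure.indirectImportCheckEnabled = indirectCheck
    secure
}

// True when the source compiles under the policy; parse() compiles without running.
boolean compiles(SecureASTCustomizer secure, String source) {
    def config = new CompilerConfiguration()
    config.addCompilationCustomizers(secure)
    try {
        new GroovyShell(config).parse(source)
        return true
    } catch (MultipleCompilationErrorsException | SecurityException e) {
        return false
    }
}

// Constructed sample scripts.
def samples = [
    'import java.util.concurrent.atomic.AtomicInteger; new AtomicInteger(1)', // explicit import outside the allow list
    'new java.util.concurrent.atomic.AtomicInteger(1)',                       // same class via FQCN, no import statement
    'new java.math.BigInteger("42")',                                         // class on the allow list
]

samples.each { src ->
    println "check off: ${compiles(policy(false), src)}  check on: ${compiles(policy(true), src)}  ${src}"
}
```

With the option off, only import statements are matched against the import rules, which is why the second sample is the one whose result changes.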
Copyright © 2003-2026 The Apache Software Foundation. All rights reserved.