Class SecureASTCustomizer
- All Implemented Interfaces:
CompilationUnit.IPrimaryClassNodeOperation
Most of the security customization options found in this class work with either allowed or disallowed lists. This means that, for a single option, you can set an allowed list OR a disallowed list, but not both. You can mix allowed/disallowed strategies for different options. For example, you can have an allowed import list and a disallowed tokens list.
The recommended way of securing shells is to use allowed lists because it is guaranteed that future features of the Groovy language won't be accidentally allowed unless explicitly added to the allowed list. Using disallowed lists, you can limit the features of the language constructs supported by your shell by opting out, but new language features are then implicitly also available and this may not be desirable. The implication is that you might need to update your configuration with each new release.
If neither an allowed list nor a disallowed list is set, then everything is permitted.
Combinations of import and star import constraints are authorized as long as you use the same type of list for both. For example, you may use an import allowed list and a star import allowed list together, but you cannot use an import allowed list with a star import disallowed list. Static imports are handled separately, meaning that disallowing an import does not prevent you from allowing a static import.
Finally, if the features provided here are not sufficient, you may implement custom AST filtering handlers by implementing either the SecureASTCustomizer.StatementChecker interface or the SecureASTCustomizer.ExpressionChecker interface, then register your handlers with the addExpressionCheckers(ExpressionChecker...) and addStatementCheckers(StatementChecker...) methods.
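A custom expression checker for a rule the lists cannot express, as an added example (not code from the Groovy project): calls are permitted only on java.lang.Math and only for a fixed set of method names. The allowedCalls set, the rejected helper and the sample scripts are assumptions constructed for this illustration.

```groovy
import org.codehaus.groovy.ast.expr.ClassExpression
import org.codehaus.groovy.ast.expr.Expression
import org.codehaus.groovy.ast.expr.MethodCallExpression
import org.codehaus.groovy.ast.expr.MethodPointerExpression
import org.codehaus.groovy.ast.expr.StaticMethodCallExpression
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.MultipleCompilationErrorsException
import org.codehaus.groovy.control.customizers.SecureASTCustomizer
import org.codehaus.groovy.control.messages.ExceptionMessage

// Hypothetical policy for this example: only these Math methods may be called.
def allowedCalls = ['min', 'max', 'abs'] as Set
def mathClass = 'java.lang.Math'

def mathOnly = { Expression expr ->
    if (expr instanceof MethodCallExpression) {
        // getMethodAsString() returns null when the method name is not a
        // constant (it is computed at run time), so such calls are refused.
        def name = expr.methodAsString
        def receiver = expr.objectExpression
        return name != null && name in allowedCalls &&
                receiver instanceof ClassExpression && receiver.type.name == mathClass
    }
    if (expr instanceof StaticMethodCallExpression) {
        // Node type used for calls to statically imported methods.
        return expr.method in allowedCalls && expr.ownerType.name == mathClass
    }
    // A method pointer reaches a method without a call node that names it,
    // so it is refused as well; every other expression type is accepted.
    !(expr instanceof MethodPointerExpression)
} as SecureASTCustomizer.ExpressionChecker

def secure = new SecureASTCustomizer()
secure.addExpressionCheckers(mathOnly)
def config = new CompilerConfiguration()
config.addCompilationCustomizers(secure)

// True when compilation fails because a security rule refused the script.
// parse() only compiles; the script body is never executed.
def rejected = { String source ->
    try {
        new GroovyShell(config).parse(source)
        return false
    } catch (SecurityException e) {
        return true
    } catch (MultipleCompilationErrorsException e) {
        def refused = e.errorCollector.errors.any {
            it instanceof ExceptionMessage && it.cause instanceof SecurityException
        }
        if (refused) return true
        throw e // an ordinary compile error, not a policy decision
    }
}

// Constructed sample scripts paired with the verdict the policy should give.
def samples = [
    ['Math.max(1, 2) + Math.abs(-3)', false],
    ['Math.random()', true],                  // method not in allowedCalls
    ['System.currentTimeMillis()', true],     // receiver is not Math
    ['"abc".max()', true],                    // allowed name, wrong receiver
    ['Math.&max', true],                      // method pointer
    ['''Math."${'ma' + 'x'}"(1, 2)''', true]  // name not known at compile time
]
samples.each { source, expected -> assert rejected(source) == expected }
```

The checker fails closed: a call it cannot classify as an allowed Math call is refused, so a calling form the policy did not anticipate is rejected rather than accepted.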
Here is a usage example. We will create a Groovy class loader which only supports arithmetic operations and imports the java.lang.Math class by default.
    import org.codehaus.groovy.control.CompilerConfiguration
    import org.codehaus.groovy.control.customizers.ImportCustomizer
    import org.codehaus.groovy.control.customizers.SecureASTCustomizer
    import static org.codehaus.groovy.syntax.Types.* // token constants used in allowedTokens

    final ImportCustomizer imports = new ImportCustomizer().addStaticStars('java.lang.Math') // add static import of java.lang.Math
    final SecureASTCustomizer secure = new SecureASTCustomizer()
    secure.with {
        closuresAllowed = false
        methodDefinitionAllowed = false

        allowedImports = []
        allowedStaticImports = []
        allowedStaticStarImports = ['java.lang.Math'] // only java.lang.Math is allowed

        allowedTokens = [
            PLUS,
            MINUS,
            MULTIPLY,
            DIVIDE,
            REMAINDER,
            POWER,
            PLUS_PLUS,
            MINUS_MINUS,
            COMPARE_EQUAL,
            COMPARE_NOT_EQUAL,
            COMPARE_LESS_THAN,
            COMPARE_LESS_THAN_EQUAL,
            COMPARE_GREATER_THAN,
            COMPARE_GREATER_THAN_EQUAL,
        ].asImmutable()

        allowedConstantTypesClasses = [
            Integer,
            Float,
            Long,
            Double,
            BigDecimal,
            Integer.TYPE,
            Long.TYPE,
            Float.TYPE,
            Double.TYPE
        ].asImmutable()

        allowedReceiversClasses = [
            Math,
            Integer,
            Float,
            Double,
            Long,
            BigDecimal
        ].asImmutable()
    }
    CompilerConfiguration config = new CompilerConfiguration()
    config.addCompilationCustomizers(imports, secure)
    GroovyClassLoader loader = new GroovyClassLoader(this.class.classLoader, config)
Note: SecureASTCustomizer allows you to lock down the grammar of scripts, but by itself it isn't intended
to be a complete solution to all security issues when running scripts on the JVM. You might also want to
consider setting the groovy.grape.enable System property to false, augmenting use of the customizer
with additional techniques, and following standard security principles for JVM applications.
Accordingly, the Apache Groovy threat model
treats this customizer as a hardening aid rather than a security boundary (see its "security properties the
project does NOT provide" section): a report that merely demonstrates a bypass describes behaviour that is by design, not a vulnerability.
For more information, please read:
- Since:
- 1.8.0
-
Nested Class Summary
Nested Classes
Modifier and Type, Class, Description
- static interface SecureASTCustomizer.ExpressionChecker: This interface allows the user to provide a custom expression checker if the dis/allowed expression lists are not sufficient
- protected class SecureASTCustomizer.SecuringVisitor: This visitor directly implements the GroovyCodeVisitor interface instead of using the CodeVisitorSupport class to make sure that future features of the language gets managed by this visitor.
- static interface SecureASTCustomizer.StatementChecker: This interface allows the user to provide a custom statement checker if the dis/allowed statement lists are not sufficient
-
Constructor Summary
Constructors
Constructor, Description
- SecureASTCustomizer(): Creates a secure AST customizer that runs during canonicalization.
-
Method Summary
Modifier and Type, Method, Description
- void addExpressionCheckers(SecureASTCustomizer.ExpressionChecker... checkers): Adds expression checkers consulted in addition to the allow/disallow lists.
- void addStatementCheckers(SecureASTCustomizer.StatementChecker... checkers): Adds statement checkers consulted in addition to the allow/disallow lists.
- protected void assertImportIsAllowed(String className): Verifies that a regular import is allowed by the current configuration.
- protected void assertStarImportIsAllowed(String packageName): Verifies that a star import is allowed by the current configuration.
- protected void assertStaticImportIsAllowed(String member, String className): Verifies that a static import is allowed by the current configuration.
- void call(SourceUnit source, GeneratorContext context, ClassNode classNode): Verifies the configured security rules against the current source unit and class.
- protected void checkMethodDefinitionAllowed(ClassNode owner): Ensures the supplied class does not declare methods when such definitions are forbidden.
- protected GroovyCodeVisitor createGroovyCodeVisitor(): Creates the visitor that enforces statement and expression restrictions.
- protected static List<MethodNode> filterMethods(ClassNode owner): Returns the non-synthetic methods declared directly by the supplied class.
- List<String> getAllowedConstantTypes(): Returns the list of allowed constant or variable types.
- List<Class<? extends Expression>> getAllowedExpressions(): Returns the list of allowed expression node types.
- List<String> getAllowedImports(): Returns the list of explicitly allowed imports.
- List<String> getAllowedReceivers(): Returns the list of receiver types on which calls are allowed.
- List<String> getAllowedStarImports(): Returns the list of allowed star imports.
- List<Class<? extends Statement>> getAllowedStatements(): Returns the list of allowed statement node types.
- List<String> getAllowedStaticImports(): Returns the list of allowed static imports.
- List<String> getAllowedStaticStarImports(): Returns the list of allowed static star imports.
- List<Integer> getAllowedTokens(): Returns the list of allowed token types.
- List<String> getConstantTypesBlackList(): Deprecated.
- List<String> getConstantTypesWhiteList(): Deprecated.
- List<String> getDisallowedConstantTypes(): Returns the list of disallowed constant or variable types.
- List<Class<? extends Expression>> getDisallowedExpressions(): Returns the list of disallowed expression node types.
- List<String> getDisallowedImports(): Returns the list of explicitly disallowed imports.
- List<String> getDisallowedReceivers(): Returns the list of receiver types on which calls are disallowed.
- List<String> getDisallowedStarImports(): Returns the list of disallowed star imports.
- List<Class<? extends Statement>> getDisallowedStatements(): Returns the list of disallowed statement node types.
- List<String> getDisallowedStaticImports(): Returns the list of disallowed static imports.
- List<String> getDisallowedStaticStarImports(): Returns the list of disallowed static star imports.
- List<Integer> getDisallowedTokens(): Returns the list of disallowed token types.
- List<Class<? extends Expression>> getExpressionsBlacklist(): Deprecated.
- List<Class<? extends Expression>> getExpressionsWhitelist(): Deprecated.
- List<String> getImportsBlacklist(): Deprecated.
- List<String> getImportsWhitelist(): Deprecated.
- List<String> getReceiversBlackList(): Deprecated.
- List<String> getReceiversWhiteList(): Deprecated.
- List<String> getStarImportsBlacklist(): Deprecated.
- List<String> getStarImportsWhitelist(): Deprecated.
- List<Class<? extends Statement>> getStatementsBlacklist(): Deprecated.
- List<Class<? extends Statement>> getStatementsWhitelist(): Deprecated.
- List<String> getStaticImportsBlacklist(): Deprecated.
- List<String> getStaticImportsWhitelist(): Deprecated.
- List<String> getStaticStarImportsBlacklist(): Deprecated.
- List<String> getStaticStarImportsWhitelist(): Deprecated.
- List<Integer> getTokensBlacklist(): Deprecated.
- List<Integer> getTokensWhitelist(): Deprecated.
- boolean isClosuresAllowed(): Indicates whether closures are allowed.
- boolean isIndirectImportCheckEnabled(): Indicates whether indirect import checks are enabled.
- boolean isMethodDefinitionAllowed(): Indicates whether explicit method definitions are allowed.
- boolean isPackageAllowed(): Indicates whether package declarations are allowed.
- void setAllowedConstantTypes(List<String> allowedConstantTypes): Sets the list of allowed constant or variable types.
- void setAllowedConstantTypesClasses(List<Class> allowedConstantTypes): An alternative way of setting constant types.
- void setAllowedExpressions(List<Class<? extends Expression>> allowedExpressions): Sets the list of allowed expression node types.
- void setAllowedImports(List<String> allowedImports): Sets the list of explicitly allowed imports.
- void setAllowedReceivers(List<String> allowedReceivers): Sets the list of classes which may accept method calls.
- void setAllowedReceiversClasses(List<Class> allowedReceivers): An alternative way of setting receiver classes.
- void setAllowedStarImports(List<String> allowedStarImports): Sets the list of allowed star imports.
- void setAllowedStatements(List<Class<? extends Statement>> allowedStatements): Sets the list of allowed statement node types.
- void setAllowedStaticImports(List<String> allowedStaticImports): Sets the list of allowed static imports.
- void setAllowedStaticStarImports(List<String> allowedStaticStarImports): Sets the list of allowed static star imports.
- void setAllowedTokens(List<Integer> allowedTokens): Sets the list of tokens which are permitted.
- void setClosuresAllowed(boolean closuresAllowed): Sets whether closures are allowed.
- void setConstantTypesBlackList(List<String> constantTypesBlackList): Sets the list of disallowed constant or variable types.
- void setConstantTypesClassesBlackList(List<Class> disallowedConstantTypes): Deprecated.
- void setConstantTypesClassesWhiteList(List<Class> allowedConstantTypes): Deprecated.
- void setConstantTypesWhiteList(List<String> allowedConstantTypes): Deprecated.
- void setDisallowedConstantTypesClasses(List<Class> disallowedConstantTypes): An alternative way of setting constant types.
- void setDisallowedExpressions(List<Class<? extends Expression>> disallowedExpressions): Sets the list of disallowed expression node types.
- void setDisallowedImports(List<String> disallowedImports): Sets the list of explicitly disallowed imports.
- void setDisallowedReceivers(List<String> disallowedReceivers): Sets the list of classes which deny method calls.
- void setDisallowedReceiversClasses(List<Class> disallowedReceivers): An alternative way of setting receiver classes.
- void setDisallowedStarImports(List<String> disallowedStarImports): Sets the list of disallowed star imports.
- void setDisallowedStatements(List<Class<? extends Statement>> disallowedStatements): Sets the list of disallowed statement node types.
- void setDisallowedStaticImports(List<String> disallowedStaticImports): Sets the list of disallowed static imports.
- void setDisallowedStaticStarImports(List<String> disallowedStaticStarImports): Sets the list of disallowed static star imports.
- void setDisallowedTokens(List<Integer> disallowedTokens): Sets the list of tokens which are not permitted.
- void setExpressionsBlacklist(List<Class<? extends Expression>> disallowedExpressions): Deprecated.
- void setExpressionsWhitelist(List<Class<? extends Expression>> allowedExpressions): Deprecated.
- void setImportsBlacklist(List<String> disallowedImports): Deprecated.
- void setImportsWhitelist(List<String> allowedImports): Deprecated.
- void setIndirectImportCheckEnabled(boolean indirectImportCheckEnabled): Set this option to true if you want your import rules to be checked against every class node.
- void setMethodDefinitionAllowed(boolean methodDefinitionAllowed): Sets whether explicit method definitions are allowed.
- void setPackageAllowed(boolean packageAllowed): Sets whether package declarations are allowed.
- void setReceiversBlackList(List<String> disallowedReceivers): Deprecated.
- void setReceiversClassesBlackList(List<Class> disallowedReceivers): Deprecated.
- void setReceiversClassesWhiteList(List<Class> allowedReceivers): Deprecated.
- void setReceiversWhiteList(List<String> allowedReceivers): Deprecated.
- void setStarImportsBlacklist(List<String> disallowedStarImports): Deprecated.
- void setStarImportsWhitelist(List<String> allowedStarImports): Deprecated.
- void setStatementsBlacklist(List<Class<? extends Statement>> disallowedStatements): Deprecated.
- void setStatementsWhitelist(List<Class<? extends Statement>> allowedStatements): Deprecated.
- void setStaticImportsBlacklist(List<String> disallowedStaticImports): Deprecated.
- void setStaticImportsWhitelist(List<String> allowedStaticImports): Deprecated.
- void setStaticStarImportsBlacklist(List<String> disallowedStaticStarImports): Deprecated.
- void setStaticStarImportsWhitelist(List<String> allowedStaticStarImports): Deprecated.
- void setTokensBlacklist(List<Integer> disallowedTokens): Deprecated.
- void setTokensWhitelist(List<Integer> allowedTokens): Deprecated.
Methods inherited from class org.codehaus.groovy.control.customizers.CompilationCustomizer
getPhase
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.codehaus.groovy.control.CompilationUnit.IPrimaryClassNodeOperation
doPhaseOperation, needSortedInput
-
Constructor Details
-
SecureASTCustomizer
public SecureASTCustomizer()
Creates a secure AST customizer that runs during canonicalization.
-
-
Method Details
-
isMethodDefinitionAllowed
public boolean isMethodDefinitionAllowed()
Indicates whether explicit method definitions are allowed.
- Returns:
true if method definitions are allowed
-
setMethodDefinitionAllowed
public void setMethodDefinitionAllowed(boolean methodDefinitionAllowed)
Sets whether explicit method definitions are allowed.
- Parameters:
methodDefinitionAllowed - true to allow method definitions
-
isPackageAllowed
public boolean isPackageAllowed()
Indicates whether package declarations are allowed.
- Returns:
true if package declarations are allowed
-
isClosuresAllowed
public boolean isClosuresAllowed()
Indicates whether closures are allowed.
- Returns:
true if closures are allowed
-
setClosuresAllowed
public void setClosuresAllowed(boolean closuresAllowed)
Sets whether closures are allowed.
- Parameters:
closuresAllowed - true to allow closures
-
setPackageAllowed
public void setPackageAllowed(boolean packageAllowed)
Sets whether package declarations are allowed.
- Parameters:
packageAllowed - true to allow package declarations
-
getDisallowedImports
Returns the list of explicitly disallowed imports.
- Returns:
the disallowed imports, or null
-
getImportsBlacklist
Deprecated. Legacy alias for getDisallowedImports()
-
setDisallowedImports
Sets the list of explicitly disallowed imports.
- Parameters:
disallowedImports - the imports to reject
-
setImportsBlacklist
Deprecated. Legacy alias for setDisallowedImports(List)
-
getAllowedImports
Returns the list of explicitly allowed imports.
- Returns:
the allowed imports, or null
-
getImportsWhitelist
Deprecated. Legacy alias for getAllowedImports()
-
setAllowedImports
Sets the list of explicitly allowed imports.
- Parameters:
allowedImports - the imports to allow
-
setImportsWhitelist
Deprecated. Legacy alias for setAllowedImports(List)
-
getDisallowedStarImports
Returns the list of disallowed star imports.
- Returns:
the disallowed star imports, or null
-
getStarImportsBlacklist
Deprecated. Legacy alias for getDisallowedStarImports()
-
setDisallowedStarImports
Sets the list of disallowed star imports.
- Parameters:
disallowedStarImports - the star imports to reject
-
setStarImportsBlacklist
Deprecated. Legacy alias for setDisallowedStarImports(List)
-
getAllowedStarImports
Returns the list of allowed star imports.
- Returns:
the allowed star imports, or null
-
getStarImportsWhitelist
Deprecated. Legacy alias for getAllowedStarImports()
-
setAllowedStarImports
Sets the list of allowed star imports.
- Parameters:
allowedStarImports - the star imports to allow
-
setStarImportsWhitelist
Deprecated. Legacy alias for setAllowedStarImports(List)
-
getDisallowedStaticImports
Returns the list of disallowed static imports.
- Returns:
the disallowed static imports, or null
-
getStaticImportsBlacklist
Deprecated. Legacy alias for getDisallowedStaticImports()
-
setDisallowedStaticImports
Sets the list of disallowed static imports.
- Parameters:
disallowedStaticImports - the static imports to reject
-
setStaticImportsBlacklist
Deprecated. Legacy alias for setDisallowedStaticImports(List)
-
getAllowedStaticImports
Returns the list of allowed static imports.
- Returns:
the allowed static imports, or null
-
getStaticImportsWhitelist
Deprecated. Legacy alias for getAllowedStaticImports()
-
setAllowedStaticImports
Sets the list of allowed static imports.
- Parameters:
allowedStaticImports - the static imports to allow
-
setStaticImportsWhitelist
Deprecated. Legacy alias for setAllowedStaticImports(List)
-
getDisallowedStaticStarImports
Returns the list of disallowed static star imports.
- Returns:
the disallowed static star imports, or null
-
getStaticStarImportsBlacklist
Deprecated. Legacy alias for getDisallowedStaticStarImports()
-
setDisallowedStaticStarImports
Sets the list of disallowed static star imports.
- Parameters:
disallowedStaticStarImports - the static star imports to reject
-
setStaticStarImportsBlacklist
Deprecated. Legacy alias for setDisallowedStaticStarImports(List)
-
getAllowedStaticStarImports
Returns the list of allowed static star imports.
- Returns:
the allowed static star imports, or null
-
getStaticStarImportsWhitelist
Deprecated. Legacy alias for getAllowedStaticStarImports()
-
setAllowedStaticStarImports
Sets the list of allowed static star imports.
- Parameters:
allowedStaticStarImports - the static star imports to allow
-
setStaticStarImportsWhitelist
Deprecated. Legacy alias for setAllowedStaticStarImports(List)
-
getDisallowedExpressions
Returns the list of disallowed expression node types.
- Returns:
the disallowed expression types, or null
-
getExpressionsBlacklist
Deprecated. Legacy alias for getDisallowedExpressions()
-
setDisallowedExpressions
Sets the list of disallowed expression node types.
- Parameters:
disallowedExpressions - the expression types to reject
-
setExpressionsBlacklist
@Deprecated public void setExpressionsBlacklist(List<Class<? extends Expression>> disallowedExpressions)
Deprecated. Legacy alias for setDisallowedExpressions(List)
-
getAllowedExpressions
Returns the list of allowed expression node types.
- Returns:
the allowed expression types, or null
-
getExpressionsWhitelist
Deprecated. Legacy alias for getAllowedExpressions()
-
setAllowedExpressions
Sets the list of allowed expression node types.
- Parameters:
allowedExpressions - the expression types to allow
-
setExpressionsWhitelist
@Deprecated public void setExpressionsWhitelist(List<Class<? extends Expression>> allowedExpressions)
Deprecated. Legacy alias for setAllowedExpressions(List)
-
getDisallowedStatements
Returns the list of disallowed statement node types.
- Returns:
the disallowed statement types, or null
-
getStatementsBlacklist
Deprecated. Legacy alias for getDisallowedStatements()
-
setDisallowedStatements
Sets the list of disallowed statement node types.
- Parameters:
disallowedStatements - the statement types to reject
-
setStatementsBlacklist
@Deprecated public void setStatementsBlacklist(List<Class<? extends Statement>> disallowedStatements)
Deprecated. Legacy alias for setDisallowedStatements(List)
-
getAllowedStatements
Returns the list of allowed statement node types.
- Returns:
the allowed statement types, or null
-
getStatementsWhitelist
Deprecated. Legacy alias for getAllowedStatements()
-
setAllowedStatements
Sets the list of allowed statement node types.
- Parameters:
allowedStatements - the statement types to allow
-
setStatementsWhitelist
Deprecated. Legacy alias for setAllowedStatements(List)
-
isIndirectImportCheckEnabled
public boolean isIndirectImportCheckEnabled()
Indicates whether indirect import checks are enabled.
- Returns:
true if indirect import checks are enabled
-
setIndirectImportCheckEnabled
public void setIndirectImportCheckEnabled(boolean indirectImportCheckEnabled)
Set this option to true if you want your import rules to be checked against every class node. This means that if someone uses a fully qualified class name, then it will also be checked against the import rules, preventing, for example, instantiation of classes without imports thanks to FQCN.
- Parameters:
indirectImportCheckEnabled - set to true to enable indirect checks
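The difference this flag makes, as an added example (not code from the Groovy project): the same allowed import list is compiled against three constructed scripts, once with the flag off and once with it on. The configWith and rejected helpers and the choice of ArrayList and LinkedList are assumptions made for this illustration.

```groovy
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.MultipleCompilationErrorsException
import org.codehaus.groovy.control.customizers.SecureASTCustomizer
import org.codehaus.groovy.control.messages.ExceptionMessage

// Same allowed import list in both configurations; only the flag differs.
def configWith = { boolean indirectCheck ->
    def secure = new SecureASTCustomizer()
    secure.allowedImports = ['java.util.ArrayList']
    secure.indirectImportCheckEnabled = indirectCheck
    def config = new CompilerConfiguration()
    config.addCompilationCustomizers(secure)
    config
}

// True when compilation fails because a security rule refused the script.
// parse() only compiles; the script body is never executed.
def rejected = { CompilerConfiguration config, String source ->
    try {
        new GroovyShell(config).parse(source)
        return false
    } catch (SecurityException e) {
        return true
    } catch (MultipleCompilationErrorsException e) {
        def refused = e.errorCollector.errors.any {
            it instanceof ExceptionMessage && it.cause instanceof SecurityException
        }
        if (refused) return true
        throw e // an ordinary compile error, not a policy decision
    }
}

// Constructed sample scripts.
def viaImport   = 'import java.util.LinkedList\nnew LinkedList()'
def viaFqcn     = 'new java.util.LinkedList()'
def allowedFqcn = 'new java.util.ArrayList()'

def listOnly  = configWith(false)   // import rules apply to import statements only
def everyNode = configWith(true)    // import rules also apply to class nodes

// An import statement outside the allowed list is refused either way.
assert rejected(listOnly, viaImport)
assert rejected(everyNode, viaImport)

// With the flag off, a fully qualified name is never compared with the list.
assert !rejected(listOnly, viaFqcn)

// With the flag on, the fully qualified name is checked like an import,
// and a class that is on the allowed list still compiles.
assert rejected(everyNode, viaFqcn)
assert !rejected(everyNode, allowedFqcn)
```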
-
getDisallowedTokens
Returns the list of disallowed token types.
- Returns:
the disallowed token types, or null
-
getTokensBlacklist
Deprecated. Legacy alias for getDisallowedTokens()
-
setDisallowedTokens
Sets the list of tokens which are not permitted.
- Parameters:
disallowedTokens - the tokens. The values of the tokens must be those of Types
-
setTokensBlacklist
Deprecated. Legacy alias for setDisallowedTokens(List).
-
getAllowedTokens
Returns the list of allowed token types.
- Returns:
the allowed token types, or null
-
getTokensWhitelist
Deprecated. Legacy alias for getAllowedTokens()
-
setAllowedTokens
Sets the list of tokens which are permitted.
- Parameters:
allowedTokens - the tokens. The values of the tokens must be those of Types
-
setTokensWhitelist
Deprecated. Legacy alias for setAllowedTokens(List)
-
addStatementCheckers
Adds statement checkers consulted in addition to the allow/disallow lists.
- Parameters:
checkers - the statement checkers to add
-
addExpressionCheckers
Adds expression checkers consulted in addition to the allow/disallow lists.
- Parameters:
checkers - the expression checkers to add
-
getDisallowedConstantTypes
Returns the list of disallowed constant or variable types.
- Returns:
the disallowed constant types, or null
-
getConstantTypesBlackList
Deprecated. Legacy alias for getDisallowedConstantTypes()
-
setConstantTypesBlackList
Sets the list of disallowed constant or variable types.
- Parameters:
constantTypesBlackList - the type names to reject
-
getAllowedConstantTypes
Returns the list of allowed constant or variable types.
- Returns:
the allowed constant types, or null
-
getConstantTypesWhiteList
Deprecated. Legacy alias for getAllowedStatements()
-
setAllowedConstantTypes
Sets the list of allowed constant or variable types.
- Parameters:
allowedConstantTypes - the type names to allow
-
setConstantTypesWhiteList
Deprecated. Legacy alias for setAllowedConstantTypes(List)
-
setAllowedConstantTypesClasses
An alternative way of setting constant types.
- Parameters:
allowedConstantTypes - a list of classes.
-
setConstantTypesClassesWhiteList
Deprecated. Legacy alias for setAllowedConstantTypesClasses(List)
-
setDisallowedConstantTypesClasses
An alternative way of setting constant types.
- Parameters:
disallowedConstantTypes - a list of classes.
-
setConstantTypesClassesBlackList
Deprecated. Legacy alias for setDisallowedConstantTypesClasses(List)
-
getDisallowedReceivers
Returns the list of receiver types on which calls are disallowed.
- Returns:
the disallowed receiver types, or null
-
getReceiversBlackList
Deprecated. Legacy alias for getDisallowedReceivers()
-
setDisallowedReceivers
Sets the list of classes which deny method calls. Please note that since Groovy is a dynamic language, and this class performs a static type check, it will be relatively simple to bypass any disallowed list unless the disallowed receivers list contains, at a minimum, Object, Script, GroovyShell, and Eval. Additionally, it is necessary to also have MethodPointerExpression in the disallowed expressions list for the disallowed receivers list to function as a security check.
- Parameters:
disallowedReceivers - the list of refused classes, as fully qualified names
-
setReceiversBlackList
Deprecated. Legacy alias for setDisallowedReceivers(List)
-
setDisallowedReceiversClasses
An alternative way of setting receiver classes.
- Parameters:
disallowedReceivers - a list of classes.
-
setReceiversClassesBlackList
Deprecated. Legacy alias for setDisallowedReceiversClasses(List).
-
getAllowedReceivers
Returns the list of receiver types on which calls are allowed.
- Returns:
the allowed receiver types, or null
-
getReceiversWhiteList
Deprecated. Legacy alias for getAllowedReceivers()
-
setAllowedReceivers
Sets the list of classes which may accept method calls.
- Parameters:
allowedReceivers - the list of accepted classes, as fully qualified names
-
setReceiversWhiteList
Deprecated. Legacy alias for setAllowedReceivers(List)
-
setAllowedReceiversClasses
An alternative way of setting receiver classes.
- Parameters:
allowedReceivers - a list of classes.
-
setReceiversClassesWhiteList
Deprecated. Legacy alias for setAllowedReceiversClasses(List)
-
call
public void call(SourceUnit source, GeneratorContext context, ClassNode classNode) throws CompilationFailedException
Verifies the configured security rules against the current source unit and class.
- Parameters:
source - the source unit being customized
context - the current generator context
classNode - the class node being customized
- Throws:
CompilationFailedException - if verification fails
-
createGroovyCodeVisitor
Creates the visitor that enforces statement and expression restrictions.
- Returns:
the security-checking visitor
-
checkMethodDefinitionAllowed
Ensures the supplied class does not declare methods when such definitions are forbidden.
- Parameters:
owner - the class to inspect
-
filterMethods
Returns the non-synthetic methods declared directly by the supplied class.
- Parameters:
owner - the class to inspect
- Returns:
the directly declared, non-synthetic methods
-
assertStarImportIsAllowed
Verifies that a star import is allowed by the current configuration.
- Parameters:
packageName - the star import to check
-
assertImportIsAllowed
Verifies that a regular import is allowed by the current configuration.
- Parameters:
className - the imported class name
-
assertStaticImportIsAllowed
Verifies that a static import is allowed by the current configuration.
- Parameters:
member - the imported member name
className - the declaring class name
-