
1    /*
2    * See the NOTICE file distributed with this work for additional
3    * information regarding copyright ownership.
4    *
5    * This is free software; you can redistribute it and/or modify it
6    * under the terms of the GNU Lesser General Public License as
7    * published by the Free Software Foundation; either version 2.1 of
8    * the License, or (at your option) any later version.
9    *
10    * This software is distributed in the hope that it will be useful,
11    * but WITHOUT ANY WARRANTY; without even the implied warranty of
12    * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13    * Lesser General Public License for more details.
14    *
15    * You should have received a copy of the GNU Lesser General Public
16    * License along with this software; if not, write to the Free
17    * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
18    * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
19    */
20    package org.xwiki.groovy.internal;
21   
22    import java.util.Arrays;
23    import java.util.Collections;
24   
25    import javax.inject.Inject;
26    import javax.inject.Named;
27    import javax.inject.Singleton;
28   
29    import org.codehaus.groovy.ast.expr.Expression;
30    import org.codehaus.groovy.ast.stmt.SynchronizedStatement;
31    import org.codehaus.groovy.classgen.BytecodeExpression;
32    import org.codehaus.groovy.classgen.BytecodeSequence;
33    import org.codehaus.groovy.control.customizers.CompilationCustomizer;
34    import org.codehaus.groovy.control.customizers.SecureASTCustomizer;
35    import org.xwiki.component.annotation.Component;
36    import org.xwiki.groovy.GroovyCompilationCustomizer;
37    import org.xwiki.security.authorization.ContextualAuthorizationManager;
38    import org.xwiki.security.authorization.Right;
39   
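/**
 * Provides a sandbox environment for running Groovy scripts in a safe way: when the current context does not hold
 * Programming Rights, the returned {@link SecureASTCustomizer} is configured to reject practically every construct at
 * compile time (imports, method calls, operators, method and package definitions, raw bytecode AST nodes and
 * {@code synchronized} blocks). When the context does hold Programming Rights no customizer is returned at all.
 * <p>
 * This is a purely static, AST-level filter run by the Groovy compiler; it is not a runtime sandbox. Only the node
 * kinds configured below are inspected, so anything the compiler does not model as one of them is not covered.
 *
 * @version $Id: 5a2401dba1c2fbcddaf167a8dda4e363d8ed06f5 $
 * @since 4.1M1
 */
@Component
@Named("secure")
@Singleton
public class SecureGroovyCompilationCustomizer implements GroovyCompilationCustomizer
{
    /**
     * Used to check for Programming Rights; if the current context has Programming Rights then no restriction is
     * applied at all (the script is treated as trusted).
     */
    @Inject
    private ContextualAuthorizationManager authorizationManager;

    /**
     * {@inheritDoc}
     * <p>
     * The rights check runs on every call, against the current context, so the sandbox decision reflects the
     * context in place at script compilation time.
     *
     * @return a fully locked-down {@link SecureASTCustomizer} when the context lacks {@link Right#PROGRAM}, or
     *         {@code null} when it has it (callers must treat {@code null} as "nothing to apply")
     */
    @Override
    public CompilationCustomizer createCustomizer()
    {
        // Trusted context: no sandbox at all.
        if (this.authorizationManager.hasAccess(Right.PROGRAM)) {
            return null;
        }

        SecureASTCustomizer secureCustomizer = new SecureASTCustomizer();

        // Imports: an empty whitelist is intended to reject every import of that kind. All four kinds are set
        // explicitly (plain, star, static, static star) so none is left at its unrestricted default. The previous
        // version set the static star whitelist twice and never set the static (non-star) one.
        secureCustomizer.setImportsWhitelist(Collections.<String>emptyList());
        secureCustomizer.setStarImportsWhitelist(Collections.<String>emptyList());
        secureCustomizer.setStaticImportsWhitelist(Collections.<String>emptyList());
        secureCustomizer.setStaticStarImportsWhitelist(Collections.<String>emptyList());

        // No user-defined methods and no package declarations.
        secureCustomizer.setMethodDefinitionAllowed(false);
        secureCustomizer.setPackageAllowed(false);

        // Method calls: both the class and the name form of the receiver whitelist are emptied, the intent being
        // that no receiver type is permitted.
        secureCustomizer.setReceiversClassesWhiteList(Collections.<Class>emptyList());
        secureCustomizer.setReceiversWhiteList(Collections.<String>emptyList());

        // Operators: an empty token whitelist is intended to reject every operator token.
        secureCustomizer.setTokensWhitelist(Collections.<Integer>emptyList());

        // Note: no whitelist on Constants because that's not dangerous
        // TODO: Check if it's really not dangerous!
        //secureCustomizer.setConstantTypesClassesWhiteList(Collections.<Class>emptyList());
        //secureCustomizer.setConstantTypesWhiteList(Collections.<String>emptyList());

        // Only remove the dangerous Expressions: BytecodeExpression would let a script emit raw bytecode.
        // NOTE(review): constructor calls and property accesses are not covered by the receiver whitelist above
        // (it applies to method calls) -- confirm against the Groovy version in use whether those expression types
        // need to be blacklisted here as well for this threat model.
        secureCustomizer.setExpressionsBlacklist(Arrays.<Class<? extends Expression>>asList(
            BytecodeExpression.class
        ));

        // Only remove the dangerous Statements: raw bytecode sequences, and synchronized blocks (presumably because
        // a script could otherwise take locks on shared objects).
        secureCustomizer.setStatementsBlacklist(Arrays.asList(
            BytecodeSequence.class,
            SynchronizedStatement.class
        ));

        return secureCustomizer;
    }
}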