package org.xwiki.groovy.internal; |
import java.util.Arrays; |
import java.util.Collections; |
import javax.inject.Inject; |
import javax.inject.Named; |
import javax.inject.Singleton; |
import org.codehaus.groovy.ast.expr.Expression; |
import org.codehaus.groovy.ast.stmt.SynchronizedStatement; |
import org.codehaus.groovy.classgen.BytecodeExpression; |
import org.codehaus.groovy.classgen.BytecodeSequence; |
import org.codehaus.groovy.control.customizers.CompilationCustomizer; |
import org.codehaus.groovy.control.customizers.SecureASTCustomizer; |
import org.xwiki.component.annotation.Component; |
import org.xwiki.groovy.GroovyCompilationCustomizer; |
import org.xwiki.security.authorization.ContextualAuthorizationManager; |
import org.xwiki.security.authorization.Right; |
@version |
@since |
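/**
 * Groovy compilation customizer registered under the {@code secure} hint.
 * <p>
 * When the current context lacks {@link Right#PROGRAM}, it supplies a {@link SecureASTCustomizer} configured to
 * reject imports, method definitions, package declarations, every receiver and every token, plus the bytecode and
 * {@code synchronized} AST nodes listed below. When the right is granted, no customizer is returned and compilation
 * is left unrestricted.
 * <p>
 * NOTE(review): {@link SecureASTCustomizer} filters the AST at compile time only. It should be treated as one layer
 * of defense and not as a complete runtime sandbox for untrusted scripts.
 */
@Component
@Named("secure")
@Singleton
public class SecureGroovyCompilationCustomizer implements GroovyCompilationCustomizer
{
    /**
     * Used to check whether the current context has Programming Rights.
     */
    @Inject
    private ContextualAuthorizationManager authorizationManager;

    /**
     * Builds the customizer to apply to Groovy compilation for the current context.
     *
     * @return a restrictive {@link SecureASTCustomizer} when {@link Right#PROGRAM} is not granted, or {@code null}
     *         when it is granted (callers must treat {@code null} as "no restriction to add")
     */
    @Override
    public CompilationCustomizer createCustomizer()
    {
        // Programming Rights means the script author is trusted: no restriction is added.
        if (this.authorizationManager.hasAccess(Right.PROGRAM)) {
            return null;
        }

        SecureASTCustomizer secureCustomizer = new SecureASTCustomizer();

        // An empty (non-null) whitelist permits nothing. All four import flavours must be covered: a whitelist
        // left at its default (null) is simply not enforced.
        secureCustomizer.setStarImportsWhitelist(Collections.<String>emptyList());
        secureCustomizer.setStaticStarImportsWhitelist(Collections.<String>emptyList());
        secureCustomizer.setImportsWhitelist(Collections.<String>emptyList());
        // Fix: the original called setStaticStarImportsWhitelist() a second time here, so plain static imports
        // were never restricted by this customizer.
        secureCustomizer.setStaticImportsWhitelist(Collections.<String>emptyList());

        secureCustomizer.setMethodDefinitionAllowed(false);
        // No receiver (by class or by name) is allowed for method calls.
        secureCustomizer.setReceiversClassesWhiteList(Collections.<Class>emptyList());
        secureCustomizer.setReceiversWhiteList(Collections.<String>emptyList());
        // No token is allowed.
        secureCustomizer.setTokensWhitelist(Collections.<Integer>emptyList());
        secureCustomizer.setPackageAllowed(false);

        // Reject AST nodes that carry raw bytecode.
        secureCustomizer.setExpressionsBlacklist(Arrays.<Class<? extends Expression>>asList(
            BytecodeExpression.class
        ));

        // Reject raw bytecode sequences and synchronized blocks.
        secureCustomizer.setStatementsBlacklist(Arrays.asList(
            BytecodeSequence.class,
            SynchronizedStatement.class
        ));

        return secureCustomizer;
    }
}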