From 4dc060527cd7d35817085a3926e65d071e3b1321 Mon Sep 17 00:00:00 2001 From: Lee Hinman Date: Wed, 13 Aug 2014 10:39:42 +0200 Subject: [PATCH] Add GroovyCollections to the sandbox whitelist Also clarify in the docs that changing the whitelist/blacklist settings replace the list, they don't add to it. Fixes #7089 Fixes #7088 --- docs/reference/modules/scripting.asciidoc | 3 +++ .../script/groovy/GroovySandboxExpressionChecker.java | 1 + .../org/elasticsearch/script/GroovySandboxScriptTests.java | 2 ++ 3 files changed, 6 insertions(+) diff --git a/docs/reference/modules/scripting.asciidoc b/docs/reference/modules/scripting.asciidoc index 2533a402c9f..38a668cef1f 100644 --- a/docs/reference/modules/scripting.asciidoc +++ b/docs/reference/modules/scripting.asciidoc @@ -233,6 +233,9 @@ that can be used for configuring this sandbox: Flag to disable the sandbox (defaults to `true` meaning the sandbox is enabled). +When specifying whitelist or blacklist settings for the groovy sandbox, all +options replace the current whitelist, they are not additive. + [float] === Automatic Script Reloading diff --git a/src/main/java/org/elasticsearch/script/groovy/GroovySandboxExpressionChecker.java b/src/main/java/org/elasticsearch/script/groovy/GroovySandboxExpressionChecker.java index e76dae1802e..61bbb492cbe 100644 --- a/src/main/java/org/elasticsearch/script/groovy/GroovySandboxExpressionChecker.java +++ b/src/main/java/org/elasticsearch/script/groovy/GroovySandboxExpressionChecker.java @@ -88,6 +88,7 @@ public class GroovySandboxExpressionChecker implements SecureASTCustomizer.Expre // Default whitelisted receiver classes for the Groovy sandbox private final static String[] defaultReceiverWhitelist = new String [] { + groovy.util.GroovyCollections.class.getName(), java.lang.Math.class.getName(), java.lang.Integer.class.getName(), "[I", "[[I", "[[[I", java.lang.Float.class.getName(), "[F", "[[F", "[[[F", 
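Review bot: The new `groovy.util.GroovyCollections.class.getName()` entry in `defaultReceiverWhitelist` allows the whole class as a receiver, which as far as this hunk shows admits every static method on it, not only the `max` call that the accompanying test exercises. That includes `combinations` and `subsequences`, whose result size grows multiplicatively or exponentially with the input, and nothing visible here bounds what a sandboxed script may allocate through them. If only the aggregate helpers (`min`/`max`/`sum`) are intended, it is worth confirming whether the checker's method-level filtering (not shown in this hunk) can exclude the others. Either way, record the intent next to the entry, e.g. `// static collection helpers; note combinations/subsequences can return very large results`. The array initialiser continues past the end of the hunk.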
diff --git a/src/test/java/org/elasticsearch/script/GroovySandboxScriptTests.java b/src/test/java/org/elasticsearch/script/GroovySandboxScriptTests.java index 68a90420a8b..a5ab247fd85 100644 --- a/src/test/java/org/elasticsearch/script/GroovySandboxScriptTests.java +++ b/src/test/java/org/elasticsearch/script/GroovySandboxScriptTests.java @@ -47,6 +47,8 @@ public class GroovySandboxScriptTests extends ElasticsearchIntegrationTest { testSuccess("def v = doc['foo'].value; def m = [:]; m.put(\\\"value\\\", v)"); // Times testSuccess("def t = Instant.now().getMillis()"); + // GroovyCollections + testSuccess("def n = [1,2,3]; GroovyCollections.max(n)"); // Fail cases testFailure("pr = Runtime.getRuntime().exec(\\\"touch /tmp/gotcha\\\"); pr.waitFor()",
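Review bot: The added `testSuccess` case names the class unqualified, so it exercises only the form that relies on Groovy's default import of `groovy.util.*`, while the whitelist stores the fully qualified class name. A second case such as `testSuccess("def n = [1,2,3]; groovy.util.GroovyCollections.max(n)");` would pin that the checker matches on the resolved class rather than on how the script spells it; how the checker resolves receiver names is not visible on this page, so this is a coverage gap rather than a known failure. The enclosing test method starts and ends outside the hunk.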