Add GroovyCollections to the sandbox whitelist
Also clarify in the docs that changing the whitelist/blacklist settings replaces the list rather than adding to it. Fixes #7089 Fixes #7088
parent
089658a36f
commit
4dc060527c
|
@ -233,6 +233,9 @@ that can be used for configuring this sandbox:
|
||||||
Flag to disable the sandbox (defaults to `true` meaning the sandbox is
|
Flag to disable the sandbox (defaults to `true` meaning the sandbox is
|
||||||
enabled).
|
enabled).
|
||||||
|
|
||||||
|
When specifying whitelist or blacklist settings for the groovy sandbox, all
|
||||||
|
options replace the current whitelist, they are not additive.
|
||||||
|
|
||||||
[float]
|
[float]
|
||||||
=== Automatic Script Reloading
|
=== Automatic Script Reloading
|
||||||
|
|
||||||
|
|
|
@ -88,6 +88,7 @@ public class GroovySandboxExpressionChecker implements SecureASTCustomizer.Expre
|
||||||
|
|
||||||
// Default whitelisted receiver classes for the Groovy sandbox
|
// Default whitelisted receiver classes for the Groovy sandbox
|
||||||
private final static String[] defaultReceiverWhitelist = new String [] {
|
private final static String[] defaultReceiverWhitelist = new String [] {
|
||||||
|
groovy.util.GroovyCollections.class.getName(),
|
||||||
java.lang.Math.class.getName(),
|
java.lang.Math.class.getName(),
|
||||||
java.lang.Integer.class.getName(), "[I", "[[I", "[[[I",
|
java.lang.Integer.class.getName(), "[I", "[[I", "[[[I",
|
||||||
java.lang.Float.class.getName(), "[F", "[[F", "[[[F",
|
java.lang.Float.class.getName(), "[F", "[[F", "[[[F",
|
||||||
|
|
|
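Review bot: The new `groovy.util.GroovyCollections.class.getName()` entry in `defaultReceiverWhitelist` admits the class as a receiver, so as far as this hunk shows every static method on it becomes callable from sandboxed scripts, not only `max`. That includes `combinations` and `subsequences`, whose output grows combinatorially with input size, which matters for resource limits if scripts come from untrusted users; whether a method-level check elsewhere in the checker narrows this is not visible here. I would add a comment on the entry such as `// receiver-level grant: exposes all GroovyCollections statics (min/max/sum/combinations/...)` and confirm that the full exposure is intended. The array initializer continues outside the hunk.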
@ -47,6 +47,8 @@ public class GroovySandboxScriptTests extends ElasticsearchIntegrationTest {
|
||||||
testSuccess("def v = doc['foo'].value; def m = [:]; m.put(\\\"value\\\", v)");
|
testSuccess("def v = doc['foo'].value; def m = [:]; m.put(\\\"value\\\", v)");
|
||||||
// Times
|
// Times
|
||||||
testSuccess("def t = Instant.now().getMillis()");
|
testSuccess("def t = Instant.now().getMillis()");
|
||||||
|
// GroovyCollections
|
||||||
|
testSuccess("def n = [1,2,3]; GroovyCollections.max(n)");
|
||||||
|
|
||||||
// Fail cases
|
// Fail cases
|
||||||
testFailure("pr = Runtime.getRuntime().exec(\\\"touch /tmp/gotcha\\\"); pr.waitFor()",
|
testFailure("pr = Runtime.getRuntime().exec(\\\"touch /tmp/gotcha\\\"); pr.waitFor()",
|
||||||
|
|
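Review bot: The case added under `// GroovyCollections` exercises only `GroovyCollections.max`, while the whitelist change it accompanies grants the whole class as a receiver. A second positive case such as `testSuccess("def n = [1,2,3]; GroovyCollections.sum(n)")` would show the grant is class-wide by design. A `testFailure` for a call that must stay rejected even when made through an allowed receiver would pin the other side of the boundary. The enclosing test method starts and ends outside the hunk.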