Add GroovyCollections to the sandbox whitelist

Also clarify in the docs that changing the whitelist/blacklist settings
replaces the list; it does not add to it.

Fixes #7089
Fixes #7088
Lee Hinman 2014-08-13 10:39:42 +02:00
parent 089658a36f
commit 4dc060527c
3 changed files with 6 additions and 0 deletions


@ -233,6 +233,9 @@ that can be used for configuring this sandbox:
Flag to disable the sandbox (defaults to `true` meaning the sandbox is Flag to disable the sandbox (defaults to `true` meaning the sandbox is
enabled). enabled).
When specifying whitelist or blacklist settings for the groovy sandbox, all
options replace the current whitelist, they are not additive.
[float] [float]
=== Automatic Script Reloading === Automatic Script Reloading


@ -88,6 +88,7 @@ public class GroovySandboxExpressionChecker implements SecureASTCustomizer.Expre
// Default whitelisted receiver classes for the Groovy sandbox // Default whitelisted receiver classes for the Groovy sandbox
private final static String[] defaultReceiverWhitelist = new String [] { private final static String[] defaultReceiverWhitelist = new String [] {
groovy.util.GroovyCollections.class.getName(),
java.lang.Math.class.getName(), java.lang.Math.class.getName(),
java.lang.Integer.class.getName(), "[I", "[[I", "[[[I", java.lang.Integer.class.getName(), "[I", "[[I", "[[[I",
java.lang.Float.class.getName(), "[F", "[[F", "[[[F", java.lang.Float.class.getName(), "[F", "[[F", "[[[F",
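Review bot: The new `groovy.util.GroovyCollections.class.getName()` entry in `defaultReceiverWhitelist` has no comment recording what was reviewed before the class was admitted. The array holds class names, so if the checker matches receivers per class (the checking code is outside this hunk), every static method on GroovyCollections becomes callable from scripts, not only `max`. That includes `combinations` and `subsequences`, whose result size grows combinatorially with the input. I would record the reasoning next to the entry, for example `// GroovyCollections: collection helpers only (min/max/sum/...); whole class is exposed, result sizes are not bounded`. The array initializer continues past the end of the hunk.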


@ -47,6 +47,8 @@ public class GroovySandboxScriptTests extends ElasticsearchIntegrationTest {
testSuccess("def v = doc['foo'].value; def m = [:]; m.put(\\\"value\\\", v)"); testSuccess("def v = doc['foo'].value; def m = [:]; m.put(\\\"value\\\", v)");
// Times // Times
testSuccess("def t = Instant.now().getMillis()"); testSuccess("def t = Instant.now().getMillis()");
// GroovyCollections
testSuccess("def n = [1,2,3]; GroovyCollections.max(n)");
// Fail cases // Fail cases
testFailure("pr = Runtime.getRuntime().exec(\\\"touch /tmp/gotcha\\\"); pr.waitFor()", testFailure("pr = Runtime.getRuntime().exec(\\\"touch /tmp/gotcha\\\"); pr.waitFor()",
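Review bot: Only `GroovyCollections.max` is exercised under the new `// GroovyCollections` comment, while the whitelist change in this commit admits the whole class as a receiver. Adding `testSuccess("def n = [1,2,3]; GroovyCollections.min(n)");` and `testSuccess("def n = [1,2,3]; GroovyCollections.sum(n)");` would pin the other common helpers against a later narrowing of the list. The docs hunk states that whitelist settings replace the defaults, and nothing here covers that; a case that configures a custom receiver whitelist and expects the same script to fail would do so. The enclosing test method starts before the hunk, and the `testFailure` call on its last line continues past it.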