Merge pull request #16540 from ywelsch/fix/groovy-inflation
Add permission to access sun.reflect.MethodAccessorImpl from Groovy scripts
This commit is contained in:
Yannick Welsch
commit
848316ad0d
|
|
@ -49,6 +49,7 @@ grant {
|
||||||
permission org.elasticsearch.script.ClassPermission "org.codehaus.groovy.runtime.typehandling.DefaultTypeTransformation";
|
permission org.elasticsearch.script.ClassPermission "org.codehaus.groovy.runtime.typehandling.DefaultTypeTransformation";
|
||||||
permission org.elasticsearch.script.ClassPermission "org.codehaus.groovy.vmplugin.v7.IndyInterface";
|
permission org.elasticsearch.script.ClassPermission "org.codehaus.groovy.vmplugin.v7.IndyInterface";
|
||||||
permission org.elasticsearch.script.ClassPermission "sun.reflect.ConstructorAccessorImpl";
|
permission org.elasticsearch.script.ClassPermission "sun.reflect.ConstructorAccessorImpl";
|
||||||
|
permission org.elasticsearch.script.ClassPermission "sun.reflect.MethodAccessorImpl";
|
||||||
|
|
||||||
permission org.elasticsearch.script.ClassPermission "groovy.lang.Closure";
|
permission org.elasticsearch.script.ClassPermission "groovy.lang.Closure";
|
||||||
permission org.elasticsearch.script.ClassPermission "org.codehaus.groovy.runtime.GeneratedClosure";
|
permission org.elasticsearch.script.ClassPermission "org.codehaus.groovy.runtime.GeneratedClosure";
|
||||||
|
|
|
||||||
|
|
@ -90,6 +90,10 @@ public class GroovySecurityTests extends ESTestCase {
|
||||||
// Groovy closures
|
// Groovy closures
|
||||||
assertSuccess("[1, 2, 3, 4].findAll { it % 2 == 0 }");
|
assertSuccess("[1, 2, 3, 4].findAll { it % 2 == 0 }");
|
||||||
assertSuccess("def buckets=[ [2, 4, 6, 8], [10, 12, 16, 14], [18, 22, 20, 24] ]; buckets[-3..-1].every { it.every { i -> i % 2 == 0 } }");
|
assertSuccess("def buckets=[ [2, 4, 6, 8], [10, 12, 16, 14], [18, 22, 20, 24] ]; buckets[-3..-1].every { it.every { i -> i % 2 == 0 } }");
|
||||||
|
// Groovy uses reflection to invoke closures. These reflective calls are optimized by the JVM after "sun.reflect.inflationThreshold"
|
||||||
|
// invocations. After the inflation step, access to sun.reflect.MethodAccessorImpl is required from the security manager. This test,
|
||||||
|
// assuming a inflation threshold below 100 (15 is current value on Oracle JVMs), checks that the relevant permission is available.
|
||||||
|
assertSuccess("(1..100).collect{ it + 1 }");
|
||||||
|
|
||||||
// Fail cases:
|
// Fail cases:
|
||||||
assertFailure("pr = Runtime.getRuntime().exec(\"touch /tmp/gotcha\"); pr.waitFor()", MissingPropertyException.class);
|
assertFailure("pr = Runtime.getRuntime().exec(\"touch /tmp/gotcha\"); pr.waitFor()", MissingPropertyException.class);
|
||||||
|
|
|
||||||
|
|
@ -84,6 +84,7 @@ public class JavaScriptSecurityTests extends ESTestCase {
|
||||||
public void testOK() {
|
public void testOK() {
|
||||||
assertSuccess("1 + 2");
|
assertSuccess("1 + 2");
|
||||||
assertSuccess("Math.cos(Math.PI)");
|
assertSuccess("Math.cos(Math.PI)");
|
||||||
|
assertSuccess("Array.apply(null, Array(100)).map(function (_, i) {return i;}).map(function (i) {return i+1;})");
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Test some javascripts that should hit security exception */
|
/** Test some javascripts that should hit security exception */
|
||||||
|
|
|
||||||
|
|
@ -82,6 +82,7 @@ public class PythonSecurityTests extends ESTestCase {
|
||||||
public void testOK() {
|
public void testOK() {
|
||||||
assertSuccess("1 + 2");
|
assertSuccess("1 + 2");
|
||||||
assertSuccess("from java.lang import Math\nMath.cos(0)");
|
assertSuccess("from java.lang import Math\nMath.cos(0)");
|
||||||
|
assertSuccess("map(lambda x: x + 1, range(100))");
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Test some py scripts that should hit security exception */
|
/** Test some py scripts that should hit security exception */
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue