honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Disallow method pointer expressions in Groovy scripting

This commit is contained in:
Lee Hinman 2015-01-30 08:42:02 -07:00
parent 9fe84062a1
commit 9557625ae7
2 changed files with 11 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/main/java/org/elasticsearch/script/groovy/GroovySandboxExpressionChecker.java
View File

@ -21,10 +21,7 @@ package org.elasticsearch.script.groovy;
import com.google.common.collect.ImmutableSet; import com.google.common.collect.ImmutableSet;
import org.codehaus.groovy.ast.ClassNode; import org.codehaus.groovy.ast.ClassNode;
import org.codehaus.groovy.ast.expr.ConstructorCallExpression; import org.codehaus.groovy.ast.expr.*;
import org.codehaus.groovy.ast.expr.Expression;
import org.codehaus.groovy.ast.expr.GStringExpression;
import org.codehaus.groovy.ast.expr.MethodCallExpression;
import org.codehaus.groovy.control.customizers.SecureASTCustomizer; import org.codehaus.groovy.control.customizers.SecureASTCustomizer;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
@ -68,6 +65,7 @@ public class GroovySandboxExpressionChecker implements SecureASTCustomizer.Expre
"wait", "wait",
"notify", "notify",
"notifyAll", "notifyAll",
"invokeMethod",
"finalize" "finalize"
}; };
@ -120,7 +118,9 @@ public class GroovySandboxExpressionChecker implements SecureASTCustomizer.Expre
*/ */
@Override @Override
public boolean isAuthorized(Expression expression) { public boolean isAuthorized(Expression expression) {
if (expression instanceof MethodCallExpression) { if (expression instanceof MethodPointerExpression) {
return false;
} else if (expression instanceof MethodCallExpression) {
MethodCallExpression mce = (MethodCallExpression) expression; MethodCallExpression mce = (MethodCallExpression) expression;
String methodName = mce.getMethodAsString(); String methodName = mce.getMethodAsString();
if (methodBlacklist.contains(methodName)) { if (methodBlacklist.contains(methodName)) {

6
src/test/java/org/elasticsearch/script/GroovySandboxScriptTests.java
View File

@ -92,6 +92,12 @@ public class GroovySandboxScriptTests extends ElasticsearchIntegrationTest {
testFailure("def methodName = 'ex'; Runtime.\\\"${'get' + 'Runtime'}\\\"().\\\"${methodName}ec\\\"(\\\"touch /tmp/gotcha2\\\")", testFailure("def methodName = 'ex'; Runtime.\\\"${'get' + 'Runtime'}\\\"().\\\"${methodName}ec\\\"(\\\"touch /tmp/gotcha2\\\")",
"Expression [MethodCallExpression] is not allowed: java.lang.Runtime.$(get + Runtime)().$methodNameec(touch /tmp/gotcha2)"); "Expression [MethodCallExpression] is not allowed: java.lang.Runtime.$(get + Runtime)().$methodNameec(touch /tmp/gotcha2)");
testFailure("def c = [doc['foo'].value, 3, 4].&size; c()",
"Expression [MethodPointerExpression] is not allowed");
testFailure("[doc['foo'].value, 3, 4].invokeMethod([1,2],\\\"size\\\", new Object[0])",
"Expression [MethodCallExpression] is not allowed: [doc[foo].value, 3, 4].invokeMethod([1, 2], size, [])");
} }
@Test @Test