Security permissions for Groovy closures

This commit adds some permissions that Groovy needs to use closures.

Closes #16196
Jason Tedor 2016-01-22 20:55:38 -05:00
parent 426becea44
commit bdddea2dd0
2 changed files with 9 additions and 0 deletions


@ -25,6 +25,7 @@ grant {
// needed by groovy engine
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
// needed by GroovyScriptEngineService to close its classloader (why?)
permission java.lang.RuntimePermission "closeClassLoader";
// Allow executing groovy scripts with codesource of /untrusted
@ -48,4 +49,9 @@ grant {
permission org.elasticsearch.script.ClassPermission "org.codehaus.groovy.runtime.typehandling.DefaultTypeTransformation";
permission org.elasticsearch.script.ClassPermission "org.codehaus.groovy.vmplugin.v7.IndyInterface";
permission org.elasticsearch.script.ClassPermission "sun.reflect.ConstructorAccessorImpl";
permission org.elasticsearch.script.ClassPermission "groovy.lang.Closure";
permission org.elasticsearch.script.ClassPermission "org.codehaus.groovy.runtime.GeneratedClosure";
permission org.elasticsearch.script.ClassPermission "groovy.lang.MetaClass";
permission org.elasticsearch.script.ClassPermission "groovy.lang.Range";
};
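Review bot: `permission java.lang.reflect.ReflectPermission "suppressAccessChecks";` has no comment of its own in the `grant` block, yet it is the broadest entry in this section, since code holding it can call `setAccessible(true)` on non-public members. The `+` markers are lost on this page, so I am inferring from the hunk header (one added line) that this is the line the commit adds. I would record the reason and the boundary it depends on, e.g. `// needed for groovy closures (#16196); broad: allows setAccessible(true), must never be reachable from script code`. The new `ClassPermission` entries (`groovy.lang.Closure`, `org.codehaus.groovy.runtime.GeneratedClosure`, `groovy.lang.MetaClass`, `groovy.lang.Range`) widen what scripts may reference, but the closure tests added in GroovySecurityTests are all `assertSuccess` cases. A failure-case assertion that attempts an already-denied call from inside a closure body would pin that the sandbox still holds on that path.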


@ -87,6 +87,9 @@ public class GroovySecurityTests extends ESTestCase {
assertSuccess("def t = Instant.now().getMillis()");
// GroovyCollections
assertSuccess("def n = [1,2,3]; GroovyCollections.max(n)");
// Groovy closures
assertSuccess("[1, 2, 3, 4].findAll { it % 2 == 0 }");
assertSuccess("def buckets=[ [2, 4, 6, 8], [10, 12, 16, 14], [18, 22, 20, 24] ]; buckets[-3..-1].every { it.every { i -> i % 2 == 0 } }");
// Fail cases:
assertFailure("pr = Runtime.getRuntime().exec(\"touch /tmp/gotcha\"); pr.waitFor()", MissingPropertyException.class);