Security permissions for Groovy closures #16196

Closed
wants to merge 3 commits into from
Expand Up @@ -25,6 +25,7 @@ grant {
// needed by groovy engine
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
Member

@rmuir should look at this...there was an enormous amount of work that went into removing this permission across elasticsearch.

// needed by GroovyScriptEngineService to close its classloader (why?)
permission java.lang.RuntimePermission "closeClassLoader";
// Allow executing groovy scripts with codesource of /untrusted
Expand All @@ -48,4 +49,8 @@ grant {
permission org.elasticsearch.script.ClassPermission "org.codehaus.groovy.runtime.typehandling.DefaultTypeTransformation";
permission org.elasticsearch.script.ClassPermission "org.codehaus.groovy.vmplugin.v7.IndyInterface";
permission org.elasticsearch.script.ClassPermission "sun.reflect.ConstructorAccessorImpl";

permission org.elasticsearch.script.ClassPermission "groovy.lang.Closure";
permission org.elasticsearch.script.ClassPermission "org.codehaus.groovy.runtime.GeneratedClosure";
permission org.elasticsearch.script.ClassPermission "groovy.lang.MetaClass";
};
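Review bot: The three `ClassPermission` entries added at the end of the grant block (`groovy.lang.Closure`, `org.codehaus.groovy.runtime.GeneratedClosure`, `groovy.lang.MetaClass`) carry no comment saying which script feature needs them, unlike the `// needed by ...` comments higher in the file. `groovy.lang.MetaClass` is the one to justify on its own: it is Groovy's dynamic dispatch interface (`invokeMethod`, `getProperty`), so exposing it to script code may widen what a script can reach beyond the classes listed here; this is inferred from the Groovy API, not from anything visible in the hunk. If the closure test passes without it, drop that line; otherwise add a comment such as `// needed for closures in scripts, e.g. values.findAll { ... }` and a test that a closure body touching a non-listed class is still rejected.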
Expand Up @@ -51,6 +51,7 @@
*/
// TODO: refactor into unit test or proper rest tests
public class GroovyScriptTests extends ESIntegTestCase {

@Override
protected Collection<Class<? extends Plugin>> nodePlugins() {
return Collections.singleton(GroovyPlugin.class);
Expand All @@ -73,6 +74,20 @@ public void assertScript(String scriptString) {
assertNoFailures(resp);
}

public void testUseClosure() {
client().prepareIndex("test", "type", "1").setSource("message", "This is a message!").setSource("numbers", new int[] { 1, 2, 3, 4 }).setRefresh(true).get();
client().prepareIndex("test", "type", "1").setSource("message", "This is a message! too").setSource("numbers", new int[] { 4, 2, 3, 5 }).setRefresh(true).get();

SearchSourceBuilder searchSourceBuilder =
SearchSourceBuilder
.searchSource()
.scriptField("use_closure", new Script("doc['numbers'].values.findAll { it % 2 == 0 }", ScriptType.INLINE, "groovy", null));
SearchResponse response = client().prepareSearch()
.setSource(searchSourceBuilder)
.get();
assertNoFailures(response);
}

public void testGroovyExceptionSerialization() throws Exception {
List<IndexRequestBuilder> reqs = new ArrayList<>();
for (int i = 0; i < randomIntBetween(50, 500); i++) {
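Review bot: `testUseClosure` only calls `assertNoFailures(response)`, so it shows that a closure compiles and runs but not what it returns, and nothing checks that the sandbox still rejects a closure whose body touches a class outside the allowlist. Both `prepareIndex` calls also use id `"1"`, so the second document overwrites the first, and the chained `setSource("message", ...).setSource("numbers", ...)` probably keeps only the last source (to be confirmed against the builder). Suggest indexing the second document as `"2"`, passing both fields in one `setSource` call, and asserting the `use_closure` field values of a hit. The enclosing class starts and continues outside this hunk.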