security/groovy.policy

/* * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, * software distributed under the License is distributed on an * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY * KIND, either express or implied. See the License for the * specific language governing permissions and limitations * under the License. */ /* Notes on the contents of this policy file: * * The following methods in groovy have privileged operations wrapping * setAccessible. If these wrappers are not provided, most codebases below * must have the following grant: * permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; * MetaMethod.createMetaMethod * MetaMethod.invoke(Object Object[]) * ReflectionMetaMethod.invoke(Object Object[]) * DefaultGroovyMethods.dump(Object) */ /* * This keystore contains the public key of the pair used to sign GroovyTestJar.jar * See SecurityTest.testReadSignedJar() */ // NOT CURRENTLY USED! //keystore "file:${user.dir}/security/groovykeys"; /* * ================= Codebases requiring java.security.AllPermission =============== * The following codebases require java.security.AllPermission. They are considered trusted * for purposes of groovy security enforcement. In a deployed groovy environment, these classes * would all be in a set of jars. If these jars are signed, the grants could be strengthened to * by adding a signedBy clause to the grant. */ // Eclipse default output directory to allow running security tests in that IDE grant codeBase "file:${user.dir}/bin/-" { permission java.security.AllPermission; }; // IntelliJ IDEA default output directory to allow running security tests in that IDE grant codeBase "file:${user.dir}/out/-" { permission java.security.AllPermission; }; // Gradle build output directory grant codeBase "file:${user.dir}/build/-" { permission java.security.AllPermission; }; grant codeBase "file:${user.dir}/subprojects/groovy-test/build/-" { permission java.security.AllPermission; }; // Gradle dependency cache grant codeBase "file:${user.home}/.gradle/-" { permission java.security.AllPermission; }; grant codeBase "file:${groovy.lib}/-" { permission java.security.AllPermission; }; /* * When running from maven, this codebase is required. * If not running from maven, the codesource will not be found, but will not cause an error. */ grant codeBase "file:${maven.home}/-" { permission java.security.AllPermission; }; /* * When running from Gradle, this codebase is required. * If not running from Gradle, the codesource will not be found, but will not cause an error. */ grant codeBase "file:${gradle.home}/-" { permission java.security.AllPermission; }; grant codeBase "file:${gradle.junit}" { permission java.security.AllPermission; }; /* * When running the junit plugin from within eclipse, this codebase is required. * If not running from eclipse, the codesource will not be found, but will not cause an error. */ grant codeBase "file:${user.dir}/../../plugins/-" { permission java.security.AllPermission; }; /* * ================= Default codebases created by groovy. =============== * The following codebases are assigned when groovy parses a groovy script */ /* * GroovyShell.parse(InputStream,...) is given a codebase of "groovy.shell" because no actual * codebase can be determined. The other forms of parse(File) and parse(GroovyCodeSource) allow * for more control. These permission should be set to control scripts that are passed into * the shell in the form of a string or other groovy code of unknown provenance. */ grant codeBase "file:/groovy/shell" { permission java.lang.RuntimePermission "accessDeclaredMembers"; // For StreamClassloaderInScriptTest.groovy test permission java.io.FilePermission "${user.dir}${/}blahblah.dat", "read,write,delete"; }; /* * Similar to "file:/groovy/shell", but implying a direct call to GroovyClassLoader.parse() without * passing through GroovyShell. */ grant codeBase "file:/groovy/script" { permission java.lang.RuntimePermission "accessDeclaredMembers"; }; /* * The TestSupport class has a loadClass method that takes a ClassNode and runs it * through defineClass() of the class loader. The codebase for this operation is * set to "/groovy/testSupport". */ grant codeBase "file:/groovy/testSupport" { permission java.lang.RuntimePermission "accessDeclaredMembers"; }; /* * ================= SecurityTest codebases =============== * The following grants are for individual security test cases where the * codebase is explicitly specified (e.g. the script is a raw string rather * than read from a file). Note that even though the codebases conform to * the file URL syntax, they are not physical files: they represent virtual * codebases. * The permission grant that is commented out is the permission that is * expected to be missing by the test case. It is here as a comment for * information. */ //Since a codebase is a URL, we can make use of the natural hierarchy permission implications //to grant a 'global' accessDeclaredPermission here. grant codeBase "file:/groovy/security/-" { permission java.lang.RuntimePermission "accessDeclaredMembers"; permission java.lang.RuntimePermission "getClassLoader"; }; grant codeBase "file:/groovy/security/testForbiddenPackage" { //permission java.lang.RuntimePermission "accessClassInPackage.sun.*"; }; grant codeBase "file:/groovy/security/javax/print/deny" { //permission java.lang.RuntimePermission "accessClassInPackage.javax.print"; }; grant codeBase "file:/groovy/security/javax/print/allow" { permission java.lang.RuntimePermission "accessClassInPackage.javax.print"; }; /* * ================= .groovy script file codebases =============== * The following grants are for individual security test cases. * The permission grant that is commented out is the permission that is * expected to be missing by the test case. It is here as a comment for * information. */ grant codeBase "file:${user.dir}/src/test/groovy/-" { // Required by most groovy scripts during execution because of the heavy use of reflection/ // introspection. The groovy code could potentially be changed to eliminate this requirement // by adding privileged operations in many places. permission java.lang.RuntimePermission "accessDeclaredMembers"; }; grant codeBase "file:${user.dir}/src/test/groovy/groovy/security/forbiddenCodeBase.gvy" { //The following grant is commented out so that the test case will throw an AccessControlException //permission groovy.security.GroovyCodeSourcePermission "/groovy/security/forbiddenCodeBase"; }; // Grant permission to .groovy files extracted from a signed jar that has been signedBy "Groovy" grant signedBy "Groovy" { permission java.lang.RuntimePermission "accessDeclaredMembers"; permission java.util.PropertyPermission "user.home", "read"; }; grant codeBase "file:${user.dir}/src/test/groovy/bugs/BadScriptNameBug.groovy" { permission java.lang.RuntimePermission "createClassLoader"; permission java.util.PropertyPermission "groovy.compiler.strictNames", "read"; }; grant codeBase "file:${user.dir}/src/test/groovy/groovy/ClosureMethodTest.groovy" { permission java.lang.RuntimePermission "getClassLoader"; }; grant codeBase "file:${user.dir}/src/test/groovy/groovy/ClosureWithDefaultParamTest.groovy" { permission java.lang.RuntimePermission "getClassLoader"; permission java.io.FilePermission "src${/}test${/}-", "read"; // Required because test calls File.eachLine which eventually invokes // groovy.util.CharsetToolkit#getDefaultSystemCharset which does not wrap // the property access in a privileged block. permission java.util.PropertyPermission "file.encoding", "read"; }; grant codeBase "file:${user.dir}/src/test/groovy/bugs/ConstructorBug.groovy" { permission java.lang.RuntimePermission "createClassLoader"; // Required because GroovyCodeSource calls to File#getCanonicalPath (at least on the Windows FileSystem) permission java.util.PropertyPermission "user.dir", "read"; permission java.util.PropertyPermission "groovy.compiler.strictNames", "read"; permission java.io.FilePermission "src${/}test${/}groovy${/}bugs${/}TestBase.groovy", "read"; permission java.io.FilePermission "src${/}test${/}groovy${/}bugs${/}TestDerived.groovy", "read"; permission java.io.FilePermission "${user.dir}${/}target${/}classes${/}test${/}groovy${/}bugs${/}TestBase.class", "read"; permission java.io.FilePermission "${user.dir}${/}target${/}classes${/}test${/}groovy${/}bugs${/}TestDerived.class", "read"; }; grant codeBase "file:${user.dir}/src/test/groovy/groovy/script/ScriptTest.groovy" { permission java.io.FilePermission "src${/}test${/}groovy${/}-", "read"; permission groovy.security.GroovyCodeSourcePermission "/groovy/shell"; // Required because GroovyCodeSource calls to File#getCanonicalPath (at least on the Windows FileSystem) permission java.util.PropertyPermission "user.dir", "read"; // Required by MethodTestScript.groovy run as a script permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect"; // Required by StreamClassloaderInScriptTest.groovy run as a script permission java.io.FilePermission "${user.dir}${/}blahblah.dat", "read,write,delete"; // Required for JUnit to report errors for scripts that are junit test cases permission java.util.PropertyPermission "user.home", "read"; permission java.io.FilePermission "${user.home}${/}junit.properties", "read"; // Required for Gradle 4.7+ printing a line triggered by running the script permission java.util.PropertyPermission "line.separator", "read"; }; grant codeBase "file:${user.dir}/src/test/groovy/groovy/script/EvalInScript.groovy" { permission java.io.FilePermission "src${/}test${/}groovy${/}script${/}HelloWorld.groovy", "read"; permission groovy.security.GroovyCodeSourcePermission "/groovy/shell"; // Required because GroovyCodeSource calls to File#getCanonicalPath (at least on the Windows FileSystem) permission java.util.PropertyPermission "user.dir", "read"; }; grant codeBase "file:${user.dir}/src/test/groovy/groovy/script/MethodTestScript.groovy" { permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect"; }; grant codeBase "file:${user.dir}/src/test/groovy/groovy/script/StreamClassloaderInScriptTest.groovy" { permission groovy.security.GroovyCodeSourcePermission "/groovy/shell"; permission java.io.FilePermission "${user.dir}${/}blahblah.dat", "read,write,delete"; }; grant { // Required to load Global AST Transforms permission java.io.FilePermission "${user.dir}${/}target${/}resources${/}main${/}META-INF${/}services${/}-", "read"; permission java.io.FilePermission "${user.dir}${/}target${/}libs${/}-", "read"; // Required for StreamClassloaderInScriptTest permission java.io.FilePermission "${java.home}${/}-", "read"; };

security/groovy.policy (226 lines of code) (raw):