Disallow method pointer expressions in Groovy scripting

dakrone · dakrone · commit 9b8715719880 · 2015-01-30T17:23:41.000-07:00
diff --git a/src/main/java/org/elasticsearch/script/groovy/GroovySandboxExpressionChecker.java b/src/main/java/org/elasticsearch/script/groovy/GroovySandboxExpressionChecker.java
@@ -21,10 +21,7 @@
 
 import com.google.common.collect.ImmutableSet;
 import org.codehaus.groovy.ast.ClassNode;
-import org.codehaus.groovy.ast.expr.ConstructorCallExpression;
-import org.codehaus.groovy.ast.expr.Expression;
-import org.codehaus.groovy.ast.expr.GStringExpression;
-import org.codehaus.groovy.ast.expr.MethodCallExpression;
+import org.codehaus.groovy.ast.expr.*;
 import org.codehaus.groovy.control.customizers.SecureASTCustomizer;
 import org.elasticsearch.common.settings.Settings;
 
@@ -68,6 +65,7 @@ public GroovySandboxExpressionChecker(Settings settings, Set<String> blacklistAd
             "wait",
             "notify",
             "notifyAll",
+            "invokeMethod",
             "finalize"
     };
 
@@ -119,7 +117,9 @@ public GroovySandboxExpressionChecker(Settings settings, Set<String> blacklistAd
      */
     @Override
     public boolean isAuthorized(Expression expression) {
-        if (expression instanceof MethodCallExpression) {
+        if (expression instanceof MethodPointerExpression) {
+            return false;
+        } else if (expression instanceof MethodCallExpression) {
             MethodCallExpression mce = (MethodCallExpression) expression;
             String methodName = mce.getMethodAsString();
             if (methodBlacklist.contains(methodName)) {
diff --git a/src/test/java/org/elasticsearch/script/GroovySandboxScriptTests.java b/src/test/java/org/elasticsearch/script/GroovySandboxScriptTests.java
@@ -90,6 +90,12 @@ public void testSandboxedGroovyScript() {
 
         testFailure("def methodName = 'ex'; Runtime.\\\"${'get' + 'Runtime'}\\\"().\\\"${methodName}ec\\\"(\\\"touch /tmp/gotcha2\\\")",
                 "Expression [MethodCallExpression] is not allowed: java.lang.Runtime.$(get + Runtime)().$methodNameec(touch /tmp/gotcha2)");
+
+        testFailure("def c = [doc['foo'].value, 3, 4].&size;  c()",
+                "Expression [MethodPointerExpression] is not allowed");
+
+        testFailure("[doc['foo'].value, 3, 4].invokeMethod([1,2],\\\"size\\\", new Object[0])",
+                "Expression [MethodCallExpression] is not allowed: [doc[foo].value, 3, 4].invokeMethod([1, 2], size, [])");
     }
 
     @Test
