Security permissions for Groovy JsonSlurper

This commit adds the necessary class permissions and property
permissions for basic Groovy JsonSlurper functionality.

Author: jasontedor

core/src/main/resources/org/elasticsearch/bootstrap/untrusted.policy

@@ -25,6 +25,12 @@ grant {
 
   // groovy IndyInterface bootstrap requires this property for indy logging
   permission java.util.PropertyPermission "groovy.indy.logging", "read";
+
+  // needed by Groovy JsonSlurper
+  permission java.util.PropertyPermission "groovy.json.internKeys", "read";
+  permission java.util.PropertyPermission "jdk.map.althashing.threshold", "read";
+  permission java.util.PropertyPermission "groovy.json.faststringutils.write.to.final.fields", "read";
+  permission java.util.PropertyPermission "groovy.json.faststringutils.disable", "read";
 
   // needed by Rhino engine exception handling
   permission java.util.PropertyPermission "rhino.stack.style", "read";

modules/lang-groovy/build.gradle

@@ -24,6 +24,7 @@ esplugin {
 
 dependencies {
   compile 'org.codehaus.groovy:groovy:2.4.4:indy'
+  compile 'org.codehaus.groovy:groovy-json:2.4.4:indy'
 }
 
 integTest {
@@ -36,7 +37,10 @@ integTest {
 thirdPartyAudit.excludes = [
   // classes are missing, we bring in a minimal groovy dist
   // for example we do not need ivy, scripts arent allowed to download code
-  'com.thoughtworks.xstream.XStream', 
+  'com.thoughtworks.xstream.XStream',
+  'groovy.json.internal.FastStringUtils',
+  'groovy.json.internal.FastStringUtils$StringImplementation$1',
+  'groovy.json.internal.FastStringUtils$StringImplementation$2',
   'groovyjarjarasm.asm.util.Textifiable', 
   'org.apache.ivy.Ivy', 
   'org.apache.ivy.core.event.IvyListener', 

modules/lang-groovy/licenses/groovy-json-2.4.4-indy.jar.sha1

@@ -0,0 +1 @@
+1214cc694b9945278ef61e16dfbfe743dd1cceaf

modules/lang-groovy/licenses/groovy-json-LICENSE.txt

@@ -0,0 +1,15 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+ 

modules/lang-groovy/licenses/groovy-json-NOTICE.txt

@@ -0,0 +1,5 @@
+Apache Commons CLI
+Copyright 2001-2009 The Apache Software Foundation
+
+This product includes software developed by
+The Apache Software Foundation (http://www.apache.org/).

modules/lang-groovy/src/main/plugin-metadata/plugin-security.policy

@@ -56,4 +56,6 @@ grant {
   permission org.elasticsearch.script.ClassPermission "groovy.lang.MetaClass";
   permission org.elasticsearch.script.ClassPermission "groovy.lang.Range";
   permission org.elasticsearch.script.ClassPermission "groovy.lang.Reference";
+  permission org.elasticsearch.script.ClassPermission "groovy.json.JsonSlurper";
+  permission org.elasticsearch.script.ClassPermission "groovy.json.internal.JsonParserCharArray";
 };

modules/lang-groovy/src/test/java/org/elasticsearch/script/groovy/GroovySecurityTests.java

@@ -96,6 +96,8 @@ public void testEvilGroovyScripts() throws Exception {
         // assuming a inflation threshold below 100 (15 is current value on Oracle JVMs), checks that the relevant permission is available.
         assertSuccess("(1..100).collect{ it + 1 }");
 
+        assertSuccess("new groovy.json.JsonSlurper().parseText('{ \"foo\": \"bar\" }')");
+
         // Fail cases:
         assertFailure("pr = Runtime.getRuntime().exec(\"touch /tmp/gotcha\"); pr.waitFor()", MissingPropertyException.class);