  1. Hippo Repository
  2. REPO-1339

It's possible to call OS commands from Groovy script


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: 2.24.16, 2.26.16, 3.0.0
    • Fix Version/s: 3.1.0

      Description

      While the GroovyUpdaterClassLoader applies some blacklisting and compilation checks to prevent very obvious mistakes and misuse, it is still (too) easy to work around this.
      A bit more hardening against such easy workarounds can be applied.

      Note though that it is neither intended nor assumed that the GroovyUpdaterClassLoader provides a full-blown and trusted Groovy security sandbox, guarding against all possible misuse.
      Proper securing against misuse of the capabilities of Groovy in the context of Groovy Updater scripts relies on the usage of and access to those scripts being limited, e.g. to trusted developers and administrators only.

              People

              • Assignee:
                Unassigned
                Reporter:
                adouma Ate Douma
