Sandbox for Groovy scripts (#647193)
Groovy scripts written on the Scripts page of the Web Admin Suite / Admin Tool and in the Process Designer are now executed in a sandbox for security reasons. The sandbox can be configured using Java system properties which can be set in the start scripts of the application server.
The following Java system properties are available:
- cm6.groovy.sandbox.enabled
  Determines if the sandbox is enabled (true, default value) or disabled (false).
  Example: -Dcm6.groovy.sandbox.enabled=false
- cm6.groovy.sandbox.blacklists
  Determines which predefined list of patterns is used for blocking methods:
  - command: blocks the execution of shell commands
  - filesystem: blocks access to the file system
  The default value is command. Both lists of patterns also block attempts to bypass the sandbox. To use both lists, specify them as a comma-separated list.
  Example: -Dcm6.groovy.sandbox.blacklists=command,filesystem
- cm6.groovy.sandbox.whitelist.regex
  Optional. Regular expression for whitelisted API calls. Takes precedence over the predefined blacklist.
- cm6.groovy.sandbox.blacklist.regex
  Optional. Regular expression for blacklisted API calls. Takes precedence over the custom whitelist and the predefined blacklist.
- cm6.groovy.sandbox.cache.size
  Determines the number of pattern matching results that are cached (only for predefined blacklists). The default value is 10000.
  Example: -Dcm6.groovy.sandbox.cache.size=1000
- cm6.groovy.sandbox.statistics.invocations.threshold
  Determines the number of method invocations that must be exceeded for a warning to be written to the log files. The default value is 100000.
  Example: -Dcm6.groovy.sandbox.statistics.invocations.threshold=1000
- cm6.groovy.sandbox.statistics.details.enabled
  Determines if the logging of additional details about method execution is enabled (true) or disabled (false, default value). The statistics show the most frequently invoked and most time-consuming methods. By default, this feature is disabled as it might impact performance.
  Example: -Dcm6.groovy.sandbox.statistics.details.enabled=true
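
A configuration check for the properties above, added here as an example and not part of the product: it reads a JVM option string, such as the one built in an application server start script, and reports settings that leave the sandbox weaker than running with both predefined lists. The function names, the sample option string, the whitespace splitting of options and the rule that the last duplicate -D wins are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a JVM option string for the cm6.groovy.sandbox.* properties.
# Defaults (enabled=true, blacklists=command) are the ones documented above.
# Assumptions: options are whitespace-separated; the last duplicate -D wins.

# prop_value OPTS NAME DEFAULT: print the value of -DNAME=... or DEFAULT.
prop_value() (
  set -f                      # regex values may contain glob characters
  value=$3
  for tok in $1; do
    case $tok in
      "-D$2="*) value=${tok#"-D$2="} ;;
    esac
  done
  printf '%s\n' "$value"
)

# audit_sandbox_opts OPTS: print one finding per line; no output means no finding.
audit_sandbox_opts() (
  p=cm6.groovy.sandbox
  enabled=$(prop_value "$1" "$p.enabled" true)
  lists=$(prop_value "$1" "$p.blacklists" command)
  allow=$(prop_value "$1" "$p.whitelist.regex" "")
  deny=$(prop_value "$1" "$p.blacklist.regex" "")

  if [ "$enabled" != true ]; then
    printf 'FAIL %s.enabled=%s (expected true)\n' "$p" "$enabled"
    return 0
  fi
  for list in command filesystem; do
    case ",$lists," in
      *",$list,"*) ;;
      *) printf 'WARN predefined list "%s" is not active\n' "$list" ;;
    esac
  done
  if [ -n "$allow" ] && [ -z "$deny" ]; then
    # A custom whitelist outranks the predefined lists; only a custom blacklist outranks it.
    printf 'WARN whitelist.regex overrides the predefined lists, review: %s\n' "$allow"
  fi
)

# Constructed sample, not taken from a real installation.
SAMPLE_OPTS='-Xmx2g -Dcm6.groovy.sandbox.blacklists=command -Dcm6.groovy.sandbox.whitelist.regex=com.example.*'
audit_sandbox_opts "$SAMPLE_OPTS"
```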