Groovy sandbox

Groovy scripts are now executed in a sandbox for security reasons. The sandbox is configured through Java system properties, which are set in the start scripts of the application server (see Start and stop commands).

The following Java system properties are available:

Syntax to whitelist a method

The following example shows a piece of code which causes an exception in the default configuration, because all method invocations on freemarker.template.Template are blocked by default:

    import freemarker.template.Template

    def onInitialize(taskDescriptor) {}

    def onExecute(taskDescriptor) {
        Template template = new Template('template', '${firstname} ${lastname}\n', null)
        template.process([lastname: 'Smith', firstname: 'John'], new java.io.OutputStreamWriter(System.out))
    }

    def onError(taskDescriptor) {}

    def onCancel(taskDescriptor) {}

This causes the following exception:

com.consol.cmas.common.util.security.groovy.sandbox.GroovySandboxException: Method <init> in class freemarker.template.Template cannot be executed in sandbox mode

You can whitelist the affected method using the following syntax:

-Dcm6.groovy.sandbox.whitelist.regex=freemarker[.]template[.]Template#.*
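As an added example (not part of this documentation or of the product), the following Python snippet models the whitelist check so that a candidate value for cm6.groovy.sandbox.whitelist.regex can be reviewed before it goes into the start script. It assumes that the sandbox matches the regex against the whole `class#method` signature (the form used in the exception message above, with `<init>` standing for the constructor), and it also shows a narrower value than the wildcard that covers only the constructor and process() call the script above actually makes.

```python
import re

# Constructed sample signatures in the "<class>#<method>" form of the sandbox
# exception message ("Method <init> in class freemarker.template.Template").
SIGNATURES = [
    "freemarker.template.Template#<init>",
    "freemarker.template.Template#process",
    "freemarker.template.Template#getName",
    "freemarker.template.Configuration#setDirectoryForTemplateLoading",
    "java.lang.Runtime#exec",
]


def is_whitelisted(signature, whitelist_regex):
    """True when the whitelist regex allows the signature.
    Assumption: the sandbox anchors the match to the whole signature
    (like java.util.regex Matcher.matches()), hence re.fullmatch."""
    return re.fullmatch(whitelist_regex, signature) is not None


def allowed_by(whitelist_regex, signatures=SIGNATURES):
    """Every signature a candidate whitelist value would let through."""
    return [s for s in signatures if is_whitelisted(s, whitelist_regex)]


def check_whitelist(whitelist_regex, must_allow, must_block):
    """Review a candidate value: list each expectation it violates
    (an empty list means the value does exactly what was intended)."""
    problems = []
    for sig in must_allow:
        if not is_whitelisted(sig, whitelist_regex):
            problems.append("still blocked: " + sig)
    for sig in must_block:
        if is_whitelisted(sig, whitelist_regex):
            problems.append("unexpectedly allowed: " + sig)
    return problems


# The documented value opens every method of Template with "#.*"; the narrow
# value lists only what the sample script calls. "[.]" matches a literal dot,
# whereas a bare "." would also match any other character in the class name.
WIDE = r"freemarker[.]template[.]Template#.*"
NARROW = r"freemarker[.]template[.]Template#(<init>|process)"

if __name__ == "__main__":
    print("wide   allows:", allowed_by(WIDE))
    print("narrow allows:", allowed_by(NARROW))
    print(check_whitelist(NARROW,
                          must_allow=SIGNATURES[:2],
                          must_block=SIGNATURES[2:]))
```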