Groovy sandbox

Groovy scripts are now executed in a sandbox for security reasons. The sandbox can be configured using Java system properties which can be set in the start scripts of the application server, see Start and stop commands.

The following Java system properties are available:

cm6.groovy.sandbox.enabled
Determines if the sandbox is enabled (true, default value) or disabled (false).

-Dcm6.groovy.sandbox.enabled=false
cm6.groovy.sandbox.blacklists
Determines which predefined list of patterns is used for blocking methods:
- command: blocks the execution of shell commands
- filesystem: blocks access to the file system
The default value is command. Both lists of patterns block bypassing the sandbox. You can configure both lists of patterns as a comma-separated list.

-Dcm6.groovy.sandbox.blacklists=command,filesystem
cm6.groovy.sandbox.whitelist.regex
Optional. Regular expression for whitelisted API calls. Takes precedence over the predefined blacklist.
cm6.groovy.sandbox.blacklist.regex
Optional. Regular expression for blacklisted API calls. Takes precedence over the custom whitelist and the predefined blacklist.
cm6.groovy.sandbox.cache.size
Determines the number of results of pattern matching which are cached (only for predefined backlists). The default value is 10000.

-Dcm6.groovy.sandbox.cache.size=1000
cm6.groovy.sandbox.statistics.invocations.threshold
Determines the number of method invocations which needs to be exceeded for a warning to be written to the log files. The default value is 100000.

-Dcm6.groovy.sandbox.statistics.invocations.threshold=1000
cm6.groovy.sandbox.statistics.details.enabled
Determines if the logging of additional details about method execution is enabled (true) or disabled (false, default value). The statistics shows the most frequently invoked and most time-consuming methods. By default, this feature is disabled as it might impact performance.

-Dcm6.groovy.sandbox.statistics.details.enabled=true

Syntax to whitelist a method

The following example shows a piece of code which causes an exception in the default configuration, because all method invocations on freemarker.template.Template are blocked by default:

import freemarker.template.Template

def onInitialize(taskDescriptor) {}

def onExecute(taskDescriptor) {

Template template = new Template('template', '${firstname} ${lastname}\n', null)

template.process([lastname: 'Smith', firstname: 'John'], new java.io.OutputStreamWriter(System.out))

}

def onError(taskDescriptor) {}

def onCancel(taskDescriptor) {}

This causes the following exception:

com.consol.cmas.common.util.security.groovy.sandbox.GroovySandboxException: Method <init> in class freemarker.template.Template cannot be executed in sandbox mode

You can whitelist the affected method using the following syntax:

-Dcm6.groovy.sandbox.whitelist.regex=freemarker[.]template[.]Template#.*