
Groovy sandbox

Groovy scripts are executed in a sandbox for security reasons. The sandbox can be configured using Java system properties, which can be set in the start scripts of the application server (see Starting and stopping ConSol CM).

The following Java system properties are available:

  • cm6.groovy.sandbox.enabled: Determines if the sandbox is enabled ("true", default value) or disabled ("false").

    -Dcm6.groovy.sandbox.enabled=false
  • cm6.groovy.sandbox.blacklists: Determines which predefined list of patterns is used for blocking methods:

    • command: blocks the execution of shell commands
    • filesystem: blocks access to the file system

    The default value is command. Both lists block bypassing the sandbox. To use both lists, specify them as a comma-separated list.

    -Dcm6.groovy.sandbox.blacklists=command,filesystem
  • cm6.groovy.sandbox.whitelist.regex: Optional. Regular expression for whitelisted API calls. Takes precedence over the predefined blacklist.

  • cm6.groovy.sandbox.blacklist.regex: Optional. Regular expression for blacklisted API calls. Takes precedence over the custom whitelist and the predefined blacklist.

  • cm6.groovy.sandbox.cache.size: Determines the number of pattern matching results which are cached (only for predefined blacklists). The default value is 10000.

    -Dcm6.groovy.sandbox.cache.size=1000
  • cm6.groovy.sandbox.statistics.invocations.threshold: Determines the number of method invocations that must be exceeded for a warning to be written to the log files. The default value is 100000.

    -Dcm6.groovy.sandbox.statistics.invocations.threshold=1000
  • cm6.groovy.sandbox.statistics.details.enabled: Determines if the logging of additional details about method execution is enabled ("true") or disabled ("false", default value). The statistics show the most frequently invoked and most time-consuming methods. By default, this feature is disabled as it might impact performance.

    -Dcm6.groovy.sandbox.statistics.details.enabled=true

Syntax to whitelist a method

The following example shows a piece of code which causes an exception in the default configuration, because all method invocations on freemarker.template.Template are blocked by default:

import freemarker.template.Template

def onInitialize(taskDescriptor) {}
def onExecute(taskDescriptor) {
    Template template = new Template('template', '${firstname} ${lastname}\n', null)
    template.process([lastname: 'Smith', firstname: 'John'], new java.io.OutputStreamWriter(System.out))
}
def onError(taskDescriptor) {}
def onCancel(taskDescriptor) {}

This causes the following exception:

com.consol.cmas.common.util.security.groovy.sandbox.GroovySandboxException: Method <init> in class freemarker.template.Template cannot be executed in sandbox mode

You can whitelist the affected method using the following syntax:

-Dcm6.groovy.sandbox.whitelist.regex=freemarker[.]template[.]Template#.*
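
Because a custom whitelist takes precedence over the predefined blacklists, it is worth checking the JVM options before deployment. The following is an added example, not part of the ConSol CM documentation or product: it audits an option string using the property names and defaults listed above. The function names, the probe signatures, and the assumption that the pattern is matched against the whole Class#method signature are illustrative.

```python
import re
import shlex

# Defaults as documented on this page.
DEFAULTS = {"cm6.groovy.sandbox.enabled": "true", "cm6.groovy.sandbox.blacklists": "command"}
# Constructed probe signatures in the Class#method form of the whitelist
# example above; illustrative only, not the product's own pattern lists.
PROBES = ["java.lang.Runtime#exec", "java.lang.ProcessBuilder#start", "java.io.File#delete"]
# Constructed sample of the options a start script might pass to the JVM.
SAMPLE = ("-Xmx2g -Dcm6.groovy.sandbox.blacklists=command,filesystem "
          "-Dcm6.groovy.sandbox.whitelist.regex=freemarker[.]template[.]Template#.*")


def parse_sandbox_props(jvm_opts):
    """Collect -Dcm6.groovy.sandbox.* settings from a JVM option string."""
    props = dict(DEFAULTS)
    for token in shlex.split(jvm_opts):
        if token.startswith("-Dcm6.groovy.sandbox.") and "=" in token:
            key, value = token[2:].split("=", 1)
            props[key] = value
    return props


def audit(jvm_opts):
    """Return findings for settings that weaken the sandbox."""
    props = parse_sandbox_props(jvm_opts)
    findings = []
    if props["cm6.groovy.sandbox.enabled"].strip().lower() != "true":
        findings.append("sandbox disabled")
    active = {n.strip() for n in props["cm6.groovy.sandbox.blacklists"].split(",")}
    for name in ("command", "filesystem"):
        if name not in active:
            findings.append(f"predefined blacklist '{name}' not active")
    whitelist = props.get("cm6.groovy.sandbox.whitelist.regex")
    if whitelist:
        # Assumption: the pattern must match the whole signature and uses
        # syntax shared by Java and Python regular expressions.
        try:
            hits = [p for p in PROBES if re.fullmatch(whitelist, p)]
        except re.error:
            findings.append("whitelist regex does not compile")
        else:
            if hits:
                findings.append("whitelist permits: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE) or "no findings")
```

A custom cm6.groovy.sandbox.blacklist.regex is not evaluated here; per the precedence described above, it would still block a call that the whitelist matches.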