Groovy Sandbox

As IntegrationManager runs untrusted Groovy scripts that could contain malicious code, the Groovy scripts must be evaluated inside a sandbox that blocks such code. If the sandbox detects forbidden code, it throws an exception of the type net.pricefx.integration.groovy.GroovyEvaluationException.

Provisioned IM instances have the sandbox enabled by default and this cannot be changed. However, the IM core team may extend the whitelist of permitted classes using the integration.groovy-sandbox.custom-allowed-types property on the config server. Blacklisted classes cannot be whitelisted.

Custom IM integrations (e.g. those created with the maven-archetype) have full control over the sandbox and may disable it completely. However, this is strongly discouraged, as it removes the protection against malicious scripts described above.

Sandbox Rules

The sandbox recognizes forbidden code by matching Groovy expressions against a whitelist and a blacklist.

Whitelist

Whitelist Whole Package

Since version 5.4.0 it is possible to whitelist a whole package. This can be done only in GroovySecurityDefaultSettings.java, in WHITELISTED_PACKAGES. Use it wisely: if you plan to add a new package, check it for all possible security issues first.

Whitelist per Class

Only operations on types that are assignable to whitelisted types are permitted. The whitelist can be extended with custom classes via configuration; such classes can then be used in provisioned IM instances.

Whitelisted types are:

com.fasterxml.jackson.databind.ObjectMapper; groovy.json.JsonBuilder; groovy.json.JsonDelegate; groovy.json.JsonOutput; groovy.json.JsonSlurper; groovy.lang.Closure; groovy.lang.Script; groovy.time.TimeCategory; groovy.util.slurpersupport.GPathResult; io.vavr.control.Try; java.math.RoundingMode; java.text.SimpleDateFormat; java.time.DayOfWeek; java.time.LocalDate; java.time.LocalDateTime; java.time.LocalTime; java.time.Period; java.time.ZoneId; java.time.ZoneOffset; java.time.ZonedDateTime; java.time.format.DateTimeFormatter; java.time.temporal.ChronoUnit; java.util.AbstractCollection; java.util.ArrayList; java.util.Arrays; java.util.BitSet; java.util.Calendar; java.util.Collection; java.util.Collections; java.util.Comparator; java.util.Date; java.util.Formatter; java.util.HashMap; java.util.Iterator; java.util.List; java.util.Locale; java.util.Map; java.util.Random; java.util.Set; java.util.TimeZone; java.util.UUID; java.util.concurrent.ConcurrentHashMap; java.util.concurrent.ConcurrentMap; java.util.concurrent.Future; java.util.concurrent.TimeoutException; java.util.function.Function; lombok.extern.slf4j.Slf4j; net.pricefx.integration.api.NonRecoverableException; net.pricefx.integration.api.client.builder.FilterCriteriaBuilder; net.pricefx.integration.api.client.model.FetchRequest; net.pricefx.integration.api.client.model.Response; net.pricefx.integration.connection.service.ConnectionLookup; net.pricefx.integration.utils.StreamUtils; net.pricefx.integration.mapper.converter.*; net.pricefx.integration.messaging.domain.event.PropertyChangedEvent; org.apache.camel.CamelContext; org.apache.camel.Exchange; org.apache.camel.Expression; org.apache.camel.Message; org.apache.camel.Predicate; org.apache.camel.language.xpath.XPathBuilder; org.apache.camel.spi.PropertiesFunction; org.apache.camel.util.CaseInsensitiveMap; org.apache.commons.codec.digest.DigestUtils; org.apache.commons.collections4.MapUtils; org.apache.commons.collections4.keyvalue.MultiKey; org.apache.commons.lang3.ArrayUtils; org.apache.commons.lang3.BooleanUtils; org.apache.commons.lang3.StringUtils; org.apache.commons.lang3.builder.HashCodeBuilder; org.apache.commons.text.StringEscapeUtils; org.joda.time.DateTime; org.joda.time.DateTimeZone; org.joda.time.Days; java.text.Format; java.time.temporal.Temporal; java.time.temporal.TemporalAmount; java.util.concurrent.TimeUnit; java.util.regex.MatchResult; java.util.regex.Pattern; java.util.stream.Collectors; org.slf4j.Logger; org.slf4j.LoggerFactory;

For the current list of whitelisted classes, see the net.pricefx.integration.groovy.IntegrationGroovyInterceptor class in the IntegrationManager version you use.

Blacklist

After the whitelist check is done, a blacklist check follows. The blacklist restricts the following:

  • The initial capacity of types assignable to java.lang.CharSequence, java.lang.Iterable and java.util.Map must not be bigger than 30,000.

  • The methods sleep(..) and invokeMethod(..) must not be invoked on any type.

  • The method execute(..) must not be invoked on the java.lang.String type.

  • The method evaluate(..) must not be invoked on the groovy.lang.Script type.

  • Blacklisted classes:

    java.lang.System; java.lang.Class;
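The following Groovy script is an added illustration of the whitelist and blacklist rules from the two sections above; it is not IntegrationManager's own code. It assumes the open-source kohsuke groovy-sandbox library (org.kohsuke.groovy.sandbox) as the interception mechanism, which this page does not confirm, and it uses a hypothetical SandboxViolation exception in place of GroovyEvaluationException. The whitelist is only an excerpt of the page's list, with java.lang.String and boxed numbers added as an assumption so that ordinary expressions can run; the customAllowed set plays the role of integration.groovy-sandbox.custom-allowed-types.

```groovy
import org.codehaus.groovy.control.CompilerConfiguration
import org.kohsuke.groovy.sandbox.GroovyInterceptor
import org.kohsuke.groovy.sandbox.SandboxTransformer

// Hypothetical stand-in for net.pricefx.integration.groovy.GroovyEvaluationException.
class SandboxViolation extends RuntimeException {
    SandboxViolation(String msg) { super(msg) }
}

// Applies the rules on this page: whitelist check first, blacklist check second.
class RuleInterceptor extends GroovyInterceptor {
    // Excerpt of the page's whitelist; String and boxed numbers are an assumption.
    static final Set<Class> WHITELIST = [
        String, Integer, Long, BigDecimal, Boolean,
        Closure, Script, Collection, List, Set, Map, ArrayList, HashMap,
        java.time.LocalDate, groovy.json.JsonBuilder, groovy.json.JsonOutput
    ] as Set
    static final Set<Class> BLACKLIST = [System, Class] as Set
    static final List<Class> CAPACITY_LIMITED = [CharSequence, Iterable, Map]
    static final int MAX_INITIAL_CAPACITY = 30000

    // Mirrors integration.groovy-sandbox.custom-allowed-types (constructed here).
    final Set<Class> customAllowed

    RuleInterceptor(Set<Class> customAllowed = [] as Set) {
        this.customAllowed = customAllowed
    }

    private void checkType(Class type) {
        if (!(WHITELIST + customAllowed).any { it.isAssignableFrom(type) })
            throw new SandboxViolation("type not whitelisted: ${type.name}")
        // The blacklist runs after the whitelist, so custom-allowed types cannot override it.
        if (BLACKLIST.any { it.isAssignableFrom(type) })
            throw new SandboxViolation("type is blacklisted: ${type.name}")
    }

    private void checkMethod(Class type, String method) {
        if (method in ['sleep', 'invokeMethod'])
            throw new SandboxViolation("${method}() is forbidden on any type")
        if (method == 'execute' && String.isAssignableFrom(type))
            throw new SandboxViolation("String.execute() is forbidden")
        if (method == 'evaluate' && Script.isAssignableFrom(type))
            throw new SandboxViolation("Script.evaluate() is forbidden")
    }

    @Override
    Object onMethodCall(GroovyInterceptor.Invoker invoker, Object receiver, String method, Object... args) {
        Class type = receiver == null ? Object : receiver.getClass()
        checkType(type)
        checkMethod(type, method)
        return invoker.call(receiver, method, args)
    }

    @Override
    Object onStaticCall(GroovyInterceptor.Invoker invoker, Class receiver, String method, Object... args) {
        checkType(receiver)
        checkMethod(receiver, method)
        return invoker.call(receiver, method, args)
    }

    @Override
    Object onNewInstance(GroovyInterceptor.Invoker invoker, Class receiver, Object... args) {
        checkType(receiver)
        // Initial-capacity rule for CharSequence, Iterable and Map constructors.
        if (CAPACITY_LIMITED.any { it.isAssignableFrom(receiver) }
                && args.length > 0 && args[0] instanceof Integer
                && (args[0] as Integer) > MAX_INITIAL_CAPACITY)
            throw new SandboxViolation("initial capacity ${args[0]} exceeds ${MAX_INITIAL_CAPACITY}")
        return invoker.call(receiver, null, args)
    }
}

// Compiles with the sandbox transformer and runs with the interceptor registered
// on the current thread, which is how the kohsuke sandbox is wired up.
def runSandboxed(String source, Set<Class> customAllowed = [] as Set) {
    def config = new CompilerConfiguration()
    config.addCompilationCustomizers(new SandboxTransformer())
    def interceptor = new RuleInterceptor(customAllowed)
    interceptor.register()
    try {
        return new GroovyShell(config).evaluate(source)
    } finally {
        interceptor.unregister()
    }
}

// Constructed sample scripts, one per rule.
[
    'allowed, list sum'      : '[1, 2, 3].sum()',
    'allowed, json'          : 'new groovy.json.JsonBuilder([a: 1]).toString()',
    'denied, capacity'       : 'new ArrayList(100000)',
    'denied, sleep'          : 'sleep(10)',
    'denied, String.execute' : "'some-command'.execute()",
    'denied, Script.evaluate': 'evaluate("1 + 1")',
    'denied, reflection'     : "'x'.getClass().getMethods()",
    'denied, System'         : 'System.getProperty("user.home")',
].each { label, source ->
    try {
        println "${label.padRight(24)} -> ${runSandboxed(source)}"
    } catch (SandboxViolation e) {
        println "${label.padRight(24)} -> rejected: ${e.message}"
    }
}

// Adding System via the custom-allowed set still fails: the blacklist is checked second.
try {
    runSandboxed('System.getProperty("user.home")', [System] as Set)
} catch (SandboxViolation e) {
    println "custom-allowed System   -> rejected: ${e.message}"
}
```

The two "allowed" scripts return 6 and {"a":1}; every "denied" script is rejected at the rule named in its label. The last block shows why the page says blacklisted classes cannot be whitelisted: System passes the (extended) whitelist check and is then caught by the blacklist check that follows it.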

Implicit Imports

Some classes are implicitly imported and do not need to be referred to by their fully qualified name. They are:

  • groovy.json.JsonBuilder

  • java.time.*

  • java.text.*

Configuration

The Groovy sandbox can be configured via application.properties:

Each entry lists the property, its default value, the version since which it is available, and a description.

integration.groovy-sandbox.enabled
  Default value: true
  Since: 1.1.18
  Description: Turns the Groovy sandbox on or off. Cannot be changed on provisioned instances.

integration.groovy-sandbox.timeout
  Default value: 600
  Since: 1.1.18
  Description: Maximum duration in seconds. Cannot be changed on provisioned instances.

integration.groovy-sandbox.custom-allowed-types
  Default value: (empty)
  Since: 1.1.18
  Description: Adds custom classes to the whitelist. A comma-separated list of fully qualified names of classes to be added to the whitelist. Can be changed on provisioned instances at runtime.


IntegrationManager version 5.8.0