Groovy Sandbox
As IntegrationManager runs untrusted Groovy scripts that could contain malicious code, the Groovy scripts must be evaluated inside a sandbox that prevents malicious code. If the sandbox detects a forbidden code, it throws an exception of the type net.pricefx.integration.groovy.GroovyEvaluationException.
Provisioned IM instances have the sandbox enabled by default and this cannot be changed. However, IM core team may extend the whitelist of permitted classes using the integration.groovy-sandbox.custom-allowed-types
 property on config-server. You cannot whitelist blacklisted classes.
Custom IM integrations (e.g. using maven-archetype) have full control over the sandbox and may disable it completely. However, this is strongly discouraged as it can lead to associated issues.
Sandbox Rules
Sandbox recognizes the forbidden code by matching Groovy expressions against a whitelist and blacklist.
Whitelist
Whitelist Whole Package
Since version 5.4.0 it is possible to white list a whole package. It can be done only in GroovySecurityDefaultSettings.java
WHITELISTED_PACKAGES
. Please use it wisely. If you plan to add a new package, check for all possible security issues.
Whitelist per Class
Only operations on types that are assignable to whitelisted types are permitted. The whitelist could be extended with custom classes via configuration. These whitelisted classes can be used in Provisioned IM classes.
Whitelisted types are:Â
com.fasterxml.jackson.databind.ObjectMapper;
groovy.json.JsonBuilder;
groovy.json.JsonDelegate;
groovy.json.JsonOutput;
groovy.json.JsonSlurper;
groovy.lang.Closure;
groovy.lang.Script;
groovy.time.TimeCategory;
groovy.util.slurpersupport.GPathResult;
io.vavr.control.Try;
java.math.RoundingMode;
java.text.SimpleDateFormat;
java.time.DayOfWeek;
java.time.LocalDate;
java.time.LocalDateTime;
java.time.LocalTime;
java.time.Period;
java.time.ZoneId;
java.time.ZoneOffset;
java.time.ZonedDateTime;
java.time.format.DateTimeFormatter;
java.time.temporal.ChronoUnit;
java.util.AbstractCollection;
java.util.ArrayList;
java.util.Arrays;
java.util.BitSet;
java.util.Calendar;
java.util.Collection;
java.util.Collections;
java.util.Comparator;
java.util.Date;
java.util.Formatter;
java.util.HashMap;
java.util.Iterator;
java.util.List;
java.util.Locale;
java.util.Map;
java.util.Random;
java.util.Set;
java.util.TimeZone;
java.util.UUID;
java.util.concurrent.ConcurrentHashMap;
java.util.concurrent.ConcurrentMap;
java.util.concurrent.Future;
java.util.concurrent.TimeoutException;
java.util.function.Function;
lombok.extern.slf4j.Slf4j;
net.pricefx.integration.api.NonRecoverableException;
net.pricefx.integration.api.client.builder.FilterCriteriaBuilder;
net.pricefx.integration.api.client.model.FetchRequest;
net.pricefx.integration.api.client.model.Response;
net.pricefx.integration.connection.service.ConnectionLookup;
net.pricefx.integration.utils.StreamUtils;
net.pricefx.integration.mapper.converter.*;
net.pricefx.integration.messaging.domain.event.PropertyChangedEvent;
org.apache.camel.CamelContext;
org.apache.camel.Exchange;
org.apache.camel.Expression;
org.apache.camel.Message;
org.apache.camel.Predicate;
org.apache.camel.language.xpath.XPathBuilder;
org.apache.camel.spi.PropertiesFunction;
org.apache.camel.util.CaseInsensitiveMap;
org.apache.commons.codec.digest.DigestUtils;
org.apache.commons.collections4.MapUtils;
org.apache.commons.collections4.keyvalue.MultiKey;
org.apache.commons.lang3.ArrayUtils;
org.apache.commons.lang3.BooleanUtils;
org.apache.commons.lang3.StringUtils;
org.apache.commons.lang3.builder.HashCodeBuilder;
org.apache.commons.text.StringEscapeUtils;
org.joda.time.DateTime;
org.joda.time.DateTimeZone;
org.joda.time.Days;
java.text.Format;
java.time.temporal.Temporal;
java.time.temporal.TemporalAmount;
java.util.concurrent.TimeUnit;
java.util.regex.MatchResult;
java.util.regex.Pattern;
java.util.stream.Collectors;
org.slf4j.Logger;
org.slf4j.LoggerFactory;
 For an actual list of whitelisted classes, see the net.pricefx.integration.groovy.IntegrationGroovyInterceptor class in the IntegrationManager version you use.
Blacklist
After the whitelist check is done, a blacklist check follows. The blacklist restricts the following:
Initial capacity of types assignable to
java.lang.CharSequence
,java,lang.Iterable
andjava.util.Map
is not bigger than 30,000.Methods
sleep(..)
andinvokeMethod(..)
are not invoked on any type.Method
execute(..)
is not invoked on theÂjava.lang.String
type.Method
evaluate(..)
is not invoked on theÂgroovy.lang.Script
type.Blacklisted classes:
java.lang.System; java.lang.Class;
Implicit Imports
There are some implicitly imported classes which are not referred by their fully qualified domain name. They are:
groovy.json.JsonBuilder
java.time.*
java.text.*
Configuration
The Groovy sandbox can be configured via application.properties:
Property | Default Value | Since | Description |
---|---|---|---|
| true | 1.1.18 | Turns the Groovy sandbox on or off. |
| 600 | 1.1.18 | Maximum duration in seconds. |
| 1.1.18 | Adds custom classes to the whitelist. A comma separated list of fully qualified domain names of classes to be added to the whitelist. |
Â
IntegrationManager version 5.8.0