Style last use of SecureASTCustomizer

Chris Smowton
2021-04-20 12:44:49 +01:00
committed by GitHub
parent bb58a50503
commit 0ec3ee29e4


@@ -25,7 +25,7 @@ a Groovy script (see the article "Abusing Meta Programming for Unauthenticated R
Groovy's <code>SecureASTCustomizer</code> allows securing source code by controlling what code constructs are permitted.
This is typically done when using Groovy for its scripting or domain specific language (DSL) features.
The fundamental problem is that Groovy is a dynamic language, yet SecureASTCustomizer works by looking at Groovy AST statically.
The fundamental problem is that Groovy is a dynamic language, yet <code>SecureASTCustomizer</code> works by looking at Groovy AST statically.
This makes it very easy for an attacker to bypass many of the intended checks
(see https://kohsuke.org/2012/04/27/groovy-secureastcustomizer-is-harmful/).
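Review bot: the `<code>` wrapping of `SecureASTCustomizer` now matches the first context line of the hunk, so the class name is rendered consistently as code throughout the paragraph; no change in meaning. While doing a style pass on this paragraph, consider also turning the bare `https://kohsuke.org/2012/04/27/groovy-secureastcustomizer-is-harmful/` reference on the last context line into a proper link, since the surrounding text already uses HTML markup.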