Update GroovyInjection.qhelp

Hayk Andriasyan
2021-04-20 15:41:58 +04:00
committed by GitHub
parent f2de440886
commit bb58a50503


@@ -29,7 +29,7 @@ The fundamental problem is that Groovy is a dynamic language, yet SecureASTCusto
This makes it very easy for an attacker to bypass many of the intended checks
(see https://kohsuke.org/2012/04/27/groovy-secureastcustomizer-is-harmful/).
Therefore, besides SecureASTCustomizer, runtime checks are also necessary before calling Groovy methods
Therefore, besides <code>SecureASTCustomizer</code>, runtime checks are also necessary before calling Groovy methods
(see https://melix.github.io/blog/2015/03/sandboxing.html).
It is also possible to use a block-list method, excluding unwanted classes from being loaded by the JVM.
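
Review bot: Only the occurrence of SecureASTCustomizer on the changed line gets the <code> markup; the sentence shown in the hunk header mentions the same class, so please check that it and any other mentions in this paragraph are wrapped the same way for consistency. While this paragraph is being touched for markup, the two URLs in the parenthetical context lines (kohsuke.org and melix.github.io) are still bare text; consider turning them into links or moving them to the file's references. The final context line about the block-list method also does not say how classes are excluded from loading, so a short pointer to the mechanism would make that advice actionable.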