执行外部 groovy 脚本,System.exit()...敏感方法、死循环、超时循环...解决方案

其他 2023-07-01 04:38:36 阅读次数: 0 
import groovy.lang.GroovyClassLoader;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class GroovyClassLocaderConfig {

	@Bean
	public GroovyClassLoader groovyClassLoader( ) {
		GroovyClassLoader classLoader = new GroovyClassLoader();
		return classLoader;
	}
}

import java.security.Permission;

public class GroovySecurityManager extends SecurityManager{
    @Override
    public void checkExit(int status) {
        throw new SecurityException();
    }

    @Override
    public void checkPermission(Permission permission) {
        // 允许其他行为
    }
}


import GroovyClassCacheUtils;
import groovy.lang.GroovyObject;

public class GroovyExector{

    private static final String EXPRESS_SAFE_CHECK_PREVFIX = "import xxx.GroovySecurityManager;\n" +
                                                             "import groovy.transform.TimedInterrupt;\n" +
                                                             "import java.util.concurrent.TimeUnit;\n" +
                                                             "@TimedInterrupt(unit = TimeUnit.MILLISECONDS, value = 10000L)\n" +
                                                             "@groovy.transform.ThreadInterrupt\n" +
                                                             "def safeMethod( serviceBeans ){\n" +
                                                                 // 运行其他『危险』指令之前执行
                                                             "    GroovySecurityManager secManager = new GroovySecurityManager();\n" +
                                                             "    System.setSecurityManager(secManager);\n" +
                                                             "    bootMethod(serviceBeans );\n" +
                                                             "}\n";
    public static Object execute( String express ) {
        try {
            String express_safe = EXPRESS_SAFE_CHECK_PREVFIX + express;
            Class scriptClass = GroovyClassCacheUtils.getClassByGroovyScript( express_safe );
            GroovyObject groovyInstance = (GroovyObject) scriptClass.newInstance();
            try {
                Object testResult = groovyInstance.invokeMethod("safeMethod","xxx");
                if( testResult == null ){
                    throw new BusinessException( "groovy 脚本 bootMethod 方法缺少返回值" );
                }
                return testResult;
            }catch ( SecurityException e ){
                throw new BusinessException( "检测到恶意用户代码..." );
            }
        }catch ( Exception e ){
            throw new BusinessException( e.getMessage() );
        }
    }
}

public class Test(){
     public static void main(String[] args) {
        String express = "def bootMethod(  ){\n" +
                        "   int i = 0;\n" +
                        "   while( true ){\n" +
                        "       System.out.println( i++ );\n" +
                        "       Thread.sleep( 100L );\n" +
                        "   }\n" +
                        "   System.exit( 0 );\n" +
                        "}";

        GroovyExector.execute( express );
    }
}
import groovy.lang.GroovyClassLoader;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

import java.util.HashMap;
import java.util.Map;

@Component
public class GroovyClassCacheUtils {

    private static GroovyClassLoader groovyClassLoader;

    @Autowired
    public void setGroovyClassLoader( GroovyClassLoader groovyClassLoader ) {
        GroovyClassCacheUtils.groovyClassLoader = groovyClassLoader;
    }

    /**
     * 缓存 md5 和 groovy 脚本解析生成的 java class 的 map
     */
    private static final Map<String,Class> GROOVY_CLASS_MAP = new HashMap<>();

    /**
     * 该方法可能在多线程环境下使用,所以要加锁
     * @param groovyScript
     */
    public static Class getClassByGroovyScript( String groovyScript ){
        String md5 = MD5Utils.generateStringMD5(groovyScript);
        Class scriptClass = GroovyClassCacheUtils.GROOVY_CLASS_MAP.get( md5 );
        if( scriptClass == null ){
            synchronized(GroovyClassCacheUtils.class){
                if( scriptClass == null ){
                    scriptClass = GroovyClassCacheUtils.groovyClassLoader.parseClass( groovyScript );
                    GroovyClassCacheUtils.GROOVY_CLASS_MAP.put( md5,scriptClass );
                }
            }
        }
        return scriptClass;
    }
}

ps:这里有一个坑,就是当 class GroovySecurityManager 定义在 groovy 脚本里面的话,使用 @TimedInterrupt(unit = TimeUnit.MILLISECONDS, value = 10000L) 和 @groovy.transform.ThreadInterrupt 注解,会发生 Stack Overflow

猜你喜欢

转载自blog.csdn.net/heshiyuan1406146854/article/details/128938867
今日推荐
周排行
vue + echart +map中国地图,省市地图,区县地图
spring boot2 (31)-cors跨域请求
『学习资料推荐』299元买的微信营销资料打包
个人学习卷积神经网络的疑惑解答
网络工程师-软考
模拟人生4 春夏秋冬、星梦起飞版更新下载方法以及常见问题
python关于对象的字符串显示str和repr以及
奇怪的session混乱问题
【3】分治法(divide-and-conquer)
Java项目开发成绩管理系统(九) 各模块实现信息修改
每日归档
更多
2024-08-07(0)
2024-08-06(0)
2024-08-05(0)
2024-08-04(0)
2024-08-03(0)
2024-08-02(0)
2024-08-01(0)
2024-07-31(0)
2024-07-30(0)
2024-07-29(0)

代码天地 © 2018 codetd.com

境外服务器   最新电视剧2022