GroovyClassLoader parseClass security


I'm building a Grails application that allows a user to write Groovy code, which then gets executed within my framework. This, of course, is a massive security threat, as the user could enter malicious code.

The Groovy classes are being compiled on-the-fly with GroovyClassLoader#parseClass(String).

I would like to heavily restrict the classes and operations that the user-written Groovy class can access. There seem to be two general options, which are not mutually exclusive:

1) To use SecurityManager and a policy file to restrict what code from a specific codeSource is allowed to do,

2) To extend GroovyClassLoader and implement a package whitelist or blacklist to restrict which classes can be accessed by user code.

Untrusted code must not be able to access GORM or the database by any means, read or write to local disk, open network sockets, write to console etc.

I have already implemented the SecurityManager approach and it partially works, blocking the ability to at least read files, open sockets, exit the VM etc.

However, the attacker can still write to the console via Groovy println(String) (not a significant issue), and worse: she can successfully do User.list() to get all users and their hashed passwords, as well as everything else in the DB! How can I prevent this?

I'm thinking of extending GroovyClassLoader to prevent the user script from loading, for example, my domain classes in the first place. Will this be sufficient? Would you suggest something else? How can I make sure I leave no holes?

1 answer

Seagull

You can go another way: not protecting methods, but providing your environment to user code (sandbox).

Look here for example.

Also consider a white-list policy: deny all but what is not allowed. It will prevent you from forgetting something critical.
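As an added illustration of the deny-by-default compile-time whitelist the question (option 2) and this answer both point at, the following Groovy snippet is not from either poster; it wires a SecureASTCustomizer into the CompilerConfiguration that the GroovyClassLoader used for parseClass(String) is built with. The domain class name com.example.User and the allowed-class list are assumptions chosen for the example; the property names are the Groovy 2/3 spellings (Groovy 4 renames them to *AllowedList / *DisallowedList and keeps these as deprecated aliases).

```groovy
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.CompilationFailedException
import org.codehaus.groovy.control.customizers.SecureASTCustomizer

// Deny-by-default AST filter: anything not on these lists fails at compile time,
// before parseClass() returns a Class the framework could instantiate.
def secure = new SecureASTCustomizer()
secure.with {
    importsWhitelist           = ['java.lang.Math']   // only explicit imports listed here
    starImportsWhitelist       = []                    // no wildcard imports at all
    staticImportsWhitelist     = []
    staticStarImportsWhitelist = []
    indirectImportCheckEnabled = true  // also catch fully-qualified names used without an import
    // Static receiver types user code may call methods on. Object is needed for the
    // script's own implicit 'this' calls; domain classes such as User are deliberately absent.
    receiversClassesWhiteList  = [Object, Math, String, Integer, Long, Double, BigDecimal]
    packageAllowed             = false // user scripts may not declare a package
    methodDefinitionAllowed    = true
}

def config = new CompilerConfiguration()
config.addCompilationCustomizers(secure)

// Child of the application loader; the whitelist, not the parent, decides what user code may reference.
def userLoader = new GroovyClassLoader(this.class.classLoader, config)

// Compile untrusted source; a whitelist violation surfaces as a CompilationFailedException
// (the SecureASTCustomizer's SecurityException is collected as a compilation error).
Class compileUserScript(GroovyClassLoader loader, String source) {
    try {
        return loader.parseClass(source)
    } catch (CompilationFailedException e) {
        println "rejected: ${e.message}"
        return null
    }
}

// Constructed sample inputs (not from the page):
assert compileUserScript(userLoader, 'Math.max(2, 3) * 7') != null
assert compileUserScript(userLoader, 'com.example.User.list()') == null          // indirect import check
assert compileUserScript(userLoader, 'import com.example.User; User.list()') == null  // import whitelist
```

The receiver check is resolved on the static type the compiler sees, so a value whose class is only known at run time is checked as Object; this is why the AST whitelist complements rather than replaces the SecurityManager and policy file the question already has in place, and why the loader should be a dedicated child loader rather than the application loader itself.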