Re: [PR] Support for groovy static analysis for groovy scripts [pinot]

Mon, 17 Feb 2025 13:21:57 -0800 


Jackie-Jiang commented on code in PR #14844:
URL: https://github.com/apache/pinot/pull/14844#discussion_r1958777160


##########
pinot-segment-local/src/main/java/org/apache/pinot/segment/local/function/GroovyFunctionEvaluator.java:
##########
@@ -72,13 +83,65 @@ public GroovyFunctionEvaluator(String closure) {
     }
     _numArguments = _arguments.size();
     _binding = new Binding();
-    _script = new 
GroovyShell(_binding).parse(matcher.group(SCRIPT_GROUP_NAME));
+    final String scriptText = matcher.group(SCRIPT_GROUP_NAME);

Review Comment:
   (minor) We don't usually use `final` for local variables



##########
pinot-segment-local/src/main/java/org/apache/pinot/segment/local/function/GroovyFunctionEvaluator.java:
##########
@@ -72,13 +83,65 @@ public GroovyFunctionEvaluator(String closure) {
     }
     _numArguments = _arguments.size();
     _binding = new Binding();
-    _script = new 
GroovyShell(_binding).parse(matcher.group(SCRIPT_GROUP_NAME));
+    final String scriptText = matcher.group(SCRIPT_GROUP_NAME);
+
+    final GroovyStaticAnalyzerConfig groovyStaticAnalyzerConfig = getConfig();
+    _script = createSafeShell(_binding, 
groovyStaticAnalyzerConfig).parse(scriptText);
   }
 
   public static String getGroovyExpressionPrefix() {
     return GROOVY_EXPRESSION_PREFIX;
   }
 
+  /**
+   * This will create a Groovy Shell that is configured with static syntax 
analysis. This static syntax analysis
+   * will that any script which is run is restricted to a specific list of 
allowed operations, thus making it harder
+   * to execute malicious code.
+   *
+   * @param binding Binding instance to be used by Groovy Shell.
+   * @param groovyConfig GroovyStaticAnalyzerConfig instance to be used for 
static syntax analysis.
+   * @return GroovyShell instance with static syntax analysis.
+   */
+  private GroovyShell createSafeShell(Binding binding, 
GroovyStaticAnalyzerConfig groovyConfig) {

Review Comment:
   Do you anticipate performance overhead for the safe shell?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@pinot.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@pinot.apache.org
For additional commands, e-mail: commits-h...@pinot.apache.org

Reply via email to