groovy-users mailing list archives

From Paul King <pa...@asert.com.au>
Subject Security feedback request: Setting system properties via configuration settings
Date Tue, 18 Aug 2015 09:27:11 GMT

Hi folks,

We are planning to add the ability to set system properties via the @GrabConfig annotation[1].
This will allow scripts which use @Grab to access an Ivy/Maven repo via a proxy (e.g. using
system property http.proxyHost) or specify a trust certificate store (using the javax.net.ssl.keystore
system property) or set other needed system properties. This will use System.setProperty under
the covers[2], so a well-defined security mechanism is in place.

We don't see this proposed feature as creating any additional security risk since you could
just as easily add such system properties when invoking the JVM at the command-line or have
System.setProperty lines in your script - the only difference in the latter case is the timing
since @Grab does its magic during class initialization and adds the grabbed jars to the classpath
if needed, so the properties must be set before the script is run.

While we don't believe this introduces any new risks, we thought we'd ask for wider feedback
and see if anyone else perceives any possible security risk that we might not be aware of
and allow us to modify the proposed approach[2] if needed to mitigate any such risks.

Cheers, Paul.
[1] https://issues.apache.org/jira/browse/GROOVY-7548
[2] https://github.com/apache/incubator-groovy/pull/83
