groovy-users mailing list archives

From Owen Rubel <oru...@gmail.com>
Subject Re: Security feedback request: Setting system properties via configuration settings
Date Tue, 18 Aug 2015 14:25:19 GMT
Makes perfect sense considering a lot of the feedback on the forums.

Owen Rubel
415-971-0976
orubel@gmail.com

On Tue, Aug 18, 2015 at 2:27 AM, Paul King <paulk@asert.com.au> wrote:

>
> Hi folks,
>
> We are planning to add the ability to set system properties via the
> @GrabConfig annotation[1]. This will allow scripts which use @Grab to
> access an Ivy/Maven repo via a proxy (e.g. using system property
> http.proxyHost) or specify a trust certificate store (using the
> javax.net.ssl.keystore system property) or set other needed system
> properties. This will use System.setProperty under the covers[2], so a
> well-defined security mechanism is in place.
>
> We don't see this proposed feature as creating any additional security
> risk since you could just as easily add such system properties when
> invoking the JVM at the command-line or have System.setProperty lines in
> your script - the only difference in the latter case is the timing since
> @Grab does its magic during class initialization and adds the grabbed jars
> to the classpath if needed, so the properties must be set before the script
> is run.
>
> While we don't believe this introduces any new risks, we thought we'd ask
> for wider feedback and see if anyone else perceives any possible security
> risk that we might not be aware of and allow us to modify the proposed
> approach[2] if needed to mitigate any such risks.
>
> Cheers, Paul.
> [1] https://issues.apache.org/jira/browse/GROOVY-7548
> [2] https://github.com/apache/incubator-groovy/pull/83
>
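
The quoted message relies on System.setProperty being covered by an existing security mechanism; the following added example (not part of the thread and not code from the Groovy project) shows that mechanism, the SecurityManager check for PropertyPermission(key, "write"), refusing a write outside an allow-list. Assumptions: the class name, the allow-list and the sample values are constructed for illustration, the second key is spelled as in the message, and the JDK must still permit installing a SecurityManager at runtime (Java 17 or earlier; the API was deprecated for removal in Java 17).

```java
import java.security.Permission;
import java.util.Arrays;
import java.util.HashSet;
import java.util.PropertyPermission;
import java.util.Set;

public class PropertyWriteGuard {
    // Constructed allow-list for this example: only proxy settings may be written.
    static final Set<String> WRITABLE =
            new HashSet<>(Arrays.asList("http.proxyHost", "http.proxyPort"));

    // System.setProperty(key, value) asks the installed SecurityManager for
    // PropertyPermission(key, "write") before it changes anything.
    static class Guard extends SecurityManager {
        @Override
        public void checkPermission(Permission p) {
            if (p instanceof PropertyPermission
                    && p.getActions().contains("write")
                    && !WRITABLE.contains(p.getName())) {
                throw new SecurityException(
                        "write to system property denied: " + p.getName());
            }
            // Every other permission is granted to keep the example short;
            // a real policy would not do this.
        }
    }

    // Returns true if the write went through, false if the guard refused it.
    static boolean trySet(String key, String value) {
        try {
            System.setProperty(key, value);
            return true;
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        System.setSecurityManager(new Guard());
        // Allowed key: the write succeeds.
        System.out.println(trySet("http.proxyHost", "proxy.example.test"));
        // Key outside the allow-list: refused, and the property stays unset.
        System.out.println(trySet("javax.net.ssl.keystore", "/tmp/constructed.jks"));
        System.out.println(System.getProperty("javax.net.ssl.keystore"));
    }
}
```

The same check applies whether the write comes from a line in the script or from code that calls System.setProperty on the script's behalf, provided a SecurityManager is installed before that code runs.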
