groovy-users mailing list archives

From Owen Rubel <>
Subject Re: Security feedback request: Setting system properties via configuration settings
Date Tue, 18 Aug 2015 14:25:19 GMT
Makes perfect sense considering a lot of the feedback on the forums.

Owen Rubel

On Tue, Aug 18, 2015 at 2:27 AM, Paul King <> wrote:

> Hi folks,
> We are planning to add the ability to set system properties via the
> @GrabConfig annotation[1]. This will allow scripts which use @Grab to
> access an Ivy/Maven repo via a proxy (e.g. using system property
> http.proxyHost) or specify a trust certificate store (using the
> system property) or set other needed system
> properties. This will use System.setProperty under the covers[2], so a
> well-defined security mechanism is in place.
> We don't see this proposed feature as creating any additional security
> risk since you could just as easily add such system properties when
> invoking the JVM at the command-line or have System.setProperty lines in
> your script - the only difference in the latter case is the timing since
> @Grab does its magic during class initialization and adds the grabbed jars
> to the classpath if needed, so the properties must be set before the script
> is run.
> While we don't believe this introduces any new risks, we thought we'd ask
> for wider feedback and see if anyone else perceives any possible security
> risk that we might not be aware of and allow us to modify the proposed
> approach[2] if needed to mitigate any such risks.
> Cheers, Paul.
> [1]
> [2]

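An added example, not part of the thread and not Groovy project code: a Python review helper that lists the system properties a Groovy script sets and marks whether each one is in place before @Grab resolves dependencies, which is the timing difference the quoted message describes. The attribute name `systemProperties` and its `name=value` string form are assumptions (the message does not give the syntax), and the sample script is constructed.

```python
import re

# System.setProperty("key", "value") calls in the script body.
SETPROP_RE = re.compile(
    r"""System\.setProperty\(\s*(['"])(.+?)\1\s*,\s*(['"])(.*?)\3\s*\)""")
# @GrabConfig(...) annotation arguments (no nested parentheses expected).
GRABCONFIG_RE = re.compile(r"@GrabConfig\((.*?)\)", re.S)
# Assumed attribute: systemProperties='k=v,k2=v2' or ['k=v', 'k2=v2'].
SYSPROPS_RE = re.compile(
    r"""systemProperties\s*=\s*(\[.*?\]|'[^']*'|"[^"]*")""", re.S)
PAIR_RE = re.compile(r"""([\w.\-]+)\s*=\s*([^,'"\[\]]*)""")


def line_of(src, offset):
    """1-based line number of a character offset."""
    return src.count("\n", 0, offset) + 1


def find_property_settings(src):
    """Return sorted (line, key, value, set_before_grab) tuples.

    set_before_grab is True for properties declared on @GrabConfig and
    False for System.setProperty calls, which only run once the script
    body executes, after the grabbed jars were already resolved.
    """
    found = []
    for m in SETPROP_RE.finditer(src):
        found.append((line_of(src, m.start()), m.group(2), m.group(4), False))
    for m in GRABCONFIG_RE.finditer(src):
        props = SYSPROPS_RE.search(m.group(1))
        if props:
            for pair in PAIR_RE.finditer(props.group(1)):
                found.append((line_of(src, m.start()), pair.group(1),
                              pair.group(2).strip(), True))
    return sorted(found)


# Constructed sample script; hosts and coordinates are placeholders.
SAMPLE = '''\
@GrabConfig(systemProperties='http.proxyHost=proxy.example.test,http.proxyPort=3128')
@Grab('org.example:demo-lib:1.0')
import org.example.Demo

System.setProperty("http.proxyHost", "late-proxy.example.test")
println Demo.name
'''

if __name__ == "__main__":
    for line, key, value, early in find_property_settings(SAMPLE):
        when = "before @Grab" if early else "after @Grab (script body)"
        print(f"line {line}: {key}={value} [{when}]")
```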