Script Sandbox Configuration¶
When a script is executed all code is validated against a blacklist of insecure expressions to prevent code that could compromise the system. When you try to execute a script that contains insecure expressions you will see an error similar to this:
UnsupportedOperationException: Insecure call staticMethod java.lang.Runtime getRuntime ...
It is recommended to keep the default configuration if possible. However, if a site requires access to one or more of the blacklisted expressions it is possible to override the configuration:
When you allow a script to make an insecure call you should make sure it can only be executed with known arguments and never with unverified user input.
Using a custom blacklist¶
Crafter Engine includes a default blacklist that you can find here. Make sure you review the branch/tag you’re using.
To use a custom blacklist follow these steps:
Copy the default blacklist file to your classpath, for example:
Remove or comment (adding a
#at the beginning of the line) the expressions that your scripts require
Update the configuration to load the custom blacklist:
# Use a custom blacklist for the sandbox crafter.engine.groovy.sandbox.blacklist=classpath:crafter/engine/extension/groovy/blacklist
Restart Crafter CMS
Now you can execute the same script without any issues.
Adding dependencies with Grapes¶
If your Groovy code need to use external dependencies you can use Grapes, however, when the Groovy sandbox is enabled
dependencies can only be downloaded during the initial compilation and not during runtime. For this reason it is
required to add an extra parameter
initClass=false in the annotations to prevent them to be copied to the classes:
@Grab(group='org.apache.commons', module='commons-pool2', version='2.8.0', initClass=false) @Grab(value='org.apache.commons:commons-pool2:2.8.0', initClass=false)
Disabling the Groovy Sandbox¶
It is possible to completely disable the Groovy sandbox for all scripts. To disable the sandbox for all sites update the server configuration file:
# Disable the script sandbox for all sites crafter.engine.groovy.sandbox.enable=false