blacklist additional methods

CleanroomMC · Jul 11, 2024 · fa48e29 · fa48e29
1 parent 6d63e46
commit fa48e29
Show file tree

Hide file tree

Showing 2 changed files with 58 additions and 6 deletions.
diff --git a/src/main/java/com/cleanroommc/groovyscript/core/mixin/groovy/MetaClassImplMixin.java b/src/main/java/com/cleanroommc/groovyscript/core/mixin/groovy/MetaClassImplMixin.java
@@ -1,16 +1,20 @@
 package com.cleanroommc.groovyscript.core.mixin.groovy;
 
 import com.cleanroommc.groovyscript.GroovyScript;
+import com.cleanroommc.groovyscript.api.GroovyLog;
 import com.cleanroommc.groovyscript.api.IDynamicGroovyProperty;
+import com.cleanroommc.groovyscript.sandbox.security.GroovySecurityManager;
 import groovy.lang.*;
+import org.codehaus.groovy.reflection.CachedClass;
 import org.codehaus.groovy.runtime.metaclass.MetaClassRegistryImpl;
 import org.spongepowered.asm.mixin.Mixin;
-import org.spongepowered.asm.mixin.Overwrite;
-import org.spongepowered.asm.mixin.Shadow;
+import org.spongepowered.asm.mixin.*;
 import org.spongepowered.asm.mixin.injection.At;
 import org.spongepowered.asm.mixin.injection.Inject;
+import org.spongepowered.asm.mixin.injection.callback.CallbackInfo;
 import org.spongepowered.asm.mixin.injection.callback.CallbackInfoReturnable;
 
+import java.util.Arrays;
 import java.util.Map;
 
 @Mixin(value = MetaClassImpl.class, remap = false)
@@ -28,6 +32,50 @@ public abstract class MetaClassImplMixin {
     @Shadow
     protected abstract MetaProperty getMetaProperty(String name, boolean useStatic);
 
+    @Shadow
+    protected abstract MetaMethod[] getNewMetaMethods(CachedClass c);
+
+    @Shadow
+    public abstract CachedClass getTheCachedClass();
+
+    @Mutable
+    @Shadow
+    @Final
+    private MetaMethod[] myNewMetaMethods;
+
+    @Mutable
+    @Shadow
+    @Final
+    private MetaMethod[] additionalMetaMethods;
+
+    @Inject(method = "<init>(Ljava/lang/Class;[Lgroovy/lang/MetaMethod;)V", at = @At("TAIL"))
+    public void removeBlacklistedAdditional(Class<?> theClass, MetaMethod[] add, CallbackInfo ci) {
+        if (additionalMetaMethods.length > 0) {
+            MetaMethod[] mms = new MetaMethod[additionalMetaMethods.length];
+            int i = 0;
+            for (MetaMethod mm : additionalMetaMethods) {
+                if (GroovySecurityManager.INSTANCE.isValid(mm)) {
+                    mms[i++] = mm;
+                }
+            }
+            if (i != additionalMetaMethods.length) {
+                additionalMetaMethods = Arrays.copyOf(mms, i);
+            }
+        }
+        if (myNewMetaMethods.length > 0) {
+            MetaMethod[] mms = new MetaMethod[myNewMetaMethods.length];
+            int i = 0;
+            for (MetaMethod mm : myNewMetaMethods) {
+                if (GroovySecurityManager.INSTANCE.isValid(mm)) {
+                    mms[i++] = mm;
+                }
+            }
+            if (i != myNewMetaMethods.length) {
+                myNewMetaMethods = Arrays.copyOf(mms, i);
+            }
+        }
+    }
+
     @Inject(method = "invokeMethod(Ljava/lang/Class;Ljava/lang/Object;Ljava/lang/String;[Ljava/lang/Object;ZZ)Ljava/lang/Object;", at = @At("HEAD"), cancellable = true)
     public void invokeMethod(Class<?> sender, Object object, String methodName, Object[] arguments, boolean isCallToSuper, boolean fromInsideClass, CallbackInfoReturnable<Object> cir) {
         try {

diff --git a/src/main/java/com/cleanroommc/groovyscript/sandbox/security/GroovySecurityManager.java b/src/main/java/com/cleanroommc/groovyscript/sandbox/security/GroovySecurityManager.java
@@ -5,17 +5,15 @@
 import com.cleanroommc.groovyscript.sandbox.expand.LambdaClosure;
 import groovy.lang.GroovyClassLoader;
 import groovy.lang.GroovyShell;
+import groovy.lang.MetaMethod;
 import groovy.ui.GroovyMain;
 import groovy.ui.GroovySocketServer;
 import groovy.util.Eval;
 import groovy.util.GroovyScriptEngine;
 import it.unimi.dsi.fastutil.objects.Object2ObjectOpenHashMap;
 import it.unimi.dsi.fastutil.objects.ObjectOpenHashSet;
 import org.apache.commons.io.FileUtils;
-import org.codehaus.groovy.runtime.FormatHelper;
-import org.codehaus.groovy.runtime.GStringImpl;
-import org.codehaus.groovy.runtime.NullObject;
-import org.codehaus.groovy.runtime.RegexSupport;
+import org.codehaus.groovy.runtime.*;
 
 import java.io.PrintWriter;
 import java.lang.reflect.Field;
@@ -62,6 +60,8 @@ public void initDefaults() {
         banClasses(GroovyScriptEngine.class, Eval.class, GroovyMain.class, GroovySocketServer.class, GroovyShell.class, GroovyClassLoader.class);
         banMethods(System.class, "exit", "gc", "setSecurityManager");
         banMethods(Class.class, "getResource", "getResourceAsStream");
+        banMethods(String.class, "execute");
+        banMethods(ProcessGroovyMethods.class, "execute");
         banClasses(FileUtils.class, org.apache.logging.log4j.core.util.FileUtils.class);
 
         // mod specific
@@ -109,6 +109,10 @@ public boolean isValid(Method method) {
                !method.isAnnotationPresent(GroovyBlacklist.class);
     }
 
+    public boolean isValid(MetaMethod method) {
+        return isValidMethod(method.getDeclaringClass().getTheClass(), method.getName());
+    }
+
     public boolean isValid(Field field) {
         return !field.isAnnotationPresent(GroovyBlacklist.class);
     }