
Groovy Sandbox does need explicit whitelist on nested primitive Array type

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1, 6.5.0, 6.5.0.1, 6.0.0.7, 6.5.1, 6.5.0.2, 6.5.2, 6.5.2.1, 6.5.2.2, 6.5.2.3, 5.5.2
    • Fix Version/s: 5.5.3, 7.0.0, 6.5.3
    • Component/s: scripting
    • Labels:
      None
    • Needs backport:
      Yes
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      When using Groovy for the OIDC claims map, calling identity.getBinaryAttributes(attributeSet), where attributeSet names a binary attribute such as userCertificate or photo, as in

      attribute = "photo"
      // returns a map of attribute name -> binary value(s)
      attrMap = identity.getBinaryAttributes([ attribute ].toSet())
      logger.error("got Map "+attrMap)
      // touching the array value is what trips the sandbox class whitelist
      logger.error("got Attribute from map "+ attrMap.get(attribute))
      

      will fail because both [B (the JVM name for byte[]) and the primitive byte have to be whitelisted.

      How to reproduce the issue

      1. Create realm
      2. Create a user
      3. Add a user attribute, say "photo", and fill it with some binary value (anything)
      4. For the realm add photo to the LDAP User attributes
      5. Create an OAuth2 Provider (using the OIDC wizard)
      6. Create a new OIDC client
      7. Append the above code (before the "return new UserInfoClaim") in the OIDC claims script
      8. Get a password flow for the OIDC
      9. See failure.
      Expected behaviour
      Whitelisting just the primitive type byte should be enough, but currently [B has to be whitelisted as well, which OPENAM-4347 did not fix completely.
      
      Current behaviour
      The script fails because the types need whitelisting (expected), but the details are in the Groovy issue.
      

      Work around

      Whitelist anything needed

      Code analysis

      GroovySandboxValueFilter should loop (while) to reduce an array class to its component type, so that only the component type needs to be on the whitelist. The current code strips a single array dimension only:

      // strips one array dimension only; a nested array such as byte[][] is left as byte[] ("[B")
      if (clazz.isArray()) {
          clazz = clazz.getComponentType();
      }
      

      Change the "if" to a "while".
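As an added illustration (not OpenAM's own GroovySandboxValueFilter code), the following compares the single "if" unwrapping with the proposed "while" loop against a hypothetical whitelist that contains only the primitive byte; the byte[][] input is an assumed stand-in for a multi-valued binary attribute.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added illustration, not OpenAM's GroovySandboxValueFilter: shows why a
// single "if" leaves "[B" (byte[]) unwhitelisted for nested arrays while a
// "while" loop reduces every dimension down to the primitive component type.
public class ArrayComponentWhitelistDemo {

    // Hypothetical whitelist: only the primitive byte and String are permitted.
    private static final Set<Class<?>> WHITELIST =
            new HashSet<>(Arrays.asList(byte.class, String.class));

    // Current behaviour: strip at most one array dimension.
    static Class<?> unwrapOnce(Class<?> clazz) {
        if (clazz.isArray()) {
            clazz = clazz.getComponentType();
        }
        return clazz;
    }

    // Proposed behaviour: strip every array dimension down to the element type.
    static Class<?> unwrapAll(Class<?> clazz) {
        while (clazz.isArray()) {
            clazz = clazz.getComponentType();
        }
        return clazz;
    }

    static boolean allowedOnce(Class<?> clazz) {
        return WHITELIST.contains(unwrapOnce(clazz));
    }

    static boolean allowedAll(Class<?> clazz) {
        return WHITELIST.contains(unwrapAll(clazz));
    }

    public static void main(String[] args) {
        // byte[] (JVM name "[B"): accepted either way once byte is whitelisted.
        System.out.println("byte[]   once=" + allowedOnce(byte[].class)
                + " all=" + allowedAll(byte[].class));          // once=true all=true
        // byte[][] ("[[B"), assumed shape of a multi-valued binary attribute value:
        // the single "if" stops at byte[] ("[B"), which is not whitelisted, so the
        // script is rejected unless "[B" is added explicitly; the loop reaches byte.
        System.out.println("byte[][] once=" + allowedOnce(byte[][].class)
                + " all=" + allowedAll(byte[][].class));        // once=false all=true
    }
}
```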

              People

              • Assignee: Neil Madden (neil.madden)
              • Reporter: C-Weng C (chee-weng.chea)