- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 5.5.1, 6.5.0, 6.5.0.1, 6.0.0.7, 6.5.1, 6.5.0.2, 6.5.2, 6.5.2.1, 6.5.2.2, 6.5.2.3, 5.5.2
- Component/s: scripting
- Labels: None
Bug description
When using Groovy for the OIDC claims map, calling identity.getBinaryAttributes(attributeSet) where attributeSet names an attribute holding binary data, such as userCertificate or photo, for example:

    attribute = "photo"
    attrMap = identity.getBinaryAttributes([ attribute ].toSet())
    logger.error("got Map " + attrMap)
    logger.error("got Attribute from map " + attrMap.get(attribute))

fails because both [B (the JVM name for byte[]) and byte have to be whitelisted.
How to reproduce the issue
- Create a realm
- Create a user
- Add a user attribute, say "photo", and fill it with some binary value (anything)
- For the realm, add photo to the LDAP User Attributes
- Create an OAuth2Provider (using the OIDC wizard)
- Create a new OIDC client
- Append the above code to the OIDC claims script (before the "return new UserInfoClaim" line)
- Perform a password flow for the OIDC client
- See the failure
Expected behaviour
Whitelisting just the primitive type byte should be enough, but currently [B has to be whitelisted as well. OPENAM-4347 did not fix this completely.
Current behaviour
Fails because whitelisting is required (which is expected); the details are in the Groovy issue.
Work around
Whitelist everything that is needed.
Code analysis
The GroovySandboxValueFilter should loop while the class is an array type, reducing it to its component type, so that only the component type needs to be whitelisted. Currently it strips a single array dimension:

    if (clazz.isArray()) {
        clazz = clazz.getComponentType();
    }

Change the "if" to a "while".
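As an added illustration (not code from OpenAM or from this ticket), the following Java snippet puts the single "if" reduction beside the proposed "while" reduction and runs both over constructed sample values. It assumes a hypothetical whitelist that names only component types, and that the attribute values returned by getBinaryAttributes arrive as byte[][] (one byte[] per attribute value), which is why one reduction step leaves [B rather than byte.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added illustration of the fix described above; this is not OpenAM's
// GroovySandboxValueFilter, only a minimal stand-in for its class reduction
// step. The whitelist and the sample values are constructed for the demo.
public class ArrayReductionDemo {

    // Hypothetical whitelist: only component types are listed, never array types.
    private static final Set<String> WHITELIST =
            new HashSet<>(Arrays.asList("byte", "java.lang.String", "java.util.HashMap"));

    // Current behaviour: strips a single array dimension, so byte[][] -> byte[] ("[B").
    static Class<?> reduceWithIf(Class<?> clazz) {
        if (clazz.isArray()) {
            clazz = clazz.getComponentType();
        }
        return clazz;
    }

    // Proposed fix: strips every array dimension, so byte[][] -> byte[] -> byte.
    static Class<?> reduceWithWhile(Class<?> clazz) {
        while (clazz.isArray()) {
            clazz = clazz.getComponentType();
        }
        return clazz;
    }

    // Whitelist lookup by the class name the JVM reports (e.g. "[B" for byte[]).
    static boolean isWhitelisted(Class<?> clazz) {
        return WHITELIST.contains(clazz.getName());
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for what a claims script might see.
        Object[] samples = {
                new byte[] {0x01, 0x02},              // byte[]   -> "[B"
                new byte[][] {{0x01}, {0x02, 0x03}},   // byte[][] -> "[[B" (getBinaryAttributes shape)
                new String[] {"a", "b"},               // String[] -> "[Ljava.lang.String;"
        };
        for (Object value : samples) {
            Class<?> raw = value.getClass();
            Class<?> once = reduceWithIf(raw);
            Class<?> fully = reduceWithWhile(raw);
            System.out.printf("%-22s if -> %-18s allowed=%-5s  while -> %-18s allowed=%s%n",
                    raw.getName(),
                    once.getName(), isWhitelisted(once),
                    fully.getName(), isWhitelisted(fully));
        }
    }
}
```

Running it shows that the one-dimensional byte[] is reduced to byte by either approach, but the two-dimensional byte[][] is reduced only to [B by the "if" version and is therefore rejected unless [B is whitelisted separately; the "while" version reduces it to byte and passes with the primitive type alone, which matches the expected behaviour stated above.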
Issue links
- Is caused by: OPENAM-4347 Scripted Module - access to String / Object arrays in Groovy prohibited (Closed)