The GString concept in Groovy is pretty powerful (see http://groovy.codehaus.org/Strings+and+GString).
GStrings let you do things like:
world = 'World' println 'Hello ${world}' # Output: Hello World println '1+2 = ${1+2}' # Output: 1+2 = 3 println '${System.exit(-1)}' # Program terminated I’m trying to figure out if using Groovy GString:s can introduce security problems in your code similar to SQL injection attacks.
In the example above the code was written by the author of the program, so the execution of the System.exit(-1) command cannot be seen as a security flaw as it was the stated intent of the author.
Let’s say I’m writing a Grails web-app, where user input is taken from form fields (reading POST/GET params) and database tables (using GORM). Let’s assume that an attacker controls both what’s sent as POST/GET requests to the server and what’s in the database.
The code in my app looks like this:
def str1 = params.someParameterControlledByTheAttacker def str2 = SomeGORMPersistedObject.get(1).somePropertyFieldControlledByTheAttacker render 'Hello! Here is some text: ${str1} and ${str2}' Is there any way an attacker can execute code in the above scenario? Why? Why not? My initial hypothesis is that GString usage is always safe. Please feel free to prove me wrong. Please be as concrete as possible.
Update #1: To keep the discussion focused, please disregard any HTML-XSS problems in the code since this question is about code-execution on the server-side, not on the client-side.
Update #2: Some people have pointed out that it is ‘generally a good idea to filter out unwanted strings’. While filtering out ‘potentially bad characters’ might certainly save you from some classes of security problems, it would be even better to write code that would be safe even without filtering. You can compare it with usage of PreparedStatements in the Java JDBC API – correct usage of PreparedStatements is guaranteed to save you from certain classes of injection attacks. Filtering your SQL input will probably give you the same result, but using PreparedStatements strictly dominates the filtering approach IMHO.
No, you won’t have any new problems introduced by the GString mechanism, because the formation of GStrings is a ‘compile time’ phenomenon. While their value may be determined (and changed) at run time their form is not.
Another way of looking at it: anything you can do with GStrings could be done with a closure and string concatenation, with exactly the same semantics; GStrings are just syntactic sugar. Unless you are worried about closures (or, heaven forbid, string concatenation) you shouldn’t worry about GStrings.