Unsafe dynamic code execution via GroovyShell
Description
Evaluating non-literal input (for example, values taken from a request, a file, or a database) with GroovyShell or GroovyClassLoader is dangerous: the evaluated string runs with the full privileges of the calling JVM, so whoever controls that input can achieve Remote Code Execution (RCE).
Examples
Insecure Code
```java
GroovyShell shell = new GroovyShell();
shell.evaluate(userInput);
```
Secure Code
```java
if (ALLOWED_EXPRESSIONS.contains(userInput)) {
    GroovyShell shell = new GroovyShell();
    shell.evaluate(userInput);
}
```
Remediation
Do not pass user-controlled input to a code evaluator. Where dynamic evaluation is unavoidable, restrict it to a fixed allowlist of reviewed expressions and compare the input against that list exactly before it reaches the interpreter.
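The following is an added example, not code from the rule page, that puts the insecure and allowlisted patterns side by side in a runnable class. The expression strings, variable names (`total`, `discount`) and the method names are assumptions chosen for illustration; `GroovyShell.evaluate(String)` and `GroovyShell.setVariable(String, Object)` are the standard Groovy API.

```java
import groovy.lang.GroovyShell;
import java.util.Set;

// Added example (not part of the original rule page). Demonstrates why a raw
// evaluate(userInput) is dangerous and how an exact-match allowlist gates it.
public class GroovyEvalExample {

    // Assumed, reviewed expressions: the only strings allowed to reach the interpreter.
    private static final Set<String> ALLOWED_EXPRESSIONS = Set.of(
        "total * 1.2",
        "total - discount"
    );

    // INSECURE: whatever string arrives here is compiled and run with the JVM's privileges.
    static Object evaluateUnsafe(String userInput) {
        GroovyShell shell = new GroovyShell();
        return shell.evaluate(userInput);
    }

    // SECURE: the untrusted string is only a lookup key. Anything that is not an
    // exact allowlisted expression is rejected before any code is evaluated.
    static Object evaluateAllowlisted(String userInput, double total, double discount) {
        if (!ALLOWED_EXPRESSIONS.contains(userInput)) {
            throw new IllegalArgumentException("expression not permitted: " + userInput);
        }
        GroovyShell shell = new GroovyShell();
        // Data enters as bound variables, never by string concatenation into code.
        shell.setVariable("total", total);
        shell.setVariable("discount", discount);
        return shell.evaluate(userInput);
    }

    public static void main(String[] args) {
        // Allowed expression: evaluates with the bound variables.
        System.out.println(evaluateAllowlisted("total - discount", 100.0, 5.0));

        // Not on the allowlist, even though it looks harmless: rejected before evaluation.
        try {
            evaluateAllowlisted("total * 99", 100.0, 5.0);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Note that the check must be an exact match against the allowlist (`contains`), not a substring or regex test, and that runtime values are supplied through `setVariable` rather than spliced into the expression text. A stricter variant is to have the caller send an opaque key (for example `"net_price"`) that the server maps to the expression, so the client never submits Groovy source at all.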
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0637 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-94 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | Remote Code Execution, RCE |
| OWASP | A03:2021-Injection |