Groovy Sandbox

Because IntegrationManager runs untrusted Groovy scripts that may contain malicious code, every Groovy script is evaluated inside a sandbox that blocks such code. When the sandbox detects forbidden code, it throws an exception of type net.pricefx.integration.groovy.GroovyEvaluationException.

The sandbox is always enabled on provisioned instances and cannot be disabled. The IM core team may extend the whitelist of permitted classes using the integration.groovy-sandbox.custom-allowed-types property on config-server. You cannot whitelist blacklisted classes.

Sandbox Rules

The sandbox recognizes forbidden code by matching Groovy expressions against a whitelist and a blacklist.

Whitelist

Whitelist Whole Package

Since version 5.4.0 it is possible to whitelist a whole package. This can only be done in WHITELISTED_PACKAGES in GroovySecurityDefaultSettings.java. Use it sparingly: before adding a new package, review every class it exposes for possible security issues.

Whitelist per Class

Only operations on types that are assignable to whitelisted types are permitted. The whitelist can be extended with custom classes via configuration.

Commonly used whitelisted types, by category:

  • JSON: JsonBuilder, JsonOutput, JsonSlurper, ObjectMapper

  • Date/Time: LocalDate, LocalDateTime, ZonedDateTime, DateTimeFormatter, ChronoUnit, DateTime (Joda)

  • Collections: ArrayList, HashMap, Collections, Arrays, Set, List, Map

  • Strings: StringUtils, StringEscapeUtils, Pattern

  • Math: RoundingMode, BigDecimal (implicit), BigInteger (implicit)

  • Camel: Exchange, Message, CamelContext, Expression, Predicate

  • Pricefx: NonRecoverableException, FilterCriteriaBuilder, FetchRequest, Response, ConnectionLookup, StreamUtils

  • Logging: Logger, LoggerFactory, @Slf4j

For the full list, see net.pricefx.integration.groovy.IntegrationGroovyInterceptor in the IM version you use.

Blacklist

After the whitelist check, a blacklist check follows:

  • Initial capacity of CharSequence, Iterable, and Map types cannot exceed 30,000

  • Methods sleep(..) and invokeMethod(..) are blocked on any type

  • Method execute(..) is blocked on java.lang.String

  • Method evaluate(..) is blocked on groovy.lang.Script

  • Blacklisted classes: java.lang.System, java.lang.Class
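To make the whitelist-then-blacklist flow above concrete, here is an added example that is not IM's code: a small interceptor written against the kohsuke groovy-sandbox GroovyInterceptor API, which is assumed (from its name) to be what IntegrationGroovyInterceptor builds on. The @Grab version and its compatibility with your Groovy release, the SandboxViolation class standing in for GroovyEvaluationException, the six-entry whitelist and the sample scripts are all constructed for this demo; the real whitelist is the one in IntegrationGroovyInterceptor.

```groovy
@Grab('org.kohsuke:groovy-sandbox:1.30')   // assumed version of the GroovyInterceptor library
import org.codehaus.groovy.control.CompilerConfiguration
import org.kohsuke.groovy.sandbox.GroovyInterceptor
import org.kohsuke.groovy.sandbox.GroovyInterceptor.Invoker
import org.kohsuke.groovy.sandbox.SandboxTransformer
// Hypothetical stand-in for net.pricefx.integration.groovy.GroovyEvaluationException.
class SandboxViolation extends RuntimeException { SandboxViolation(String m) { super(m) } }
class DemoInterceptor extends GroovyInterceptor {
    // Deliberately tiny whitelist; IM's real one lives in IntegrationGroovyInterceptor.
    static final List<Class> WHITELIST = [CharSequence, Number, Iterable, Map, Math, Script]
    static final List<Class> BLACKLIST = [System, Class]   // cannot be overridden by a whitelist entry
    static final int MAX_INITIAL_CAPACITY = 30_000
    // Whitelist first (type must be assignable to a whitelisted type), then the blacklist rules.
    private static void check(Class type, String method) {
        if (!WHITELIST.any { it.isAssignableFrom(type) }) throw new SandboxViolation("not whitelisted: ${type.name}")
        if (BLACKLIST.any { it.isAssignableFrom(type) }) throw new SandboxViolation("blacklisted class: ${type.name}")
        if (method in ['sleep', 'invokeMethod']) throw new SandboxViolation("${method}() is blocked on any type")
        if (type == String && method == 'execute') throw new SandboxViolation('String.execute() is blocked')
        if (Script.isAssignableFrom(type) && method == 'evaluate') throw new SandboxViolation('Script.evaluate() is blocked')
    }
    // Instance calls are judged by the receiver's runtime class, so a Class object returned by
    // getClass() is checked as java.lang.Class, not as the class it describes.
    @Override Object onMethodCall(Invoker inv, Object receiver, String method, Object... args) {
        check(receiver == null ? Object : receiver.getClass(), method); inv.call(receiver, method, args)
    }
    @Override Object onStaticCall(Invoker inv, Class receiver, String method, Object... args) {
        check(receiver, method); inv.call(receiver, method, args)
    }
    @Override Object onNewInstance(Invoker inv, Class receiver, Object... args) {
        check(receiver, '<init>')
        boolean sized = [CharSequence, Iterable, Map].any { it.isAssignableFrom(receiver) }
        if (sized && args && args[0] instanceof Integer && args[0] > MAX_INITIAL_CAPACITY)
            throw new SandboxViolation("initial capacity ${args[0]} exceeds ${MAX_INITIAL_CAPACITY}")
        inv.call(receiver, null, args)
    }
}
// SandboxTransformer rewrites the script so every call and constructor goes through the interceptor.
Object runSandboxed(String script) {
    def cfg = new CompilerConfiguration().addCompilationCustomizers(new SandboxTransformer())
    def interceptor = new DemoInterceptor()
    interceptor.register()
    try { return new GroovyShell(cfg).evaluate(script) } finally { interceptor.unregister() }
}
// Constructed sample scripts: the first is permitted, each of the others is denied by one rule above.
['[1, 2, 3].collect { it * 2 }.sum()', 'System.exit(0)', '"id".execute()', '[1].sleep(5)',
 'evaluate("1 + 1")', 'new ArrayList(40_000)', '"x".getClass().getName()'].each { src ->
    try { println "OK   ${src} -> ${runSandboxed(src)}" }
    catch (SandboxViolation e) { println "DENY ${src} -> ${e.message}" }
}
```

This demo only intercepts method calls and constructors; property access (for example "x".class) passes through untouched, so a production interceptor must also override onGetProperty and its siblings.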

Implicit Imports

These classes are available without fully qualified names:

  • groovy.json.JsonBuilder

  • java.time.*

  • java.text.*

Anonymous Classes Not Allowed

In the Groovy sandbox, anonymous inner classes and closures that capture external variables are not allowed. This applies to OpenJDK 17/21 with Groovy 4.0.15.

Workaround: Replace anonymous classes with explicitly named classes:

```groovy
import org.apache.camel.Exchange
import org.apache.camel.spi.Synchronization

// toDelete is a java.io.File the script created earlier (for example a temporary file)

// BAD - anonymous class (will fail in sandbox): its body captures the outer variable toDelete
exchange.getExchangeExtension().addOnCompletion(new Synchronization() {
    @Override
    void onComplete(Exchange ex) { toDelete.delete() }
    @Override
    void onFailure(Exchange ex) { }
})

// GOOD - named static class: the file is passed in explicitly instead of being captured
private static class IMSynchronization implements Synchronization {
    private final File fileToDelete
    IMSynchronization(File toDelete) { this.fileToDelete = toDelete }
    @Override
    void onComplete(Exchange ex) { fileToDelete.delete() }
    @Override
    void onFailure(Exchange ex) { }
}

exchange.getExchangeExtension().addOnCompletion(new IMSynchronization(toDelete))
```

Configuration

Each property is listed with its default value and the IM version that introduced it.

  • integration.groovy-sandbox.enabled
    Default: true. Since: 1.1.18.
    Turns the Groovy sandbox on or off. Cannot be changed on provisioned instances.

  • integration.groovy-sandbox.timeout
    Default: 600. Since: 1.1.18.
    Maximum script execution duration in seconds. Cannot be changed on provisioned instances.

  • integration.groovy-sandbox.custom-allowed-types
    Default: empty. Since: 1.1.18.
    Comma-separated list of fully qualified class names (FQCNs) to add to the whitelist. Can be changed on provisioned instances at runtime.