Skip to content

Groovy script throws java.lang.NoClassDefFoundError: org/codehaus/groovy/runtime/wrappers/Wrapper #18566

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
consulthys opened this issue May 25, 2016 · 4 comments
Closed

Groovy script throws java.lang.NoClassDefFoundError: org/codehaus/groovy/runtime/wrappers/Wrapper #18566

consulthys opened this issue May 25, 2016 · 4 comments

Comments

@consulthys
Copy link
Contributor

On my ES cluster running the latest 2.3.3 release (with groovy scripting enabled), I get the following error...

{
  "error": {
    "root_cause": [
      {
        "type": "script_exception",
        "reason": "failed to run inline script [def rparts = ctx._source.myDate.split('T'); def rtime = rparts[1].split(':'); ctx._source.myMinute = ((rtime[0] as int) * 60) + (rtime[1] as int)] using lang [groovy]"
      }
    ],
    "type": "script_exception",
    "reason": "failed to run inline script [def rparts = ctx._source.myDate.split('T'); def rtime = rparts[1].split(':'); ctx._source.myMinute = ((rtime[0] as int) * 60) + (rtime[1] as int)] using lang [groovy]",
    "caused_by": {
      "type": "bootstrap_method_error",
      "reason": "java.lang.NoClassDefFoundError: org/codehaus/groovy/runtime/wrappers/Wrapper",
      "caused_by": {
        "type": "no_class_def_found_error",
        "reason": "org/codehaus/groovy/runtime/wrappers/Wrapper",
        "caused_by": {
          "type": "class_not_found_exception",
          "reason": "org.codehaus.groovy.runtime.wrappers.Wrapper"
        }
      }
    }
  },
  "status": 500
}

...when I execute the following update-by-query

POST my-index/_update_by_query
{
  "script": {
    "inline": "def rparts = ctx._source.myDate.split('T'); def rtime = rparts[1].split(':'); ctx._source.myMinute = ((rtime[0] as int) * 60) + (rtime[1] as int)"
  },
  "query": {
    "bool": {
      "filter": {
        "missing": {
          "field": "myMinute"
        }
      }
    }
  }
}

It is worth noting that if I add the following class permission to the grants of the /modules/lang-groovy/plugin-security.policy file and restart my cluster, the script executes fine.

permission org.elasticsearch.script.ClassPermission "org.codehaus.groovy.runtime.wrappers.Wrapper";

It is very similar to what's been reported here and to some extent this issue.
@consulthys
Copy link
Contributor Author

I've figured out that the as int type coercion is what's causing the error.

If I change the script to use the explicit new Integer(...) constructor instead of using type coercions, then it works flawlessly.

"inline": "def rparts = ctx._source.myDate.split('T'); def rtime = rparts[1].split(':'); ctx._source.myMinute = (new Integer(rtime[0]) * 60) + new Integer(rtime[1])"

I still think the class permission should be added to the policy file of the lang-groovy module, since type coercion is a perfectly valid groovy construct.

@rmuir
Copy link
Contributor

rmuir commented May 25, 2016

These classes are not whitelisted, because groovy "wrappers" are extremely insecure. For example they augment any List with an execute method.

@rmuir rmuir closed this as completed May 25, 2016
@consulthys
Copy link
Contributor Author

That's fair enough, no big deal since I have an alternative.
Thanks much for your input, Robert.

@cfuerst
Copy link

cfuerst commented Aug 11, 2016

thnx alot @consulthys for sharing this!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rmuir @consulthys @cfuerst