Groovy Security

Security practices for Groovy applications

Details

Language / Topic
Groovy
Category
Security

Rules

- Never evaluate user-supplied strings with `Eval.me()` or `GroovyShell.evaluate()` — arbitrary Groovy execution is equivalent to remote code execution.
- Use parameterized queries or a type-safe ORM instead of string interpolation in SQL: `"SELECT * FROM users WHERE id = ${userId}"` is SQL injection.
- Sanitize all user input before using it in file paths — never pass unvalidated strings to `new File(userInput)`.
- Use the `@groovy.transform.PackageScope` annotation to restrict class member visibility within a package boundary for tighter encapsulation.
- Avoid `ObjectInputStream.readObject()` with untrusted data — use JSON or Protobuf deserialization with an explicit type allowlist instead.
- Log security-relevant events (login attempts, permission checks, admin actions) with a dedicated audit logger that writes to an append-only sink.
- Use Grails' CSRF protection (`useToken: true`) and XSS prevention (`encodeAs: 'HTML'`) directives in all GSP templates.
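The SQL rule above, as an added example that is not part of the original page: it runs the injectable String-built query beside the two parameterized forms `groovy.sql.Sql` supports, and shows the caveat that matters in Groovy, that `Sql` binds a GString's `${...}` values as parameters only for as long as the GString is never coerced to a `String` (a `String`-typed variable, `+`, `toString()`, `as String`). The H2 in-memory database, table and hostile input are assumptions constructed for the demo.

```groovy
@GrabConfig(systemClassLoader = true)
@Grab('com.h2database:h2:2.2.224')   // assumption: H2 in-memory DB, only to make the demo runnable
import groovy.sql.Sql

def sql = Sql.newInstance('jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1', 'sa', '', 'org.h2.Driver')
sql.execute 'CREATE TABLE users (id INT PRIMARY KEY, name VARCHAR(64))'
sql.execute "INSERT INTO users VALUES (1, 'alice'), (2, 'bob')"

// Constructed hostile input: closes the quoted literal and appends a tautology.
def name = "' OR '1'='1"

// VULNERABLE: the GString is assigned to a String-typed variable, so the value is
// spliced into the SQL text. The WHERE clause becomes  name = '' OR '1'='1'
// and every row comes back.
String spliced = "SELECT * FROM users WHERE name = '${name}'"
assert sql.rows(spliced).size() == 2

// SAFE: positional placeholders go to the driver as bind parameters; the database
// treats the whole input as one VARCHAR value and matches nothing.
assert sql.rows('SELECT * FROM users WHERE name = ?', [name]).size() == 0

// ALSO SAFE, but fragile: when a GString (no quotes around ${name}) reaches Sql
// un-coerced, Sql rewrites each ${...} to '?' and binds the value, so this is the
// same prepared statement as the line above. Route it through a String-typed
// variable, '+', toString() or 'as String' first and it is the vulnerable form again.
assert sql.rows("SELECT * FROM users WHERE name = ${name}").size() == 0

sql.close()
```

Because the GString form is one refactor away from the vulnerable one, prefer the explicit `?` placeholders with a parameter list in reviewed code.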