So, I'm implementing an application scripting interface with groovy and their are some fairly strict security requirements.
At compile time, we use the SecureASTCustomizer with a long list of white and black list and expression checkers to make sure that there is nothing we don't want compiled in the first place.
But, the compiled script is stored in a persistent store that could be theoretically modified.
So we want to check the compiled script before we execute it. Right now we handle that with an instance of MetaClassCreationHandle which returns a custom MetaClassImpl that checks each pass through invokeMethod.
This causes some performance overhead though.
When the script is instantiated it sets "Script".$callSiteArray to the result of invokestatic "Script".$getCallSiteArray().
Is there a way i can call that method myself, or make the constructed call site array available to me such that i can poke through it and do the same sort of checks? or is there not enough information in the groovy CallSites?
Groovy version is (unfortunately) fixed at 2.1.6