Good morning Tucker !!
Thank you very much for logback-groovy-config, it gives oxygen to old Logback based projects using Groovy to upgrade.
I'm trying to activate our logback.groovy file configuration and we have tons of method calls; actually, that's why we use logback.groovy instead of logback.xml for configuring our applications. But, as you know, the new security based on SecureASTCustomizer does not allow method calls by default.
Some overriding can be done for imports and a couple of other pieces, but nothing else; maybe the option to add a methodDefinitionAllowed at the logbackCompiler.groovy could be reasonable.
All this paranoia is coming from the Log4J drama and I think all this effort to keep Logback based on Groovy configuration secure is a great idea.
Please let me know your thoughts about it and if it's reasonable to open method call overrides for users, at their own risk of course.
Best regards,
Carlos Saltos
Sorry, I haven't gotten back to you. I would have to think through potential implications, before opening up methodDefinitionAllowed and I don't think I'm going to have a lot of time to do that in the near future. What I would be worried about are any potential conflicts with the ScriptExpressionChecker, which is not user configurable, for security reasons of what Groovy can do with String and Object.
If you have a more immediate need, you may want to fork this library and build your own version for now.
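An added illustration of the trade-off discussed in this thread. This is not code from logback-groovy-config; the `sandboxedShell` wiring and the two sample scripts are constructed to show what a SecureASTCustomizer does with `methodDefinitionAllowed` off versus on.

```groovy
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.MultipleCompilationErrorsException
import org.codehaus.groovy.control.customizers.SecureASTCustomizer

// Build a GroovyShell whose compiler applies a SecureASTCustomizer.
// `allowMethodDefs` is the knob the issue asks to expose; this wiring is
// hypothetical, not the library's own logbackCompiler.groovy.
GroovyShell sandboxedShell(boolean allowMethodDefs) {
    def secure = new SecureASTCustomizer()
    secure.methodDefinitionAllowed = allowMethodDefs   // false reproduces the locked-down behaviour the issue describes
    secure.closuresAllowed = true                      // Groovy's default; the logback DSL relies on closures
    def config = new CompilerConfiguration()
    config.addCompilationCustomizers(secure)
    return new GroovyShell(config)
}

// Constructed sample: a config fragment that defines a helper method.
String withMethod = '''
    def pattern(String name) { "%d [%thread] ${name} - %msg%n" }
    pattern("app")
'''

// Constructed workaround in the spirit of "normal static code": same result,
// no method definition for the customizer to reject.
String staticOnly = '''
    def name = "app"
    "%d [%thread] ${name} - %msg%n"
'''

// Compile and run a script, reporting whether the customizer let it through.
void describe(GroovyShell shell, String label, String script) {
    try {
        println "${label}: accepted -> ${shell.evaluate(script)}"
    } catch (MultipleCompilationErrorsException | SecurityException e) {
        println "${label}: rejected at compile time (${e.class.simpleName})"
    }
}

// Locked down: the method definition is a compile-time error, static code passes.
describe(sandboxedShell(false), "method def, locked", withMethod)
describe(sandboxedShell(false), "static code, locked", staticOnly)
// Opened up: the same script now compiles, which is the widening the maintainer is wary of.
describe(sandboxedShell(true), "method def, opened", withMethod)
```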
Yes, I agree with you, a change to the `methodDefinitionAllowed` would open security risks unnecessarily ... let's hope some day we can find a secure way to do this with Groovy ... in the meantime we create a workaround just using normal static code in our configuration.
Once again thank you very much for your project and your code, it's really cool and useful.