GroovyEngine.execute cause an OOM exception

[sirnple]

version: 3.24.1

Reproduced code:

public void executeFuzzerTest() {
        try {
            GroovyEngine groovyEngine = new GroovyEngine();
            Object result = groovyEngine.execute("/\n/*777777777777777777777777777777");
        } catch (Exception e) {
        }
}

[carnil]

This seems to have a CVE assigned: CVE-2023-50572

[atulajoshi24]

I tested this on latest version 3.25.0 , but the programme goes into infinite loop with no termination. It keeps on executing indefinitely. Tested on Open JDK 17

[mattirn]

The method GroovyEngine.execute(...) is used by JLine groovy REPL demo application to evaluate groovy/java statements. In underneath the method uses groovy.lang.GroovyShell.evaluate(...) method which will throw OOM exception when passing the statement above as a parameter, see the output when it is executed on Groovy shell:

I have not seen the executeFuzzerTest() enter into infinite loop but as you can enter an arbitrary groovy/java statement to the GroovyEngine.execute(...) method you can easily create also infinite loop groovyEngine.execute("while (true) {}").

When I tried to executeFuzzerTest() on groovy REPL demo application I found an other OOM exception when trying to display the execution result that is fixed on commit f3c60a3 .

The method GroovyEngine.execute(...) works as designed.