-
Improvement
-
Resolution: Fixed
-
Major
-
None
Consider a closure attempts to call methods/properties like the following:
class Foo { def foo() {} }
def c = { -> foo(); }
c.delegate = new Foo();
c();
script-security currently tries to check the access at GroovyObject.invokeMethod. For example, the above would be rejected like this:
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object (Script1$_run_closure1 foo)
This is hardly useful, because GroovyObject.invokeMethod is too generic to whitelist. It's much more sensible to figure out where this call is actually handled (in this case Foo.foo, then check the access of the target (in the case above this would have been allowed via ClassLoaderWhitelist)
- is related to
-
-
- Open
-
- links to
[JENKINS-28586] Method access/properties inside Closure
Code changed in jenkins
User: Kohsuke Kawaguchi
Path:
src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/ClosureSupport.java
src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptor.java
src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist
src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java
http://jenkins-ci.org/commit/script-security-plugin/5b4f6f915264ddcd1070cf44d0382f569316c4b0
Log:
JENKINS-28586 Figure out the target of Closure method call
To be able to use closures safely, figure out where closures are
forwarding method calls and property accesses, then check access at
that point.
Ideally, a logic like this should live in its own Whitelist, something
like ClosureWhitelist for better readability. But as it stands now,
JENKINS-28586 prevents me from doing that.
Compare: https://github.com/jenkinsci/script-security-plugin/compare/662ded007f1a^...5b4f6f915264
After thinking some more, I changed my mind and now I'm attempting to fix this in groovy-sandbox.
Code changed in jenkins
User: Kohsuke Kawaguchi
Path:
src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/ClosureSupport.java
src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptor.java
src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist
src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java
http://jenkins-ci.org/commit/script-security-plugin/c17e874435b802b6400a53a418e83cbad77e75ce
Log:
Revert "JENKINS-28586 Figure out the target of Closure method call"
This reverts commit 5b4f6f915264ddcd1070cf44d0382f569316c4b0.
After thinking about this some more, now I'm moving the fix into
groovy-sandbox.
Code changed in jenkins
User: Kohsuke Kawaguchi
Path:
pom.xml
src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java
http://jenkins-ci.org/commit/script-security-plugin/a254c78054533fbf330863bcc9f10935ff07440a
Log:
JENKINS-28586 Integrated groovy-sandbox that has the fix.
Compare: https://github.com/jenkinsci/script-security-plugin/compare/5b4f6f915264...a254c7805453
Code changed in jenkins
User: Jesse Glick
Path:
src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java
http://jenkins-ci.org/commit/script-security-plugin/e7f8fa895cd3d69fe02ef89714bb09c4ef0fb15f
Log:
JENKINS-25119 Cleaning up test from #7.
Also noting a closure bug perhaps related to JENKINS-28586: `it` does not work.
Code changed in jenkins
User: Jesse Glick
Path:
src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java
http://jenkins-ci.org/commit/script-security-plugin/c5cb52160a7a6296e6f9aee660d547abb18bb67d
Log:
Merge branch 'JENKINS-25119-addendum' into JENKINS-28586
Compare: https://github.com/jenkinsci/script-security-plugin/compare/6d46df1cf867...c5cb52160a7a
Code changed in jenkins
User: Jesse Glick
Path:
src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist
http://jenkins-ci.org/commit/script-security-plugin/4766322f7de98cbc7feadd6504e4dc73469eff03
Log:
Merge branch 'misc-whitelists' into JENKINS-28586
Compare: https://github.com/jenkinsci/script-security-plugin/compare/15509b51f02e...4766322f7de9
Code changed in jenkins
User: Jesse Glick
Path:
http://jenkins-ci.org/commit/script-security-plugin/b924d4af32075a720fda5c94af56255e81cd1830
Log:
Merge branch 'master' into JENKINS-28586
Compare: https://github.com/jenkinsci/script-security-plugin/compare/521a7af4dc91...b924d4af3207
Code changed in jenkins
User: Jesse Glick
Path:
pom.xml
src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist
src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java
http://jenkins-ci.org/commit/script-security-plugin/50240737226721be75e913a70c5ad289975942cd
Log:
Merge pull request #13 from jenkinsci/JENKINS-28586
[FIXED JENKINS-28586] handle method calls/property accesses via closure
Compare: https://github.com/jenkinsci/script-security-plugin/compare/c6d43e762aa8...502407372267
Code changed in jenkins
User: Kohsuke Kawaguchi
Path:
src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist
src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java
http://jenkins-ci.org/commit/script-security-plugin/662ded007f1adc146190f7b94ab6be7487edd877
Log:
JENKINS-28586A test case as the baseline.