Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-28586

Method access/properties inside Closure

XMLWordPrintable

      Consider a closure attempts to call methods/properties like the following:

      class Foo { def foo() {} }
def c = { -> foo(); }
c.delegate = new Foo();
c();

      script-security currently tries to check the access at GroovyObject.invokeMethod. For example, the above would be rejected like this:

      org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object (Script1$_run_closure1 foo)

      This is hardly useful, because GroovyObject.invokeMethod is too generic to whitelist. It's much more sensible to figure out where this call is actually handled (in this case Foo.foo, then check the access of the target (in the case above this would have been allowed via ClassLoaderWhitelist)

          [JENKINS-28586] Method access/properties inside Closure

          Kohsuke Kawaguchi created issue -
          Kohsuke Kawaguchi made changes -
          Link New: This issue is related to JENKINS-28587 [ JENKINS-28587 ]
          Jesse Glick made changes -
          Remote Link New: This issue links to "PR 13 (Web Link)" [ 12919 ]
          SCM/JIRA link daemon made changes -
          Resolution New: Fixed [ 1 ]
          Status Original: Open [ 1 ] New: Resolved [ 5 ]
          R. Tyler Croy made changes -
          Workflow Original: JNJira [ 163432 ] New: JNJira + In-Review [ 197197 ]

            kohsuke Kohsuke Kawaguchi
            kohsuke Kohsuke Kawaguchi
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: