Although you are required to have RUN_SCRIPTS to push anything to workflowLibs, the code is run under the same sandbox settings as the main Pipeline scripts. In the case of a Pipeline script using whole-script approval, it makes sense to be checking RUN_SCRIPTS for libraries. But in the case of Pipeline scripts configured to use the Groovy sandbox, the workflowLibs code is also run in the sandbox—a pointless restriction, since only a trusted user could have written that code. You would expect that the library code would be trusted and run in a privileged mode, so it could safely encapsulate otherwise unsafe method calls.

          [JENKINS-34650] Allow global libraries to bypass the sandbox

          Jesse Glick added a comment -

          JENKINS-26538 requests the converse, in a sense: libraries that regular users could upload but which could not run unsafe methods.


          Kohsuke Kawaguchi added a comment -

          I'm going to work on this in the context of https://github.com/cloudbees/groovy-cps/pull/36

          Kohsuke Kawaguchi added a comment -

          This is the entry point into this series of changes

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          doc/classloader.md
          pom.xml
          src/main/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition.java
          src/main/java/org/jenkinsci/plugins/workflow/cps/CpsFlowExecution.java
          src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java
          src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShellFactory.java
          src/main/java/org/jenkinsci/plugins/workflow/cps/GroovyClassLoaderWhitelist.java
          src/main/java/org/jenkinsci/plugins/workflow/cps/GroovyShellDecorator.java
          src/main/java/org/jenkinsci/plugins/workflow/cps/SandboxContinuable.java
          src/test/java/org/jenkinsci/plugins/workflow/cps/CpsFlowExecutionTest.java
          src/test/resources/trusted/foo.groovy
          http://jenkins-ci.org/commit/workflow-cps-plugin/3a380e7b6905007f3612b57f67d1a2dcd67b9614
          Log:
          Merge pull request #33 from jenkinsci/trusted-classloader

          JENKINS-34650 Added a trusted classloader that runs CPS code outside sandbox

          Compare: https://github.com/jenkinsci/workflow-cps-plugin/compare/da3757932771...3a380e7b6905

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          pom.xml
          src/main/java/org/jenkinsci/plugins/docker/workflow/DockerDSL.java
          src/main/java/org/jenkinsci/plugins/docker/workflow/ImageNameTokens.java
          http://jenkins-ci.org/commit/docker-workflow-plugin/abe4066b6b4eb1af3e922897add192df4e0294ef
          Log:
          JENKINS-32731 JENKINS-34650 Docker.groovy is already trusted.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          pom.xml
          src/main/java/org/jenkinsci/plugins/docker/workflow/DockerDSL.java
          src/main/java/org/jenkinsci/plugins/docker/workflow/ImageNameTokens.java
          src/main/resources/org/jenkinsci/plugins/docker/workflow/Docker.groovy
          http://jenkins-ci.org/commit/docker-workflow-plugin/223612bc8378cc3e02cc6fecee1416c5bd533af9
          Log:
          Merge pull request #75 from jglick/GlobalVariable-JENKINS-32731

          JENKINS-32731 JENKINS-34650 Docker.groovy is already trusted

          Compare: https://github.com/jenkinsci/docker-workflow-plugin/compare/1f5f9d0147c4...223612bc8378

            kohsuke Kohsuke Kawaguchi
            jglick Jesse Glick