-
Bug
-
Resolution: Fixed
-
Critical
-
None
-
Jenkins 2.46, Script Security Plugin 1.26
-
-
script-security 1218.v39ca_7f7ed0a_c
Since hudson.scm.EditType implementation has not changed in the last 10 years, I think either the white listing never ever worked, or (less likely?) the white listing syntax changed and in the past there was no differentiation between static and non-static fields.
Anyway, could you please change the following in "org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/jenkins-whitelist":
- From old:
field hudson.scm.EditType ADD field hudson.scm.EditType DELETE field hudson.scm.EditType EDIT
- => New:
staticField hudson.scm.EditType ADD staticField hudson.scm.EditType DELETE staticField hudson.scm.EditType EDIT
- is related to
-
JENKINS-30412 Access to build's own changelog from script
-
- Resolved
-
- links to
[JENKINS-42214] Field entries for hudson.scm.EditType fields in "jenkins-whitelist" must be static
Reinhold Füreder
created issue -
Reinhold Füreder
made changes -
| Assignee | New: Jesse Glick [ jglick ] |
The whitelist validation code must have been buggy to accept this to begin with, so a proper fix involves code changes.
| Assignee | Original: Jesse Glick [ jglick ] |
Reinhold Füreder
added a comment - Well, I claim that the current entries are just wrong then. And since I am actually needing and actively using such static field whitelist entries in other contexts (e.g. "staticField hudson.model.Result FAILURE", cf. JENKINS-35352) with success, I was pretty confident that this would help here as well...
Reinhold Füreder
added a comment - Well, I claim that the current entries are just wrong then. And since I am actually needing and actively using such static field whitelist entries in other contexts (e.g. " staticField hudson.model.Result FAILURE ", cf. JENKINS-35352 ) with success, I was pretty confident that this would help here as well... I claim that the current entries are just wrong
I was not disputing that, only pointing out that the proper fix also involves fixing MethodSignature.exists so that no such mistake could happen again.
Reinhold Füreder
added a comment - Oh, okay, I am sorry for my misunderstanding and must admit that your approach (fixing MethodSignature.exists so that no such mistake could happen again) is the right one...
Reinhold Füreder
added a comment - Oh, okay, I am sorry for my misunderstanding and must admit that your approach ( fixing MethodSignature.exists so that no such mistake could happen again ) is the right one... Reinhold Füreder
made changes -
| Link |
New:
This issue is related to |
Ah…I am already checking static in MethodSignature and StaticMethodSignature, but not FieldSignature or StaticFieldSignature.
I apologize for the direct assignment to you, Jesse, but I dared to do that, because (a) you seem to be the official maintainer of the plugin (see https://wiki.jenkins-ci.org/display/JENKINS/Script+Security+Plugin) and (b) I hope this is a low hanging fruit