Jenkins issue JENKINS-42618

Cannot use String index or range in sandboxed scripts

Description

Grabbing either a character or a substring from a String doesn't work out of the box:

    echo 'foobar'[0]

    org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.lang.String int

    echo 'foobar'[3..5]
    echo 'foobar'[3..-1]

    org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter createRange java.lang.Object java.lang.Object boolean

Certainly the first one doesn't look dangerous, and the second is presumably harmless, but I don't know for sure whether whitelisting it has other implications beyond this simple use case.
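As an added triage helper (not part of this issue or of the script-security plugin), the script below parses RejectedAccessException lines from a build log into the same one-line signature form the plugin's generic-whitelist file uses, and separates signatures that an allow-list already covers from those an administrator still has to decide on. The log lines are constructed from the two messages above, and the one-entry allow-list is an assumption that mirrors the getAt entry added by the fix.

```python
import re
from collections import Counter

# Constructed sample: lines as they appear in a Jenkins build log when the
# Groovy sandbox rejects a call (the two messages are taken from the issue text).
SAMPLE_LOG = """\
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.lang.String int
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter createRange java.lang.Object java.lang.Object boolean
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.lang.String int
"""

# The text after "not permitted to use" has the same shape as one entry line of
# the plugin's generic-whitelist file, so it can be compared against it directly.
REJECTED = re.compile(r"RejectedAccessException: Scripts not permitted to use (.+?)\s*$")

# Assumed allow-list: only the entry this issue's fix added to generic-whitelist.
GENERIC_WHITELIST = {
    "staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.lang.String int",
}


def rejected_signatures(log_text):
    """Return a Counter of whitelist-style signatures the sandbox rejected."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECTED.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def triage(log_text, whitelist=GENERIC_WHITELIST):
    """Split rejections into those the allow-list already covers (the running
    plugin version simply lacks the entry) and those that still need an
    administrator's approval decision."""
    counts = rejected_signatures(log_text)
    covered = {sig: n for sig, n in counts.items() if sig in whitelist}
    pending = {sig: n for sig, n in counts.items() if sig not in whitelist}
    return covered, pending


if __name__ == "__main__":
    covered, pending = triage(SAMPLE_LOG)
    for sig, n in covered.items():
        print(f"{n}x covered by generic-whitelist: {sig}")
    for sig, n in pending.items():
        print(f"{n}x needs an approval decision:   {sig}")
```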

Activity

Christopher Orr added a comment:

Ah, sorry… this has been sitting on my TODO list for too long — the second item was fixed in a recent release.

I added a whitelist entry for the first item: https://github.com/jenkinsci/script-security-plugin/pull/111

SCM/JIRA link daemon added a comment:

Code changed in jenkins
User: Christopher Orr
Path:
src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist
http://jenkins-ci.org/commit/script-security-plugin/7a1e0e0972eadfd1d839378d156a6679fba65e79
Log:
[FIX JENKINS-42618] Add generic whitelist entry for String.getAt(int).

Used by, for example: 'foobar'[0]

SCM/JIRA link daemon added a comment:

Code changed in jenkins
User: Jesse Glick
Path:
src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist
http://jenkins-ci.org/commit/script-security-plugin/2724ab38a2cc0626f7da039f8857df58856588bb
Log:
Merge pull request #111 from orrc/master

[FIX JENKINS-42618] Add generic whitelist entry for String.getAt(int).

Compare: https://github.com/jenkinsci/script-security-plugin/compare/48c3dbb95150...2724ab38a2cc

People

Assignee: Unassigned
Reporter: Christopher Orr
Votes: 0
Watchers: 2