
Cannot use String index or range in sandboxed scripts

      Grabbing either a character or a substring from a String doesn't work out of the box:

      echo 'foobar'[0]
      
      org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.lang.String int
      
      echo 'foobar'[3..5]
      echo 'foobar'[3..-1]
      
      org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter createRange java.lang.Object java.lang.Object boolean
      

      Certainly the first one doesn't look dangerous, and the second is presumably harmless, but I don't know for sure whether whitelisting it has other implications beyond this simple use case.
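The two rejection messages above each carry the exact signature the sandbox refused. The following triage script is an added example, not part of the original issue or of the plugin's code: it pulls those signatures out of a build log and reports which are covered by a given whitelist text. The function names and sample data are constructed for illustration, and the script assumes whitelist files hold one signature per line in the same syntax as the exception message, with `#` starting a comment.

```python
import re

# Signature embedded in the exception message, e.g.
# "Scripts not permitted to use staticMethod <class> <member> <param types...>"
REJECTED = re.compile(r"RejectedAccessException: Scripts not permitted to use (.+?)\s*$")

def parse_signature(sig):
    """Split a whitelist-style signature into (kind, class, member, params)."""
    parts = sig.split()
    kind = parts[0]
    if kind == "new":  # constructor entries carry no member name
        return kind, parts[1], "<init>", tuple(parts[2:])
    return kind, parts[1], parts[2], tuple(parts[3:])

def load_whitelist(text):
    """Parse whitelist text: one signature per line, '#' starts a comment."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.add(parse_signature(line))
    return entries

def triage(log_text, whitelist_text):
    """Return (covered, uncovered) distinct rejected signatures, in log order."""
    allowed = load_whitelist(whitelist_text)
    covered, uncovered, seen = [], [], set()
    for line in log_text.splitlines():
        m = REJECTED.search(line)
        if not m or m.group(1) in seen:
            continue
        seen.add(m.group(1))
        bucket = covered if parse_signature(m.group(1)) in allowed else uncovered
        bucket.append(m.group(1))
    return covered, uncovered

# Constructed sample log: the two messages from this issue, the first one repeated.
SAMPLE_LOG = """\
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.lang.String int
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter createRange java.lang.Object java.lang.Object boolean
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.lang.String int
"""
# Constructed whitelist holding only an entry for String.getAt(int).
SAMPLE_WHITELIST = """\
# String indexing, e.g. 'foobar'[0]
staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.lang.String int
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_WHITELIST))
```

Signatures that come back as uncovered are the ones that still need review before any approval or whitelist change.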

          [JENKINS-42618] Cannot use String index or range in sandboxed scripts

          Christopher Orr added a comment:

          Ah, sorry… this has been sitting on my TODO list for too long — the second item was fixed in a recent release.

          I added a whitelist entry for the first item: https://github.com/jenkinsci/script-security-plugin/pull/111

          SCM/JIRA link daemon added a comment:

          Code changed in jenkins
          User: Christopher Orr
          Path:
          src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist
          http://jenkins-ci.org/commit/script-security-plugin/7a1e0e0972eadfd1d839378d156a6679fba65e79
          Log:
          [FIX JENKINS-42618] Add generic whitelist entry for String.getAt(int).

          Used by, for example: 'foobar'[0]

          SCM/JIRA link daemon added a comment:

          Code changed in jenkins
          User: Jesse Glick
          Path:
          src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist
          http://jenkins-ci.org/commit/script-security-plugin/2724ab38a2cc0626f7da039f8857df58856588bb
          Log:
          Merge pull request #111 from orrc/master

          [FIX JENKINS-42618] Add generic whitelist entry for String.getAt(int).

          Compare: https://github.com/jenkinsci/script-security-plugin/compare/48c3dbb95150...2724ab38a2cc

            Unassigned Unassigned
            orrc Christopher Orr