- Type: Improvement
- Resolution: Fixed
- Priority: Minor
This is a follow-up to the discussion in HOSTING-492 with casz. The plugin does not whitelist base classes, and there is a high risk of regressions in plugins that use its API; see JENKINS-49699 for an example.
> What to serialize? It is a complicated topic. Jenkins 2.102+ will reject serialization of classes over Remoting and XStream, so the rule would be the following:
> - Every class plugin developers persist on the disk
> - Every class plugin developers send over the channel to agents
> I would say that most of the classes should be whitelisted by plugin developers, but the library could whitelist Kotlin base classes (like kotlin.collections.EmptyList in JENKINS-49699). You can find examples of whitelisted base classes for Java here: https://github.com/jenkinsci/jenkins/blob/master/core/src/main/resources/jenkins/security/whitelisted-classes.txt
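As an added illustration, not taken from this ticket or from the plugin itself: under JEP-200 a plugin extends the class whitelist by shipping a resource named META-INF/hudson.remoting.ClassFilter in its jar, with one fully qualified class name per line. Only kotlin.collections.EmptyList comes from the ticket; the other two Kotlin stdlib singletons are assumed additions chosen because they are the same kind of base class (immutable empty collections that end up inside persisted or remoted objects).

```text
kotlin.collections.EmptyList
kotlin.collections.EmptyMap
kotlin.collections.EmptySet
```

The trade-off the ticket describes applies to every line in such a file: each whitelisted class becomes deserializable from any XStream config file or Remoting channel, so a library plugin should list only stdlib base classes whose deserialization has no side effects and leave plugin-specific types to the plugins that own them.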
- relates to: JENKINS-49699 Doktor plugin affected by JEP-200 (Closed)