-
Type:
Bug
-
Resolution: Unresolved
-
Priority:
Minor
-
Component/s: script-security-plugin
-
None
-
Environment:Jenkins 2.190.1
Script Security plugin 1.71
Try executing this pipeline:
def o = readJSON text: '{"foo": "bar"}' for (entry in o) { echo entry.class.toString() echo "$entry.key -> $entry.value" }
The output is:
class org.apache.commons.collections.map.ListOrderedMap$ListOrderedMapEntry Scripts not permitted to use method org.apache.commons.collections.KeyValue getKey. Administrators can decide whether to approve or reject this signature.
The reason for that is that readJSON returns a net.sf.json.JSONObject, whose entry class is org.apache.commons.collections.map.ListOrderedMap.ListOrderedMapEntry, which implements org.apache.commons.collections.KeyValue, whose members are not whitelisted.
It would be nice if you could do at least one of these:
1. Whitelist org.apache.commons.collections.KeyValue getKey and getValue.
2. Make it so that the existing whitelist entries for java.util.Map.Entry getKey and getValue also apply to org.apache.commons.collections.map.ListOrderedMap.ListOrderedMapEntry, which does implement java.utils.Map.Entry as well.