Jenkins / JENKINS-65563

Whitelist Groovy language methods to provide dynamism


      Description

      I would like to get the following signatures whitelisted so that some dynamic nature can be added to the pipeline shared library classes:

      1. new groovy.lang.Binding
      2. method groovy.lang.Binding getVariable java.lang.String
      3. method groovy.lang.Binding getVariables
      4. method groovy.lang.Binding removeVariable java.lang.String
      5. method groovy.lang.Binding setVariable java.lang.String java.lang.Object
      6. method groovy.lang.Script setBinding groovy.lang.Binding
      7. method groovy.lang.GroovyObject getProperty java.lang.String
      8. method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object

      I am assuming that signatures 1 to 8 are safe from a sandbox point of view. The Binding signatures (1 to 6) would allow a script to manipulate its own namespace, but that is not useful for breaking out of the sandbox. Signatures 7 and 8 would allow one to customize the Script/CpsScript implementations. Overriding these signatures is already possible, but the overridden method is not allowed to delegate to the existing implementation (e.g., by calling super.getProperty()), and the above signatures are crucial to make these overrides actually useful and meaningful.

      I am not sure if it is OK to include setProperty in this list, but I would include it for completeness if it is also safe.
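      The following is an added example in plain Groovy (run outside the Jenkins sandbox); it is not code from this issue, from the reporter, or from the script-security plugin. It shows the two patterns the description refers to: a script manipulating its own Binding, and getProperty()/invokeMethod() overrides that delegate to the default implementation. The class name DynamicScript, the defaults map and the greet closure are assumptions constructed for the illustration; the comments note which whitelist entry from the list above each call would need inside the sandbox.

```groovy
// Added example, not part of the issue or the script-security plugin.
// Assumed names: DynamicScript, defaults, greet.
class DynamicScript extends Script {
    // Constructed fallback values a shared-library class might supply.
    Map<String, Object> defaults = [region: 'us-east-1', retries: 3]

    @Override
    Object getProperty(String name) {
        try {
            // Normal lookup first: the Binding, then fields/getters.
            // In the sandbox this is "method groovy.lang.GroovyObject getProperty java.lang.String".
            return super.getProperty(name)
        } catch (MissingPropertyException e) {
            // Fall back to the dynamic defaults instead of failing.
            if (defaults.containsKey(name)) {
                return defaults[name]
            }
            throw e
        }
    }

    @Override
    Object invokeMethod(String name, Object args) {
        // Called for methods that do not exist on the class; Script's own
        // implementation then resolves closures stored in the Binding.
        // In the sandbox this is "method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object".
        println "dispatching ${name}(${args})"
        return super.invokeMethod(name, args)
    }

    Object run() {
        Binding b = getBinding()
        b.setVariable('region', 'eu-west-1')               // Binding setVariable
        b.setVariable('greet', { who -> "hello ${who}" })  // a closure the script can call by name
        Set<String> bound = b.getVariables().keySet()      // Binding getVariables
        println "bound: ${bound}, region=${region}, retries=${retries}"
        String greeting = greet('world')                   // goes through invokeMethod above
        b.removeVariable('region')                         // Binding removeVariable
        // 'region' is no longer bound, so getProperty() falls back to defaults.
        return [region: region, retries: retries, greeting: greeting.toString()]
    }
}

def script = new DynamicScript()
script.setBinding(new Binding())   // new groovy.lang.Binding / Script setBinding
assert script.run() == [region: 'us-east-1', retries: 3, greeting: 'hello world']
```

      Note that super.getProperty() in a Script subclass first consults the Binding and only then the object's own fields and getters, which is why the fallback in getProperty() only triggers once removeVariable() has cleared the bound value.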


          Activity

          haridsv Hari Dara added a comment - Link to the PR: https://github.com/jenkinsci/script-security-plugin/pull/344

          haridsv Hari Dara added a comment - Many of these signatures are quite unsafe to be whitelisted.


            People

            Assignee:
            haridsv Hari Dara
            Reporter:
            haridsv Hari Dara
            Votes: 0
            Watchers: 0