  1. Jenkins
  2. JENKINS-67601

Is the example in "In-process Script Approval" document valid?


      The In-process Script Approval doc says:


      Consider a script which accesses the method hudson.model.AbstractItem.getParent(), which by itself is harmless and will return an object containing either the folder or root item which contains the currently executing Pipeline or Job. Following that method invocation, executing hudson.model.ItemGroup.getItems(), which will list items in the folder or root item, requires the Job/Read permission.


      getParent() is a method in the AbstractItem class. The only way to get an Item object that I know of is through Jenkins.instance.getItemByFullName(), which is of course blacklisted.

      Isn't it invalid to say getItems() is dangerous to run when access to it already requires access to Jenkins.instance? It's as if we're being told not to play with the dangerous scissors that are inside a burning house.

      Or is there a way to get an Item safely?

            Unassigned Unassigned
            calvinpark Calvin Park