-
Bug
-
Resolution: Unresolved
-
Minor
-
None
In-process Script Approval doc says
'''
Consider a script which accesses the method hudson.model.AbstractItem.getParent(), which by itself is harmless and will return an object containing either the folder or root item which contains the currently executing Pipeline or Job. Following that method invocation, executing hudson.model.ItemGroup.getItems(), which will list items in the folder or root item, requires the Job/Read permission.
'''
getParent() is a method in AbstractItem class. The only way to get an Item object that I know is through Jenkins.instance.getItemByFullName() which is of course blacklisted.
Isn't it invalid to say getItems() is dangerous to run when the access to it already requires an access to Jenkins.instance? It's as if we're being told not to play with the dangerous scissors that's inside a burning house.
Or is there a way to get an Item safely?
[JENKINS-67601] Is the example in "In-process Script Approval" document valid?
Calvin Park
created issue -
| Component/s | New: core [ 15593 ] | |
| Component/s | New: script-security-plugin [ 18520 ] | |
| Component/s | Original: core [ 21134 ] | |
| Key | Original: INFRA-2833 | New: JENKINS-67601 |
| Workflow | Original: classic default workflow [ 247143 ] | New: JNJira + In-Review [ 251810 ] |
| Project | Original: Infrastructure [ 10301 ] | New: Jenkins [ 10172 ] |
| Comment |
[ For your information, [all INFRA issues|https://issues.jenkins.io/projects/INFRA/issues/] related to the [Jenkins Infrastructure project|https://www.jenkins.io/projects/infrastructure/] have been transferred to Github: https://github.com/jenkins-infra/helpdesk/issues Here is the direct link to this issue in Github: https://github.com/jenkins-infra/helpdesk/issues/2397 And here is the link to a search for related issues: https://github.com/jenkins-infra/helpdesk/issues?q=%22INFRA-2833%22 (Note: this is an automated bulk comment) ] |
Admin note: moving this issue to the correct issue tracker (JENKINS instead of INFRA).