[JIRA] (JENKINS-61952) Matcher.find() and Matcher.group(String) are no longer whitelisted

dnusbaum@cloudbees.com (JIRA)

Apr 17, 2020, 3:09:02 PM
to jenkinsc...@googlegroups.com
Devin Nusbaum created an issue
 
Jenkins / Bug JENKINS-61952
Matcher.find() and Matcher.group(String) are no longer whitelisted
Issue Type: Bug
Assignee: Unassigned
Components: script-security-plugin
Created: 2020-04-17 19:08
Environment: Jenkins ver. 2.204.2
script-security-plugin 1.68
Priority: Minor
Reporter: Devin Nusbaum

We have upgraded the plugin from 1.66 -> 1.68
Since version 1.68 method java.util.regex.Matcher find is no longer whitelisted:

https://github.com/jenkinsci/script-security-plugin/commit/d5e107b1bd780314bc13ebed401ab3b8a22ec9a4#diff-bd6a93804fc62863a4d7460e35733302

Was this done on purpose, or were all the mentioned methods removed by accident?

method java.util.regex.Matcher find
method java.util.regex.Matcher group java.lang.String

We had to manually approve the mentioned methods on our production servers.

Could you please add the mentioned methods to the default approve list?

This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)

dnusbaum@cloudbees.com (JIRA)

Apr 17, 2020, 3:11:03 PM
to jenkinsc...@googlegroups.com
Devin Nusbaum updated an issue
Change By: Devin Nusbaum
Originally reported by [~wolniewicz] in JENKINS-61575, but that issue appears to be broken so I cloned it here.

We have upgraded the plugin from 1.66 -> 1.68
Since version 1.68 method java.util.regex.Matcher find is no longer whitelisted:

[https://github.com/jenkinsci/script-security-plugin/commit/d5e107b1bd780314bc13ebed401ab3b8a22ec9a4#diff-bd6a93804fc62863a4d7460e35733302]

Was this done on purpose, or were all the mentioned methods removed by accident?
{code:java}

method java.util.regex.Matcher find
method java.util.regex.Matcher group java.lang.String
{code}

We had to manually approve the mentioned methods on our production servers.

Could you please add the mentioned methods to the default approve list?

dnusbaum@cloudbees.com (JIRA)

Apr 17, 2020, 3:17:02 PM
to jenkinsc...@googlegroups.com
Devin Nusbaum started work on Bug JENKINS-61952
 
Change By: Devin Nusbaum
Status: Open -> In Progress

dnusbaum@cloudbees.com (JIRA)

Apr 20, 2020, 9:57:02 AM
to jenkinsc...@googlegroups.com
Change By: Devin Nusbaum
Status: In Review -> Fixed but Unreleased
Resolution: Fixed