Groovy Sandbox doesn't allow to delegate class instance to closure in shared library

[Dmitry Karanfilov]

Hi, 

Why I'm getting:

org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object

when built-in steps are used inside closure for a global variable when closure.delegate = instance of class?

Please check the example bellow:

In shared library I have file vars/buildPlugin.groovy

def call(body) {
    def config = new Dsl()
    body.resolveStrategy = Closure.DELEGATE_FIRST
    body.delegate = config
    body()

    echo "Name set by closure: ${config.name}"
}

class Dsl {
    def name
}

and here is how it is using in Jenkinsfile (or pipeline script):

@Library('library.name') _

buildPlugin {
    name = 'name_from_Jenkinsfile'

    echo "Name from Jenkinsfile: ${name}"
}

This causes error: 

org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object (Dsl echo org.codehaus.groovy.runtime.GStringImpl)

However if I change the delegate to be the Map everything works as expected:

def call(body) {
    def config = [:]
    // def config = new Dsl()
    body.resolveStrategy = Closure.DELEGATE_FIRST
    body.delegate = config
    body()

    echo "Name set by closure ${config.name}"
}

class Dsl {
    def name
}

For what it's worth - If I uncheck Use Groovy Sandbox checkbox in pipeline job config I don't have RejectedAccessException even when config is instance of Dsl().

I know that I can just approve this signature but unlikely it is a right way to go.

I will be grateful for any help/hint.