[JIRA] (JENKINS-37012) Default groovy methods should be approved by default


tnaroska@adobe.com (JIRA)

Jul 27, 2016, 5:03:01 PM
to jenkinsc...@googlegroups.com
Timo Naroska created an issue
 
Jenkins / Improvement JENKINS-37012
Default groovy methods should be approved by default
Issue Type: Improvement
Assignee: Jesse Glick
Components: workflow-plugin
Created: 2016/Jul/27 9:02 PM
Environment: Jenkins ver. 1.655, Pipeline plugin 2.1
Priority: Minor
Reporter: Timo Naroska

By default, script approval requires explicit approval of a lot of standard Groovy methods, e.g. the ones defined here: DefaultGroovyMethods. These are very basic operations for type conversions and collection handling. Nothing security relevant.
These functions should be whitelisted by ScriptApproval out of the box.

 
This message was sent by Atlassian JIRA (v7.1.7#71011-sha1:2526d7c)

josh@hoblitt.com (JIRA)

Aug 9, 2016, 12:33:01 PM
to jenkinsc...@googlegroups.com
Joshua Hoblitt commented on Improvement JENKINS-37012
 
Re: Default groovy methods should be approved by default

I agree that the whitelist should be more expansive or, if there is a security implication, a "safe" alternative should be provided for basic operations. The current state is that even checking for the existence of a job parameter requires admin approval.

getBinding().hasVariable("PRODUCT")
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.lang.Binding hasVariable java.lang.String
	at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:176)
...
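
A triage sketch for the rejection shown in this thread, added here as an example (not code from the issue or from the script-security plugin): it extracts the signature from each RejectedAccessException line so that every distinct signature is reviewed once, individually, with its hit count. Only the Binding.hasVariable line is from the thread; the other log lines and the REVIEWED set are constructed or hypothetical.

```python
import re
from collections import Counter

# Signature kinds that appear in script-security rejection messages.
KINDS = ("staticMethod", "method", "staticField", "field", "new")
REJECTION = re.compile(
    r"RejectedAccessException: Scripts not permitted to use "
    r"(?P<sig>(?:" + "|".join(KINDS) + r")(?: \S+)+)\s*$"
)
PREFIX = "org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: "
PAGE_LINE = PREFIX + ("Scripts not permitted to use method "
                      "groovy.lang.Binding hasVariable java.lang.String")
# Constructed sample log: PAGE_LINE is from the thread, the rest is made up.
SAMPLE_LOG = "\n".join([
    PAGE_LINE,
    "\tat org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists."
    "StaticWhitelist.rejectMethod(StaticWhitelist.java:176)",
    PAGE_LINE,
    PREFIX + "Scripts not permitted to use staticMethod "
    "org.codehaus.groovy.runtime.DefaultGroovyMethods first java.util.List",
    PREFIX + "Scripts not permitted to use staticMethod java.lang.System exit int",
])
# Hypothetical: signatures a reviewer has already examined one by one.
REVIEWED = {
    "staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods first java.util.List",
}

def parse_signature(sig):
    """Split 'kind class [member] [arg types...]' into its parts."""
    kind, cls, *rest = sig.split(" ")
    member = None if kind == "new" or not rest else rest.pop(0)  # constructors have no member
    return {"kind": kind, "class": cls, "member": member, "args": rest}

def triage(log_text, reviewed=REVIEWED):
    """Return (pending, known): distinct rejected signatures, most frequent first."""
    counts = Counter()
    for line in log_text.splitlines():
        match = REJECTION.search(line)
        if match:
            counts[match.group("sig")] += 1
    pending, known = [], []
    for sig, hits in counts.most_common():
        entry = dict(parse_signature(sig), signature=sig, hits=hits)
        (known if sig in reviewed else pending).append(entry)
    return pending, known

if __name__ == "__main__":
    for item in triage(SAMPLE_LOG)[0]:
        print(item["hits"], item["signature"])
```
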