Jenkins: JENKINS-25348

Multiple copies of groovy-sandbox jar compromises security

Description

      XMLEscapingTemplateEngine compiles a script with uberClassLoader. When SandboxTransformer runs and generates all sorts of references to Checker.checkedCall(...) etc., these symbolic references are resolved against uberClassLoader.

      If another plugin happens to have groovy-sandbox.jar (like the email-ext plugin does), then these calls will resolve against that, which means none of the interceptors will be invoked.

      The script-security plugin needs to set a custom parent classloader so that references to groovy-sandbox will always be resolved to the one visible from script-security.
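The following is an added illustration of the fix described in the report, not code from the Script Security plugin or from this issue. It compiles a sandboxed script with a GroovyShell whose parent classloader is the loader that defined org.kohsuke.groovy.sandbox.impl.Checker, so the Checker.checked*(...) calls that SandboxTransformer emits link against the same Checker copy the interceptor registered with. The DenySystem interceptor, the checkerIsSameCopy helper and the script text are constructed for this example; the groovy-sandbox API calls used (SandboxTransformer as a CompilationCustomizer, GroovyInterceptor.register/unregister, onStaticCall) are the library's public ones.

```java
import groovy.lang.Binding;
import groovy.lang.GroovyShell;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.kohsuke.groovy.sandbox.GroovyInterceptor;
import org.kohsuke.groovy.sandbox.SandboxTransformer;
import org.kohsuke.groovy.sandbox.impl.Checker;

public class SandboxLoaderCheck {

    /** Example interceptor: rejects static calls on java.lang.System, passes everything else through. */
    static final class DenySystem extends GroovyInterceptor {
        @Override
        public Object onStaticCall(Invoker invoker, Class receiver, String method, Object... args) throws Throwable {
            if (receiver == System.class) {
                throw new SecurityException("blocked: System." + method);
            }
            return invoker.call(receiver, method, args);
        }
    }

    /**
     * Build a shell whose script classloader delegates to the loader that defined Checker.
     * With an "uber" loader as parent, a second groovy-sandbox.jar shipped by another plugin
     * could win the lookup and the script would call into a Checker with no interceptors registered.
     */
    static GroovyShell sandboxedShell() {
        CompilerConfiguration cc = new CompilerConfiguration();
        cc.addCompilationCustomizers(new SandboxTransformer());
        ClassLoader parent = Checker.class.getClassLoader();
        return new GroovyShell(parent, new Binding(), cc);
    }

    /** Check that the Checker visible to the script loader is the very class object our interceptor uses. */
    static boolean checkerIsSameCopy(GroovyShell shell) throws ClassNotFoundException {
        Class<?> seen = Class.forName(Checker.class.getName(), false, shell.getClassLoader());
        return seen == Checker.class;
    }

    public static void main(String[] args) throws Exception {
        GroovyShell shell = sandboxedShell();
        if (!checkerIsSameCopy(shell)) {
            throw new IllegalStateException(
                "script loader resolves Checker to a different copy; interceptors would be bypassed");
        }

        GroovyInterceptor guard = new DenySystem();
        guard.register(); // interceptors are per-thread; evaluate on this same thread
        try {
            shell.evaluate("System.exit(1)"); // constructed script; onStaticCall fires and throws
            throw new AssertionError("sandbox did not intercept the call");
        } catch (SecurityException expected) {
            System.out.println("intercepted: " + expected.getMessage());
        } finally {
            guard.unregister();
        }
    }
}
```

The identity comparison in checkerIsSameCopy is the practical test for this class of bug: two copies of the same class name loaded by different loaders are distinct Class objects with separate static state, so an interceptor registered through one copy is invisible to code linked against the other.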

People

Assignee: Kohsuke Kawaguchi (kohsuke)
Reporter: Kohsuke Kawaguchi (kohsuke)
Votes: 0
Watchers: 3
