Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-25348

Multiple copies of groovy-sandbox jar compromises security

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Component/s: script-security-plugin
    • Labels:
      None
    • Similar Issues:

      Description

      XMLEscapingTemplateEngine compiles a script with uberClassLoader. When SandboxTransformer runs and generates all sorts of references to Checker.checkedCall(...) and etc., these symbolic references are resolved against uberClassLoader.

      If another plugin happens to have groovy-sandbox.jar (like email-ext plugin does), then these calls will resolve against that, which means none of the interceptor will be invoked.

      script security plugin needs to set a custom parent classloader so that references to groovy-sandbox will always be resolved to the one visible from script-security.

        Attachments

          Activity

            People

            • Assignee:
              kohsuke Kohsuke Kawaguchi
              Reporter:
              kohsuke Kohsuke Kawaguchi
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: