  1. Jenkins
  2. JENKINS-28586

Method access/properties inside Closure

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Component/s: script-security-plugin
    • Labels:
      None

      Description

      Consider a closure that attempts to call methods/properties like the following:

      class Foo { def foo() {} }
      def c = { -> foo(); }
      c.delegate = new Foo();
      c();
      

      script-security currently tries to check the access at GroovyObject.invokeMethod. For example, the above would be rejected like this:

      org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object (Script1$_run_closure1 foo)
      

      This is hardly useful, because GroovyObject.invokeMethod is too generic to whitelist. It's much more sensible to figure out where this call is actually handled (in this case Foo.foo), then check the access of the target (in the case above this would have been allowed via ClassLoaderWhitelist).
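
      The resolution step described above, as an added Groovy example that is not script-security's own code: it walks a closure's owner and delegate in resolve-strategy order, finds the object that actually handles the call, and checks that target's signature. The names `approved`, `receivers` and `resolveTarget` are hypothetical, and nested closures (an owner that is itself a closure) are not followed.

```groovy
// Added illustration, not the plugin's implementation.
class Foo { def foo() {} }

// Hypothetical stand-in for a whitelist, using the signature style of the
// rejection message quoted in the description.
def approved = ['method Foo foo'] as Set

// The signature checked today: identical for every call made inside a closure,
// so approving it would approve all of them.
def generic = 'method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object'

// Candidate receivers in the order Groovy consults them for this closure.
List receivers(Closure c) {
    switch (c.getResolveStrategy()) {
        case Closure.DELEGATE_FIRST: return [c.getDelegate(), c.getOwner()]
        case Closure.OWNER_ONLY:     return [c.getOwner()]
        case Closure.DELEGATE_ONLY:  return [c.getDelegate()]
        case Closure.TO_SELF:        return []
        default:                     return [c.getOwner(), c.getDelegate()] // OWNER_FIRST
    }
}

// Returns the signature of the method that will really run, or null when no
// receiver responds (the call would end in a MissingMethodException anyway).
String resolveTarget(Closure c, String name, Object[] args) {
    for (receiver in receivers(c)) {
        if (receiver == null) continue
        def methods = receiver.metaClass.respondsTo(receiver, name, args)
        if (methods) {
            def m = methods[0]
            def params = m.nativeParameterTypes*.name
            return (['method', m.declaringClass.theClass.name, name] + params).join(' ')
        }
    }
    return null
}

def c = { -> foo() }
c.delegate = new Foo()

// The enclosing script (owner) has no foo(), so the delegate handles it.
def target = resolveTarget(c, 'foo', [] as Object[])
println "generic check  : ${generic} -> ${generic in approved ? 'allowed' : 'rejected'}"
println "resolved check : ${target} -> ${target in approved ? 'allowed' : 'rejected'}"

// A method found only on the owner resolves there instead of on Foo.
println "owner-side call: ${resolveTarget(c, 'run', [] as Object[])}"
```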


              People

              • Assignee:
                kohsuke Kohsuke Kawaguchi
                Reporter:
                kohsuke Kohsuke Kawaguchi