Jenkins / JENKINS-46000

Workaround/fix for env['varname'] after SECURITY-538


With the blacklisting of getAt in SECURITY-538, this has also broken my ability to access arbitrary environment variables from the env global variable (by doing env['varname'] or similar). I understand why getAt is blacklisted and the implications it has on other types; however, I'm not sure those cases apply to the environment variable list.

I found one workaround is to whitelist method org.jenkinsci.plugins.workflow.support.actions.EnvironmentAction getEnvironment, which then requires the variable to be accessed as env.getEnvironment().get(varname). Is it possible to whitelist getAt for the env object but not anything else? I'm inclined to think so since it's done for integer access and string indexing, but I'm not sure what the whitelist method would be.

            andne Andy Neebel