[JENKINS-50939] - Whitelist java.util.EnumSet

[marcosbento]

See JENKINS-50939, or see details here.

As suggested in https://jenkins.io/blog/2018/01/13/jep-200/, this merge request adds java.util.EnumMap to the whitelist (as it is "defined in the Java Platform"). Because no new feature is implemented, no autotests are provided.

Proposed changelog entries

• Whitelist java.util.EnumMap to prevent deserialization exception

Submitter checklist

• JIRA issue is well described
• Changelog entry appropriate for the audience affected by the change (users or developer, depending on the change). Examples
  * Use the Internal: prefix if the change has no user-visible impact (API, test frameworks, etc.)
• Appropriate autotests or explanation to why this change has no tests

[oleg-nenashev]

@marcosbento Actually you whitelist EnumSet, not EnumMap. Generally it looks good to me, but 2 comments:

• Could you please describe your use-case for it? Is it an open-source plugin? If yes, please reference the issue or commit
• Do you want it to be backported to Jenkins LTS? I'd guess so. If yes, we need a Jenkins JIRA ticket describing the issue and referencing this PR

Thanks in advance,

[marcosbento]

@oleg-nenashev yes, the goal is to whitelist java.util.EnumSet. Sorry for the typo.

This has impact on https://wiki.jenkins.io/display/JENKINS/PRQA+Plugin as reported directly reported by a customer (which didn't report a Jira issue). I've just reported the issue as https://issues.jenkins-ci.org/browse/JENKINS-50939.

Yes, it would be important to backport this to the Jenkins LTS.

[oleg-nenashev]

I am fine with that, let's see what @jglick says

[oleg-nenashev]

@marcosbento In any case, you can also add the type to the plugin's whitelist. In such case the class will be whitelisted for your users even before backporting

[jglick]

Fine if it works (and it is not SerializationProxy you need to whitelist).

You should really consider changing your plugin to serialize a simpler type, though, like Set<String>. The current deserialization logic notes that

// instead of cast to E, we should perhaps use elementType.cast()
// to avoid injection of forged stream, but it will slow the implementation

Not a security issue that I can see—you would just get a ClassCastException later—but from the perspective of plugin code being defensive about what it reads from disk, you are better off being explicit about the storage format rather than relying on magic.