Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

allow import of Groovy code from the workspace #1078

Merged
merged 1 commit into from
Jan 16, 2018
Merged

allow import of Groovy code from the workspace #1078

merged 1 commit into from
Jan 16, 2018

Conversation

daspilker
Copy link
Member

... when script security sandbox is enabled

The idea is to add an URLClassLoader as parent for the SandboxResolvingClassLoader. The URLClassLoader is created with a single URL, the directory of the DSL script to execute or the root of the workspace for inline scripts. And the URLClassLoader will not resolve compiles classes (findClass throws ClassNotFoundException), but allows to read resources when the Item.WORKSPACE has been granted. This allows the GroovyClassLoader from GroovyShell to pick up Groovy source files. And since the compiler configuration contains the SandboxTransformer, those source files are subject to the sandbox.

@daniel-beck
Copy link
Member

@jglick PTAL.

jglick
jglick reviewed Oct 31, 2017
View reviewed changes
Copy link
Member

@jglick jglick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do not follow the details of the patch. I cannot think of any vulnerability introduced by the concept: so long as you can ensure that any classes loaded are processed in source form by the sandbox transformer, it should be safe.

@markgargan
Copy link

Any update on this being merged, it would be very useful?

@bozhaojiang
Copy link

Any update on when this will be released?

@daspilker daspilker merged commit 2cd30c8 into jenkinsci:master Jan 16, 2018
@daspilker daspilker deleted the script-loading branch January 16, 2018 19:39
@basil
Copy link
Member

basil commented Feb 2, 2018

Are there any plans to allow for external libraries to be used in Job DSL scripts when security is enabled (e.g. by supporting additionalClasspath when security is enabled)?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jglick jglick jglick left review comments

@daniel-beck daniel-beck Awaiting requested review from daniel-beck

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
6 participants
@daspilker @daniel-beck @markgargan @bozhaojiang @basil @jglick