Changelog

From version 1.77 onward, see GitHub Releases.

Version 1.76

Release date: 2021-02-01

  • Improvement: Add the following to the default list of approved signatures (PR #308, PR #310):
    • All static methods and fields in java.lang.Math
    • All methods related to java.lang.StringBuilder and java.lang.StringBuffer
    • All methods related to java.lang.CharSequence and java.lang.String apart from String.intern()
    • All static methods and fields in java.nio.charset.Charset
    • All methods related to java.util.Base64, java.util.Base64.Decoder, and java.util.Base64.Encoder
  • Internal: Update dependencies and parent POM (PR #311, PR #313, PR #314, PR #316, PR #317, PR #321, PR #323, PR #324, PR #326)

Version 1.75

Release date: 2020-09-23

  • Fix sandbox bypass vulnerability
  • Improvement: Add the following to the default list of approved signatures:
    • DefaultGroovyMethods.and(Boolean, Boolean)
    • DefaultGroovyMethods.toBoolean(Boolean)
    • DefaultGroovyMethods.toDouble(String)
    • StringGroovyMethods.toBoolean(String)
    • StringGroovyMethods.toDouble(CharSequence)
    • StringGroovyMethods.toDouble(String)
    • StringGroovyMethods.toInteger(CharSequence)
    • StringGroovyMethods.toInteger(String)

Version 1.74

Release date: 2020-06-30

  • Improvement: On the Manage Jenkins page in Jenkins 2.226 and newer, display the link to the In-process Script Approval page under "Security" instead of "Uncategorized". (PR 302)
  • Improvement: Add the following to the list of approved Jenkins-related signatures:
    • BallColor.getHtmlBaseColor
    • Result.color
    • Result.fromString(String)

Version 1.73

Release date: 2020-06-03

Version 1.72

Release date: 2020-05-11

  • This plugin now requires Jenkins 2.176.4 or newer.
  • Improvement: Add various methods to the default list of approved signatures: (JENKINS-61952, PR 242, PR 295, PR 296)
    • Remaining java.util.regex.Matcher methods
    • Methods related to java.time.Instant
    • Methods and fields defined on java.text.DateFormat
    • Most methods defined on java.text.Format
    • Methods and fields defined on java.util.Calendar
    • Boolean.booleanValue
    • Collection.containsAll(Collection)
    • List.indexOf(Object)
    • Various extension methods defined in DefaultGroovyMethods
  • Improvement: Make SecureGroovyScript and ClasspathEntry serializable so that they can be used by Active Choices Plugin. (JENKINS-39742)
  • Fix: Clear static field signatures correctly when signature approvals are reset. (PR 290)
  • Internal: Update parent POM and minimum required Jenkins version to fix build errors when testing against new versions of Jenkins. (PR 293)
  • Internal: Update caffeine dependency to 2.8.2. (PR 294)

Version 1.71

Release date: 2020-03-09

Version 1.70

Release date: 2020-03-18

Version 1.69

Release date: 2020-01-27

  • Improvement: Add various methods to the default list of approved signatures: (PR 280, PR 281, PR 283)
    • All remaining static methods in the java.util.Collections class
    • Groovy's List.getAt(Collection) extension method
    • Groovy's List.transpose() extension method
    • Integer.parse(String, int)
    • All of the fields in the java.time.DayOfWeek enum
  • Internal: Add better logging for issues encountered in tests, update test-scope dependencies. (PR 279, PR 284)

Version 1.68

Release date: 2019-11-21

Version 1.67

Release date: 2019-11-13

  • Fix: Remove approved signatures that did not correspond to real signatures. (PR 268)
  • Improvement: Add the following to the default list of approved signatures:
    • Object[].getAt(IntRange)
    • All remaining methods in the java.util.regex package
    • Getters/setters on Date
    • Various extension methods defined in DateGroovyMethods
  • Internal: Migrate Wiki content to GitHub. (PR 264)

Version 1.66

Release date: 2019-10-01

  • JENKINS-59587 - Fix issue that caused a cache used by the class loader for sandboxed Groovy scripts to be cleared out by the garbage collector when it should not have been. This could lead to performance issues for complex sandboxed scripts.

Version 1.65

Release date: 2019-10-01

Version 1.64

Release date: 2019-09-13

Version 1.63

Release date: 2019-09-12

Version 1.62

Release date: 2019-07-31

Version 1.61

Release date: 2019-07-05

  • JENKINS-56682 - Fix the use of script-level initializers in sandboxed Groovy scripts, which was a regression from version 1.54.
  • JENKINS-47430 - Replace the Guava cache used for sandbox class loading with Caffeine to fix some performance issues and deadlocks.
  • Add the following methods to the default list of approved signatures:
    • Number.times(Closure)
    • new PrintWriter(Writer)
    • Reader.read()
    • Reader.read(char[])
    • Reader.read(char[], int, int)
    • Reader.reset()
    • Reader.skip(long)
    • Writer.write(char[])
    • Writer.write(char[], int, int)
    • Writer.write(int)
    • Writer.write(String)
    • Writer.write(String, int, int)
    • Appendable.append(char)
    • Appendable.append(CharSequence)
    • Appendable.append(CharSequence, int, int)
    • AutoCloseable.close()
    • Flushable.flush()
    • new LinkedHashSet()
    • List.add(int, Object)
    • Matcher.find()
    • DefaultGroovyMethods.getAt(Object[], Range)
    • DefaultGroovyMethods.reverse(List)

Version 1.60

Release date: 2019-05-31

  • SandboxResolvingClassLoader.parentClassCache could leak loaders in a different way (PR 253)

Version 1.59

Release date: 2019-04-18

  • SandboxResolvingClassLoader.parentClassCache could leak loaders (PR 252)
  • JENKINS-57299 - Add the following methods to the default list of approved signatures:
    • DefaultGroovyMethods.drop(Iterable, int)
    • DefaultGroovyMethods.drop(List, int)
    • DefaultGroovyMethods.dropRight(Iterable, int)
    • DefaultGroovyMethods.dropRight(List, int)
    • DefaultGroovyMethods.take(List, int)
    • DefaultGroovyMethods.takeRight(Iterable, int)
    • DefaultGroovyMethods.takeRight(List, int)

Version 1.58

Release date: 2019-04-18

  • Always block System.exit(int), Runtime#halt(int), and Runtime#exit(int)
  • JENKINS-34973 - Add script approvals from within try/catch blocks.

Version 1.57

Release date: 2019-04-11

  • Add the following methods to the default list of approved signatures:
    • Map.getOrDefault(Object, Object)
    • Map.putIfAbsent(Object, Object)
    • Map.replace(Object, Object)
    • Map.replace(Object, Object, Object)

Version 1.56

Release date: 2019-03-25

Version 1.55

Release date: 2019-03-18

  • JENKINS-55303 - Internal: Update tests and test-scope dependencies so that the plugin can build with all tests passing on Java 11.

Version 1.54

Release date: 2019-03-06

Version 1.53

Release date: 2019-02-19

Version 1.52

Release date: 2019-02-13

  • Add the following methods to the default list of approved signatures:
    • DateTimeFormatter.ofPattern(String)
    • Iterable.take(int)
    • List.subList(int, int)

Version 1.51

Release date: 2019-01-28

Version 1.50

Release date: 2019-01-08

Version 1.49

Release date: 2018-11-30

  • Make sure expensive log lines are only created if the appropriate logging level is enabled (PR #232)

  • Add the following methods to the default list of approved signatures:

    • String#indexOf(int)
    • String#indexOf(int, int)
    • String#indexOf(String, int)
    • String#lastIndexOf(int)
    • String#lastIndexOf(int, int)
    • String#lastIndexOf(String, int)

Version 1.48

Release date: 2018-10-29

Version 1.47

Release date: 2018-10-17

  • Add the following methods to the default list of approved signatures:
    • DefaultGroovyMethods#leftShift(Writer, Object)
    • Class#isInstance(Object)
    • Throwable#getCause()
    • Arrays#asList(Object[])
    • Matcher#group(String)
    • DefaultGroovyMethods#minus(List, Collection)
    • DefaultGroovyMethods#asBoolean(CharSequence)
    • Various methods in the java.time package
  • Thanks, open source contributors TobiX, haridsv, kevinkjt2000!

Version 1.46

Release date: 2018-09-05

  • JENKINS-53420 - Fix MissingPropertyException when executing Pipeline steps.

Version 1.45

Release date: 2018-09-04

  • JENKINS-50843 - Allow calling Closure elements of a Map as methods.

  • JENKINS-51332 - Add Calendar constants for days of the week and months (such as MONDAY and APRIL) to the default list of approved signatures.

  • JENKINS-50906 - Allow this.foo() for closure variables.

  • Downgrade the logging level for the message about slow class loading and increase its threshold from 250ms to 1s.

  • Add the following methods to the default list of approved signatures:

    • DefaultGroovyMethods#addAll(Collection, Object[])
    • DefaultGroovyMethods#asImmutable(Map)
    • DefaultGroovyMethods#flatten(List)
    • DefaultGroovyMethods#getAt(List, Range)
    • DefaultGroovyMethods#subMap(Map, Object[])
    • DefaultGroovyMethods#subMap(Map, Collection)

Version 1.44

Release date: 2018-04-27

  • Add DefaultGroovyMethods.toLong(String) to the default list of approved signatures.
  • JENKINS-50470 - fix handling of ArrayList.someField to behave as a spread operation.
  • JENKINS-46882 - Add new Exception(String) to the default list of approved signatures.

Version 1.43

Release date: 2018-03-28

  • Add DefaultGroovyMethods.collate methods to the default list of approved signatures.
  • JENKINS-50380 - Stop going through checkedCast process for objects that can be assigned to the target class and just return them instead.
  • Add Collection#remove(int) and List#remove(int) to the default list of approved signatures.
  • Add the DefaultGroovyMethods sort, toSorted, unique, max, min, and abs methods to the default list of approved signatures. Note that using these (other than abs) in Pipeline code will not work until JENKINS-44924 is resolved.
  • Slightly improved error messages, replacing unclassified ... for cases where we couldn't find a method, field, constructor, etc. matching the signature.

Version 1.42

Release date: 2018-03-12

  • JENKINS-45982 - Fix an issue with calling super for a CPS-transformed method.
  • JENKINS-49542 - Add Map#isEmpty() to the default list of approved signatures.
  • Add DefaultGroovyMethods.multiply(String, Number), DefaultGroovyMethods.with(Object, Closure), Object#hashCode(), Objects.hash(Object[]), DefaultGroovyMethods.first(...), and DefaultGroovyMethods.last(...) to the default list of approved signatures.

Version 1.41

Release date: 2018-02-08

  • Major improvement: greatly reduce time required to check whether signatures are approved for some implementations of Whitelist
  • Major improvement: allow permission checks to multithread - eliminate lock contention with concurrent calls
  • Improve UX for clearing dangerous signatures JENKINS-22660
  • Add Integer.toString(int, int) to the default list of approved signatures
  • Add DefaultGroovyMethods toListString and toMapString to the default list of approved signatures

Version 1.40

Release date: 2018-01-10

  • Block System.getNanoTime() to prevent Spectre/Meltdown exploits.
  • Add DefaultGroovyMethods#contains(Iterable,Object) to the default list of approved signatures.

Version 1.39

Release date: 2017-12-12

  • JENKINS-48501 - Fix NPE regression caused by fix for JENKINS-48364 and JENKINS-46213.

Version 1.38

Release date: 2017-12-11

  • JENKINS-46764 - Log useful message when scriptApproval.xml is malformed.
  • JENKINS-48364 - Treat null first vararg param properly.
  • JENKINS-46213 - Treat trailing array parameters as varargs when appropriate.

Version 1.37

Release date: 2017-12-11

Version 1.36

Release date: 2017-11-29

  • JENKINS-47159, JENKINS-47893 - Fix two issues with varargs handling.
  • Add more collection methods to the default list of approved signatures.
  • Hide ScriptApproval link if there are no pending or approved signatures.
  • Introduced support for SystemCommandLanguage

Version 1.35

Release date: 2017-11-02

  • JENKINS-47758 - New feature: plugins using the SecureGroovyScript.evaluate method are automatically protected against Groovy memory leaks (most plugins)
    • Notable plugin exceptions: email-ext, matrix-project, ontrack (may be covered by a later enhancement), job-dsl (needs a bespoke implementation) and splunk-devops plugins (can't cover - doesn't use enough script-security APIs)
    • Pipeline offered its own leak protection mechanism (this is based on that)
  • JENKINS-35294 - VarArgs support for enums
  • Add map.get, List, minus, padLeft and padRight to the default list of approved signatures (thanks to community contributions from GitHub users ryankillory, Ignition, and andrey-fomin!)
  • JENKINS-47666 - Add math.max and math.min to the default list of approved signatures
  • JENKINS-44557 - Properly cast GString (Groovy dynamic/templated string) in varargs

Version 1.34

Release date: 2017-09-05

  • JENKINS-46391 - Properly handle ~/foo/ regexp declarations and some other Pattern methods.
  • JENKINS-46358 - Add StringGroovyMethods including replaceAll, and findAll to the default list of approved signatures.

Version 1.33

Release date: 2017-08-16

  • JENKINS-46088 Fix problems caused by double sandbox transformation of the right-hand side of declarations.
  • JENKINS-33468 Allow use of the implicit closure parameter it.
  • JENKINS-45776 Better handling of the scoping of closure local variables.
  • JENKINS-46191 Fix compilation of empty declarations, such as String foo;, in the sandbox.

Version 1.32

Release date: 2017-08-16

  • Failed release due to repository permissions issues; replaced by 1.33.

Version 1.31

Release date: 2017-08-07

Version 1.30

Release date: 2017-07-25

Now requires Jenkins 2.7.x or later, i.e., versions of Jenkins running Groovy 2.x.

  • Add signatures to the lists of approved and dangerous signatures.

  • JENKINS-42563 Handling super calls to methods.

  • Be explicit about classpath directory rejection reason.

  • JENKINS-45117 Apply specificity comparisons to constructors, not just methods.

  • JENKINS-37129 Throw a more helpful MissingMethodException rather than an “unclassified” error.

  • Cleanup of math operations.

  • JENKINS-34599 Allow final fields to be set.

  • JENKINS-45629 Field initializers could produce a NullPointerException during script transformation.

Version 1.29.1

Release date: 2017-07-10

Version 1.29

Release date: 2017-06-15

  • Add various signatures to the default list of approved signatures, particularly for DefaultGroovyMethods.

Version 1.28

Release date: 2017-06-05

  • JENKINS-34741 Unclassified error when using Groovy struct constructors.

  • Update the default list of approved signatures.

Version 1.27

Release date: 2017-02-27

  • JENKINS-41797 Race condition could corrupt internal metadata used to check whether signatures are approved.
  • JENKINS-39159 File handle leak when using custom script classpath could lead to unwanted locks on Windows or NFS.
  • Update the default list of approved signatures.

Version 1.26

Release date: 2017-02-13

  • Update the default list of approved signatures.

Version 1.25

Release date: 2017-01-03

  • Update the lists of approved and dangerous signatures.
  • Display a warning about previously approved signatures which are now in the list of dangerous signatures.

Version 1.24

Release date: 2016-10-20

  • JENKINS-38908 Improper handling of some varargs methods.
  • Update the default list of approved signatures.

Version 1.23

Release date: 2016-09-21

Version 1.22

Release date: 2016-08-15

  • Introduce a class loader caching layer for the Groovy sandbox to work around core performance limitations such as JENKINS-23784.
  • JENKINS-37344 Add collection-related signatures to the default list of approved signatures.

Version 1.21

Release date: 2016-07-11

  • Add build changelog-related signatures to the default list of approved Jenkins-related signatures (JENKINS-30412).

Version 1.20

Release date: 2016-06-20

  • Update the default list of approved signatures.
  • JENKINS-34739 Support for varargs methods.
  • JENKINS-33023 enum initializer fixes.
  • Add RunWrapper.getRawBuild to the list of dangerous signatures.

Version 1.19

Release date: 2016-04-26

  • JENKINS-24399 Prohibit class directories from being approved classpath entries.
  • JENKINS-33023 Support enum initializers.
  • Permit metaclass methods to be run.
  • Update the lists of approved and dangerous signatures.

Version 1.18.1

Release date: 2016-04-11

  • Security release (CVE-2016-3102); see the security advisory.

Version 1.18

Release date: 2016-04-04

  • Groovy prefers a getter/setter to a field access, so act accordingly, particularly when suggesting signatures to approve.
  • JENKINS-27725 Various fixes to handling of GDK methods.
  • Update the lists of approved and dangerous signatures.
  • JENKINS-26481 Supporting fix to GDK method handling necessary to support calls such as Object.each(Closure) from groovy-cps Pipeline.

Version 1.17

Release date: 2016-01-25

  • obj.prop should interpret boolean TheClass.isProp(), not just boolean TheClass.getProp().

Version 1.16

Release date: 2016-01-19

  • Update the default list of approved signatures, including standard Groovy operators and GDK methods.
  • JENKINS-30432 Warn about dangerous signatures.
  • JENKINS-31234 Groovy allows Singleton.instance as an alias for Singleton.getInstance(); handled.
  • JENKINS-31701 Misclassification of a method taking long and being passed an int.

Version 1.15

Release date: 2015-08-20

  • Update the default list of approved signatures.
  • Properly classify pseudofields of a Map.
  • JENKINS-29541 Methods on a GString may really be called on a String.
  • Corrected classification of methods ambiguous between GroovyDefaultMethods and invokeMethod.
  • JENKINS-28586 Corrected handling of receivers inside a Closure.
  • JENKINS-28154 Fixing handling of Groovy operators.

Version 1.14

Release date: 2015-04-22

  • Better error message when you mistype a method name on a Groovy class.
  • Default to using sandbox mode when the current user is not an administrator.

Version 1.13

Release date: 2015-02-02

  • Testability fix only.

Version 1.12

Release date: 2014-12-04

  • JENKINS-25914 Allow env in Pipeline plugins with a special implementation of Whitelist.
  • Add Collection.contains to the default list of approved signatures.

Version 1.11

Release date: 2014-12-03

  • Handling some more Groovy constructs, such as the =~ operator, and GDK methods like Iterable.join(String).

Version 1.10

Release date: 2014-11-14

Version 1.9

Release date: 2014-11-04

  • Code can escape the sandbox if there are multiple copies of groovy-sandbox.jar in Jenkins (JENKINS-25348)

Version 1.8

Release date: 2014-10-29

  • groovy-sandbox 1.8 has a few fixes.

Version 1.7

Release date: 2014-10-13

Version 1.6

Release date: 2014-10-02

  • Handle GroovyObject.invokeMethod(String,Object) correctly during call site selection.

Version 1.5

Release date: 2014-08-19

Version 1.4

Release date: 2014-06-08

  • Do not bother enforcing whole-script approval when Jenkins is unsecured anyway.
  • Some changes to make writing acceptance tests easier.

Version 1.3

Release date: 2014-05-13

  • Fixing some regressions from 1.2.

Version 1.2

Release date: 2014-05-13

  • Updated Groovy sandbox library for better language coverage.

Version 1.1

Release date: 2014-05-06

  • Making it possible to use Groovy functions with def syntax.
  • Added GroovySandbox.run so that methods defined in the script itself are always allowed.

Version 1.0

Release date: 2014-04-15

  • String concatenation fix in sandbox.
  • Preapprove the empty script.
  • Support for static fields in sandbox.
  • Changed package of AbstractWhitelist.

Version 1.0 beta 6

Release date: 2014-03-31

  • Added SecureGroovyScript convenience class.

Version 1.0 beta 5

Release date: 2014-03-13

  • Fixed various bugs in the Groovy sandbox.
  • Added AbstractWhitelist.

Version 1.0 beta 4

Release date: 2014-03-12

  • Refactored Whitelist to support GString and more

Version 1.0 beta 3

Release date: 2014-03-01

  • Reverted GString fix for now

Version 1.0 beta 2

Release date: 2014-02-28

  • @Whitelisted
  • initialization bug fix
  • Groovy GString fix

Version 1.0 beta 1

Release date: 2014-02-28

  • Initial version.