More generic methods whitelisted #12
Conversation
Thank you for a pull request! Please check this document for how the Jenkins project handles pull requests
@jglick, can I start throwing more harmless methods in, or this really needs to be reviewed?
method java.lang.String startsWith java.lang.String
method java.lang.String replace java.lang.CharSequence java.lang.CharSequence
method java.util.Collection contains java.lang.Object
staticMethod java.lang.System getenv java.lang.String
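Review bot: the `staticMethod java.lang.System getenv java.lang.String` entry should be dropped before this is merged. It lets any sandboxed script read the environment of the JVM that evaluates it, which on the master is where credentials and tokens commonly live, so it is not in the same harmless class as the three entries above it. The `String.startsWith`, `String.replace` and `Collection.contains` entries only act on their own receiver and arguments and look fine.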
I would not add getenv as it could perhaps be used to steal secrets from the master. (Probably not, but seems suspicious.)
I found it in a couple of our combination filters so I am interested in this one. It is imho impossible to keep the env-vars private if we allow master to run builds (even matrix parents). Perhaps it is not even necessary.
> if we allow master to run builds

If you allow that, then you might as well disable security entirely.
It needs to be reviewed I think, but yes please go ahead and add more to the PR if you have the time. BTW JENKINS-25804.
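To make the review point concrete, here is an added example that is not the script-security plugin's own code: a small Python model of the plain-text whitelist format used by the entries in this PR, where each line is `method <declaring class> <name> <parameter types...>` or `staticMethod <declaring class> <name> <parameter types...>`. The model assumes matching is by exact signature (declaring class, method name and parameter types), which is what the entry format encodes; the names `parse_whitelist`, `is_whitelisted`, `getenv_allowed` and `without_getenv` are this example's own. It shows that the `java.lang.CharSequence` overload of `replace` does not cover `replace(char, char)`, and how dropping the `getenv` line (as the PR ended up doing) changes what a sandboxed script may call.

```python
# Added example, not the script-security plugin's own code: a minimal model
# of its whitelist line format,
#   method <declaring class> <method name> <parameter types...>
#   staticMethod <declaring class> <method name> <parameter types...>
# Matching is modelled as exact-signature equality (an assumption of this
# model). The sample list below is constructed from the four entries in
# this PR; getenv is kept in the sample only so the check can show what
# removing it changes.
from typing import NamedTuple, Set, Tuple


class Signature(NamedTuple):
    kind: str                 # "method" or "staticMethod"
    clazz: str                # fully qualified declaring class
    name: str                 # method name
    params: Tuple[str, ...]   # fully qualified parameter types, in order


def parse_whitelist(text: str) -> Set[Signature]:
    """Parse whitelist lines into exact signatures; blank and '#' lines are skipped."""
    entries: Set[Signature] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("method", "staticMethod"):
            raise ValueError(f"malformed whitelist line: {raw!r}")
        entries.add(Signature(parts[0], parts[1], parts[2], tuple(parts[3:])))
    return entries


def is_whitelisted(entries: Set[Signature], kind: str, clazz: str, name: str, *params: str) -> bool:
    """Exact-signature match: kind, declaring class, name and parameter types must all agree."""
    return Signature(kind, clazz, name, tuple(params)) in entries


# Constructed sample: the four entries proposed in this PR.
PR_WHITELIST = """\
method java.lang.String startsWith java.lang.String
method java.lang.String replace java.lang.CharSequence java.lang.CharSequence
method java.util.Collection contains java.lang.Object
staticMethod java.lang.System getenv java.lang.String
"""


def getenv_allowed(text: str = PR_WHITELIST) -> bool:
    """True if a sandboxed script could call System.getenv(String) under this list."""
    return is_whitelisted(parse_whitelist(text), "staticMethod",
                          "java.lang.System", "getenv", "java.lang.String")


def without_getenv(text: str) -> str:
    """Drop the getenv entry, as the PR ended up doing ("Removing")."""
    kept = [line for line in text.splitlines() if " getenv " not in line]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    entries = parse_whitelist(PR_WHITELIST)
    # Listed overload: allowed.
    print(is_whitelisted(entries, "method", "java.lang.String", "startsWith", "java.lang.String"))  # True
    # Only the CharSequence overload of replace is listed; replace(char, char) stays blocked.
    print(is_whitelisted(entries, "method", "java.lang.String", "replace", "char", "char"))  # False
    # Before and after removing the getenv line.
    print(getenv_allowed(), getenv_allowed(without_getenv(PR_WHITELIST)))  # True False
```

The point of the exact-signature check is that a whitelist grows one overload at a time, so each added line is a deliberate grant; the `getenv` line is the one grant here that reaches outside the script's own data, which is why it was pulled before merge.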
65a2261 to a4f1e34 (compare)
Removing
👍, feel free to merge or continue.
More generic methods whitelisted
Whitelist some more prototypes I run into.