[JENKINS-63171] Add more generic whitelist entries #304
Conversation
| @@ -642,6 +642,7 @@ staticMethod org.codehaus.groovy.runtime.DateGroovyMethods upto java.util.Calend | |||
| staticMethod org.codehaus.groovy.runtime.DateGroovyMethods upto java.util.Date java.util.Date groovy.lang.Closure | |||
| staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods abs java.lang.Number | |||
| staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods addAll java.util.Collection java.lang.Object[] | |||
| staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods and java.lang.Boolean java.lang.Boolean | |||
There was a problem hiding this comment.
| @@ -965,7 +966,9 @@ staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods take java.util.Lis | |||
| staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods takeRight java.lang.Iterable int | |||
| staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods takeRight java.util.List int | |||
| staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods times java.lang.Number groovy.lang.Closure | |||
| staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods toBoolean java.lang.Boolean | |||
There was a problem hiding this comment.
Looks like this method is @Deprecated and delegates to StringGroovyMethods.toBoolean(String), so I would also add that method at the same time. The implementation is safe, although a bit weird (special cases for "y" and "1"): https://github.com/apache/groovy/blob/731d4daa78b9cd32bea724d2d651aa1164eef6cc/src/main/org/codehaus/groovy/runtime/StringGroovyMethods.java#L3240-L3248
| staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods toBoolean java.lang.String | ||
| staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods toDouble java.lang.String |
There was a problem hiding this comment.
Ditto, this method is @Deprecated and delegates to StringGroovyMethods.toDouble(CharSequence), so I would add that method at the same time. The implementation looks safe: https://github.com/apache/groovy/blob/731d4daa78b9cd32bea724d2d651aa1164eef6cc/src/main/org/codehaus/groovy/runtime/StringGroovyMethods.java#L3270-L3272
src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist
Outdated
Show resolved
Hide resolved
| staticMethod org.codehaus.groovy.runtime.StringGroovyMethods toInteger java.lang.CharSequence | ||
| staticMethod org.codehaus.groovy.runtime.StringGroovyMethods toInteger java.lang.String |
There was a problem hiding this comment.
Ok one last thing, but DefaultGroovyMethods.toInteger(String) (which is deprecated) is (I think) the method that SandboxInterceptor will actually think you are calling if you write something like "123".toInteger(), so you probably need to add that one too. Regular Groovy does not consider deprecated methods when selecting extension methods, so I asked you to add the non-deprecated StringGroovyMethods equivalents in case we ever fix that bug 😅
There was a problem hiding this comment.
I still have that in the file, don't I?
There was a problem hiding this comment.
Ah, I missed that it was already present before your changes, so yeah it should be fine as-is.
https://issues.jenkins-ci.org/browse/JENKINS-63171