SECURITY-2311

jenkinsci · Apr 19, 2021 · aed14be · aed14be
1 parent 20b19f3
commit aed14be
Show file tree

Hide file tree

Showing 11 changed files with 180 additions and 207 deletions.
diff --git a/Justfile b/Justfile
@@ -68,6 +68,53 @@ release version branch=`git branch --show-current`:
   # publish the JPI
   ./gradlew publish
 
+# when done with a branch in your fork, run `just finish` to delete the local/remote branch and resync with upstream
+finish:
+  #!/bin/bash
+
+  # make sure we arent deleting main or a release branch
+  current_branch=$(git rev-parse --abbrev-ref HEAD)
+  if [[ "${current_branch}" =~ (main|release/.*) ]]; then 
+    echo "you probably shouldn't delete ${current_branch}"
+    echo "this recipe is for feature branches on your fork"
+    exit 1
+  fi 
+
+  # make sure there arent local changes
+  if ! git diff-index --quiet HEAD --; then
+    echo "There are local changes: "
+    git status 
+    exit 1
+  fi 
+
+  # confirm theres a remote called origin
+  remotes=($(git remote))
+  if [[ ! " ${remotes[@]} " =~ " origin " ]]; then
+    echo "missing git remote origin"
+    exit 1
+  fi
+
+  # confirm theres a remote called upstream 
+  # and that its pointing at the right repo
+  if [[ " ${remotes[@]} " =~ " upstream " ]]; then
+    upstream_url=$(git remote get-url upstream)
+    if [[ ! "${upstream_url}" =~ "jenkinsci/templating-engine-plugin" ]]; then
+      echo "Git upstream url doesn't seem right: ${upstream_url}"
+      exit 1
+    fi
+  else 
+    echo "Missing git remote upstream"
+    exit 1
+  fi
+
+  # re-sync main & delete the previous branch
+  git fetch -a 
+  git checkout main
+  git merge upstream/main
+  git push origin main
+  git branch -d $current_branch
+  git push origin --delete $current_branch
+
 # run a containerized jenkins instace
 run flags='': 
   docker pull jenkins/jenkins:lts

diff --git a/build.gradle b/build.gradle
@@ -14,11 +14,11 @@ repositories {
 }
 
 group = 'org.jenkins-ci.plugins'
-version = '2.1'
+version = '2.2'
 description = 'Allows users to create tool-agnostic, templated pipelines to be shared by multiple teams'
 
 jenkinsPlugin {
-    coreVersion = '2.138.1'
+    coreVersion = '2.176.4'
     shortName = 'templating-engine'
     displayName = 'Templating Engine'
     url = 'https://github.com/jenkinsci/templating-engine-plugin'
@@ -48,6 +48,7 @@ dependencies {
     implementation 'org.jenkins-ci.plugins:scm-api:2.2.7'
     implementation 'org.jenkins-ci.plugins:junit:1.24'
     implementation 'org.jenkins-ci.plugins:github-branch-source:2.5.1'
+    implementation 'org.jenkins-ci.plugins:script-security:1.76'
     implementation 'org.jgrapht:jgrapht-core:1.4.0'
 
     // unit test dependencies

diff --git a/docs/antora.yml b/docs/antora.yml
@@ -1,6 +1,6 @@
 name: jte
 title: Jenkins Templating Engine
-version: '2.1'
+version: '2.2'
 start_page: ROOT:index.adoc
 nav:
 - modules/ROOT/nav.adoc

diff --git a/src/main/groovy/org/boozallen/plugins/jte/init/governance/config/dsl/DslSandbox.groovy b/src/main/groovy/org/boozallen/plugins/jte/init/governance/config/dsl/DslSandbox.groovy
diff --git a/.../org/boozallen/plugins/jte/init/governance/config/dsl/PipelineConfigurationBuilder.groovy b/.../org/boozallen/plugins/jte/init/governance/config/dsl/PipelineConfigurationBuilder.groovy
@@ -16,6 +16,7 @@
 package org.boozallen.plugins.jte.init.governance.config.dsl
 
 import static PipelineConfigurationDsl.ConfigBlockMap
+import org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.Whitelisted
 import org.codehaus.groovy.runtime.GStringImpl
 
 /**
@@ -25,17 +26,22 @@ import org.codehaus.groovy.runtime.GStringImpl
  * configuration into a LinkedHashMap and populate a {@link PipelineConfigurationObject}
  * that has been injected into the binding by {@link PipelineConfigurationDsl}.
  */
+@SuppressWarnings('AbstractClassWithPublicConstructor')
 abstract class PipelineConfigurationBuilder extends Script{
 
     List objectStack = []
     List nodeStack = []
     Boolean recordMergeKey = false
     Boolean recordOverrideKey = false
 
+    @SuppressWarnings('UnnecessaryConstructor') @Whitelisted PipelineConfigurationBuilder(){
+        super()
+    }
+
     /*
         used purely to catch syntax errors such as:
 
-        1. someone trying to set a configuraiton key to an unquoted string
+        1. someone trying to set a configuration key to an unquoted string
 
             a = b
             vs
@@ -61,15 +67,18 @@ abstract class PipelineConfigurationBuilder extends Script{
 
     }
 
+    @Whitelisted
     void setMergeToTrue(){
         recordMergeKey = true
     }
 
+    @Whitelisted
     void setOverrideToTrue(){
         recordOverrideKey = true
     }
 
     @SuppressWarnings(['MethodParameterTypeRequired', 'NoDef'])
+    @Whitelisted
     BuilderMethod methodMissing(String name, args){
         objectStack.push([:])
         nodeStack.push(name)
@@ -83,7 +92,7 @@ abstract class PipelineConfigurationBuilder extends Script{
         if (objectStack.size()){
             objectStack.last() << [ (nodeName): nodeConfig ]
         } else {
-            pipelineConfig.config << [ (name): nodeConfig]
+            getBinding().getVariable("pipelineConfig").config << [ (name): nodeConfig]
         }
         return BuilderMethod.METHOD_MISSING(name)
     }
@@ -112,7 +121,7 @@ abstract class PipelineConfigurationBuilder extends Script{
         if (objectStack.size()){
             objectStack.last()[name] = v
         } else {
-            pipelineConfig.config[name] = v
+            getBinding().getVariable("pipelineConfig").config[name] = v
         }
     }
 
@@ -121,7 +130,19 @@ abstract class PipelineConfigurationBuilder extends Script{
         if (objectStack.size()){
             objectStack.last()[name] = [:]
         } else {
-            pipelineConfig.config[name] = [:]
+            getBinding().getVariable("pipelineConfig").config[name] = [:]
+        }
+        return BuilderMethod.PROPERTY_MISSING(name)
+    }
+
+    Object getProperty(String name){
+        recordMergeOrOverride(name)
+        if (objectStack.size()){
+            objectStack.last()[name] = [:]
+        } else if (name == "env"){
+            return getBinding().getVariable("env")
+        } else {
+            getBinding().getVariable("pipelineConfig").config[name] = [:]
         }
         return BuilderMethod.PROPERTY_MISSING(name)
     }
@@ -136,11 +157,11 @@ abstract class PipelineConfigurationBuilder extends Script{
             key += (key.length() ? ".${name}" : name)
         }
         if(recordMergeKey){
-            pipelineConfig.merge << key
+            getBinding().getVariable("pipelineConfig").merge << key
             recordMergeKey = false
         }
         if(recordOverrideKey){
-            pipelineConfig.override << key
+            getBinding().getVariable("pipelineConfig").override << key
             recordOverrideKey = false
         }
     }

diff --git a/...oovy/org/boozallen/plugins/jte/init/governance/config/dsl/PipelineConfigurationDsl.groovy b/...oovy/org/boozallen/plugins/jte/init/governance/config/dsl/PipelineConfigurationDsl.groovy
@@ -16,9 +16,8 @@
 package org.boozallen.plugins.jte.init.governance.config.dsl
 
 import org.apache.commons.lang.StringEscapeUtils
-import org.codehaus.groovy.control.CompilerConfiguration
+import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript
 import org.jenkinsci.plugins.workflow.flow.FlowExecutionOwner
-import org.kohsuke.groovy.sandbox.SandboxTransformer
 
 import java.util.regex.Pattern
 
@@ -37,6 +36,27 @@ class PipelineConfigurationDsl {
 
     }
 
+    /*
+        without this, something like:
+        application_environments{
+          dev
+        }
+
+        results in MissingPropertyException thrown for "dev"
+     */
+    static class DslBinding extends Binding {
+        PipelineConfigurationObject pipelineConfig
+        DslEnvVar env
+
+        @Override Object getVariable(String property){
+            switch (property){
+                case "pipelineConfig": return pipelineConfig
+                case "env": return env
+                default: return PipelineConfigurationBuilder.BuilderMethod.PROPERTY_MISSING
+            }
+        }
+    }
+
     FlowExecutionOwner flowOwner
 
     PipelineConfigurationDsl(FlowExecutionOwner flowOwner){
@@ -50,26 +70,20 @@ class PipelineConfigurationDsl {
 
         PipelineConfigurationObject pipelineConfig = new PipelineConfigurationObject(flowOwner)
         DslEnvVar env = new DslEnvVar(flowOwner)
-        Binding ourBinding = new Binding(
+        DslBinding ourBinding = new DslBinding(
             pipelineConfig: pipelineConfig,
             env: env
         )
 
-        CompilerConfiguration cc = new CompilerConfiguration()
-        cc.addCompilationCustomizers(new SandboxTransformer())
-        cc.scriptBaseClass = PipelineConfigurationBuilder.name
-
-        GroovyShell sh = new GroovyShell(this.getClass().getClassLoader(), ourBinding, cc)
         String processedScriptText = scriptText.replaceAll("@merge", "setMergeToTrue();")
-                                               .replaceAll("@override", "setOverrideToTrue();")
-
-        DslSandbox sandbox = new DslSandbox(env)
-        sandbox.register()
-        try {
-            sh.evaluate(processedScriptText)
-        } finally {
-            sandbox.unregister()
-        }
+                .replaceAll("@override", "setOverrideToTrue();")
+
+        SecureGroovyScript script = new SecureGroovyScript("""
+@groovy.transform.BaseScript org.boozallen.plugins.jte.init.governance.config.dsl.PipelineConfigurationBuilder _
+${processedScriptText}
+""", true)
+        script.configuringWithNonKeyItem()
+        script.evaluate(this.getClass().getClassLoader(), ourBinding, flowOwner.listener)
 
         return pipelineConfig
     }