[JENKINS-46177] Groovy sandbox checker for Publisher/Build/Parameters

Change-Id: I23b018ca9cb05b2a909360e5c3f0411171ae88d9
jenkinsci · Aug 15, 2017 · d50e013 · d50e013
1 parent 0a0bc31
commit d50e013
Show file tree

Hide file tree

Showing 4 changed files with 322 additions and 364 deletions.
diff --git a/src/main/java/org/jenkins/ci/plugins/jenkinslint/check/GroovySandboxChecker.java b/src/main/java/org/jenkins/ci/plugins/jenkinslint/check/GroovySandboxChecker.java
@@ -1,9 +1,14 @@
 package org.jenkins.ci.plugins.jenkinslint.check;
 
-import hudson.model.Item;
-import hudson.model.Job;
+import hudson.PluginWrapper;
+import hudson.model.*;
+import hudson.tasks.Builder;
+import hudson.tasks.Publisher;
+import hudson.util.DescribableList;
+import jenkins.model.Jenkins;
 import org.jenkins.ci.plugins.jenkinslint.model.AbstractCheck;
 
+import java.util.List;
 import java.util.logging.Level;
 
 /**
@@ -19,32 +24,148 @@ public GroovySandboxChecker(boolean enabled) {
 
     public boolean executeCheck(Item item) {
         LOG.log(Level.FINE, "executeCheck " + item);
+        boolean found = false;
         if (item instanceof Job) {
             // Pipeline support
             if (item.getClass().getSimpleName().equals("WorkflowJob")) {
                 try {
                     Object getDefinition = item.getClass().getMethod("getDefinition", null).invoke(item);
                     if (getDefinition.getClass().getSimpleName().equals("CpsFlowDefinition")) {
-                        return !isSandbox(getDefinition);
+                        found = !isPipelineSandbox(getDefinition);
                     }
                 } catch (Exception e) {
                     LOG.log(Level.FINE, "Exception " + e.getMessage(), e.getCause());
                 }
             }
         }
-        return false;
+        PluginWrapper plugin = Jenkins.getInstance().pluginManager.getPlugin("groovy");
+        if (plugin!=null && plugin.getVersionNumber().isNewerThan(new hudson.util.VersionNumber("1.30"))) {
+            if (item.getClass().getSimpleName().equals("MavenModuleSet")) {
+                try {
+                    Object getPrebuilders = item.getClass().getMethod("getPrebuilders", null).invoke(item);
+                    if (!isSystemSandbox((List) getPrebuilders)) {
+                        found = true;
+                    }
+                } catch (Exception e) {
+                    LOG.log(Level.WARNING, "Exception " + e.getMessage(), e.getCause());
+                }
+            }
+            if (item instanceof Project && !isSystemSandbox(((Project) item).getBuilders())) {
+                found = true;
+            }
+            if (item.getClass().getSimpleName().equals("MatrixProject")) {
+                try {
+                    Object getBuilders = item.getClass().getMethod("getBuilders", null).invoke(item);
+                    if (!isSystemSandbox((List) getBuilders)) {
+                        found = true;
+                    }
+                } catch (Exception e) {
+                    LOG.log(Level.WARNING, "Exception " + e.getMessage(), e.getCause());
+                }
+            }
+        }
+
+        if (item instanceof AbstractProject) {
+            if (!isSandboxInPublisher(((AbstractProject) item).getPublishersList())) {
+                found = true;
+            }
+
+            if (((AbstractProject) item).getProperty(ParametersDefinitionProperty.class) != null) {
+                if (!isSandboxParameters(((ParametersDefinitionProperty) ((AbstractProject) item).getProperty(ParametersDefinitionProperty.class)).getParameterDefinitions())) {
+                    found = true;
+                }
+            }
+        }
+
+        return found;
     }
 
-    private boolean isSandbox(Object object) {
+    private boolean isPipelineSandbox(Object object) {
         boolean status = true;
         if (object != null) {
             try {
-                Object isSandbox = object.getClass().getMethod("isSandbox", null).invoke(object);
-                return ((Boolean) isSandbox);
+                return isSandbox(object.getClass().getMethod("isSandbox", null).invoke(object));
             } catch (Exception e) {
                 LOG.log(Level.WARNING, "Exception " + e.getMessage(), e.getCause());
             }
         }
         return status;
     }
+
+    private boolean isSystemSandbox(List<Builder> builders) {
+        boolean status = true;
+        if (builders != null && builders.size() > 0 ) {
+            for (Builder builder : builders) {
+                if (builder.getClass().getName().endsWith("SystemGroovy")) {
+                    try {
+                        Object source = builder.getClass().getMethod("getSource",null).invoke(builder);
+                        if (source.getClass().getName().endsWith("StringSystemScriptSource")) {
+                            Object scriptSource = source.getClass().getMethod("getScript",null).invoke(source);
+                            if (scriptSource.getClass().getName().endsWith("SecureGroovyScript")) {
+                                if (!isSandbox(scriptSource.getClass().getMethod("isSandbox",null).invoke(scriptSource))) {
+                                    status = false;
+                                }
+                            }
+                        }
+                    } catch (Exception e) {
+                        LOG.log(Level.WARNING, "Exception " + e.getMessage(), e.getCause());
+                    }
+                }
+            }
+        }
+        return status;
+    }
+
+    private boolean isSandboxInPublisher(DescribableList<Publisher, Descriptor<Publisher>> publishersList) {
+        boolean status = true;
+        for (Publisher publisher : publishersList) {
+            if (publisher.getClass().getName().endsWith("GroovyPostbuildRecorder")) {
+                LOG.log(Level.FINEST, "GroovyPostbuildRecorder " + publisher);
+                try {
+                    Object scriptSource = publisher.getClass().getMethod("getScript",null).invoke(publisher);
+                    if (scriptSource.getClass().getName().endsWith("SecureGroovyScript")) {
+                        if (!isSandbox(scriptSource.getClass().getMethod("isSandbox",null).invoke(scriptSource))) {
+                            status = false;
+                        }
+                    }
+                } catch (Exception e) {
+                    LOG.log(Level.WARNING, "Exception " + e.getMessage(), e.getCause());
+                }
+            }
+        }
+        return status;
+    }
+
+    private boolean isSandboxParameters(List<ParameterDefinition> properties) {
+        boolean status = true;
+        for (ParameterDefinition property : properties) {
+            if (property.getClass().getName().endsWith("ChoiceParameter") ||
+                property.getClass().getName().endsWith("CascadeChoiceParameter") ||
+                property.getClass().getName().endsWith("DynamicReferenceParameter") ) {
+                LOG.log(Level.FINEST, "unochoice " + property);
+                try {
+                    Object scriptSource = property.getClass().getMethod("getScript",null).invoke(property);
+                    if (scriptSource.getClass().getName().endsWith("GroovyScript")) {
+                        Object script = scriptSource.getClass().getMethod("getScript", null).invoke(scriptSource);
+                        if (script != null && script.getClass().getName().endsWith("SecureGroovyScript")) {
+                            if (!isSandbox(script.getClass().getMethod("isSandbox", null).invoke(script))) {
+                                status = false;
+                            }
+                        }
+                    }
+                } catch (Exception e) {
+                    LOG.log(Level.WARNING, "Exception " + e.getMessage(), e.getCause());
+                }
+            }
+        }
+        return status;
+    }
+
+    private boolean isSandbox(Object command) {
+        boolean status = false;
+        if (command instanceof Boolean) {
+            status = ((Boolean) command).booleanValue();
+        }
+        return status;
+    }
 }
diff --git a/src/main/java/org/jenkins/ci/plugins/jenkinslint/check/SandboxChecker.java b/src/main/java/org/jenkins/ci/plugins/jenkinslint/check/SandboxChecker.java