JENKINS-43637 Secures groovy script execution
Daniel Heid authored and Daniel Heid committed Oct 27, 2017
1 parent 3b4172f commit a6e82ab
Showing 1 changed file with 10 additions and 6 deletions.
@@ -1,6 +1,6 @@
package org.jenkinsci.plugins.postbuildscript.service;

import groovy.lang.GroovyShell;
import groovy.lang.Binding;
import hudson.EnvVars;
import hudson.FilePath;
import hudson.Launcher;
@@ -14,6 +14,7 @@
import jenkins.security.SlaveToMasterCallable;
import org.jenkinsci.plugins.postbuildscript.PostBuildScriptException;
import org.jenkinsci.plugins.postbuildscript.PostBuildScriptLog;
import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript;

import java.io.File;
import java.io.IOException;
@@ -129,11 +130,14 @@ public boolean performGroovyScript(final FilePath workspace, final String script
public Boolean call() throws Throwable {
final String groovyExpressionResolved = Util.replaceMacro(scriptContent, EnvVars.masterEnvVars);
log.info(String.format("Evaluating the groovy script: \n %s", scriptContent));
GroovyShell shell = new GroovyShell();
shell.setVariable("workspace", new File(workspace.getRemote()));
shell.setVariable("log", log);
shell.setVariable("out", log.getListener().getLogger());
shell.evaluate(groovyExpressionResolved);
Binding binding = new Binding();
binding.setVariable("workspace", new File(workspace.getRemote()));
binding.setVariable("log", log);
binding.setVariable("out", log.getListener().getLogger());
ClassLoader classLoader = getClass().getClassLoader();
SecureGroovyScript script = new SecureGroovyScript(groovyExpressionResolved, false, null);
script.configuringWithNonKeyItem();
script.evaluate(classLoader, binding);
return true;
}
});
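Review bot: In `call()`, `new SecureGroovyScript(groovyExpressionResolved, false, null)` runs the script without the sandbox, so whole-script approval is the only control left, and `script.configuringWithNonKeyItem()` requests that approval at build time on text that has already passed through `Util.replaceMacro`. What gets approved is therefore the macro-expanded source: environment values are spliced into the executed code, and a changed master variable presumably produces a different script that needs fresh approval. script-security's `configuring*` methods are meant to be called when the configuration is saved, so the request reflects the user who wrote the script; I would build the object there from the unexpanded text, `new SecureGroovyScript(scriptContent, false, null)`, and pass environment values to the script through `binding` instead. A comment above `script.evaluate(classLoader, binding)` such as `// throws if the script has not been approved by an administrator` would also help, since the error handling is not visible here; `performGroovyScript` starts and ends outside this hunk.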