[JENKINS-26481] When delegating to DefaultGroovyMethods, check the wh…

…itelist against that method, but then do not interfere with actual call processing.
jenkinsci · Apr 3, 2016 · db50903 · db50903
1 parent 0867352
commit db50903
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 3 deletions.
diff --git a/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptor.java b/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptor.java
@@ -78,8 +78,13 @@ final class SandboxInterceptor extends GroovyInterceptor {
             selfArgs[0] = receiver;
             System.arraycopy(args, 0, selfArgs, 1, args.length);
             for (Class<?> dgmClass : DGM_CLASSES) {
-                if (GroovyCallSiteSelector.staticMethod(dgmClass, method, selfArgs) != null) {
-                    return onStaticCall(invoker, dgmClass, method, selfArgs);
+                Method dgmMethod = GroovyCallSiteSelector.staticMethod(dgmClass, method, selfArgs);
+                if (dgmMethod != null) {
+                    if (whitelist.permitsStaticMethod(dgmMethod, selfArgs)) {
+                        return super.onMethodCall(invoker, receiver, method, args);
+                    } else {
+                        throw StaticWhitelist.rejectStaticMethod(dgmMethod);
+                    }
                 }
             }
 

diff --git a/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist b/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist
@@ -1,3 +1,6 @@
+# groovy-cps
+staticMethod com.cloudbees.groovy.cps.CpsDefaultGroovyMethods each java.util.Iterator groovy.lang.Closure
+
 # Groovy:
 staticMethod groovy.json.JsonOutput prettyPrint java.lang.String
 staticMethod groovy.json.JsonOutput toJson groovy.lang.Closure
@@ -84,6 +87,8 @@ method java.util.Collection add java.lang.Object
 method java.util.Collection contains java.lang.Object
 method java.util.Collection size
 new java.util.Date long
+method java.util.Iterator hasNext
+method java.util.Iterator next
 method java.util.List get int
 staticField java.util.Locale CANADA
 staticField java.util.Locale CANADA_FRENCH
@@ -153,6 +158,7 @@ staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods tokenize java.lang
 staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods tokenize java.lang.String java.lang.Character
 staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods tokenize java.lang.String java.lang.String
 staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods xor java.lang.Boolean java.lang.Boolean
+staticMethod org.codehaus.groovy.runtime.InvokerHelper asIterator java.lang.Object
 staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter compareEqual java.lang.Object java.lang.Object
 staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter compareGreaterThan java.lang.Object java.lang.Object
 staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter compareGreaterThanEqual java.lang.Object java.lang.Object

diff --git a/...est/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/StaticWhitelistTest.java b/...est/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/StaticWhitelistTest.java
@@ -64,7 +64,11 @@ static void sanity(URL definition) throws Exception {
         }
         assertEquals("entries in " + definition + " should be sorted and unique", new TreeSet<EnumeratingWhitelist.Signature>(sigs).toString(), sigs.toString());
         for (EnumeratingWhitelist.Signature sig : sigs) {
-            assertTrue(sig + " does not exist (or is an override)", sig.exists());
+            try {
+                assertTrue(sig + " does not exist (or is an override)", sig.exists());
+            } catch (ClassNotFoundException x) {
+                System.err.println("Cannot check validity of `" + sig + "` since the class is not loadable");
+            }
         }
     }