[FIXED JENKINS-50470] Treat someList.someField as spread.

See upstream PR at jenkinsci/groovy-sandbox#46, but the gist is that Groovy's normal behavior for this is to treat it the same as we do spread cases - iterate over the list to get the value from each object in the list and return the resulting list.
jenkinsci · Mar 29, 2018 · f7601ab · f7601ab
1 parent 858f1bf
commit f7601ab
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 2 deletions.
diff --git a/pom.xml b/pom.xml
@@ -48,7 +48,7 @@
     <dependency>
       <groupId>org.kohsuke</groupId>
       <artifactId>groovy-sandbox</artifactId>
-      <version>1.18</version>
+      <version>1.19-20180329.140543-1</version> <!-- TODO: https://github.com/jenkinsci/groovy-sandbox/pull/46 -->
       <exclusions>
         <exclusion>
           <groupId>org.codehaus.groovy</groupId>

diff --git a/...test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java b/...test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java
@@ -1044,4 +1044,40 @@ public void checkedCastWhenAssignable() throws Exception {
                 "one",
                 nacl + " foo = new " + nacl + "(true, false); return foo.join('')");
 
-    }}
+    }
+
+    public static class SimpleNamedBean {
+        private String name;
+
+        @Whitelisted
+        public SimpleNamedBean(String n) {
+            this.name = n;
+        }
+
+        @Whitelisted
+        public String getName() {
+            return name;
+        }
+
+        // This is not whitelisted for test purposes to be sure we still do checks.
+        public String getOther() {
+            return name;
+        }
+    }
+
+    @Issue("JENKINS-50470")
+    @Test
+    public void checkedGetPropertyOnCollection() throws Exception {
+        String snb = SimpleNamedBean.class.getName();
+
+        // Before JENKINS-50470 fix, this would error out on "unclassified field java.util.ArrayList name"
+        assertEvaluate(new AnnotatedWhitelist(), Arrays.asList("a", "b", "c"),
+                "def l = [new " + snb + "('a'), new " + snb +"('b'), new " + snb + "('c')]\n" +
+                        "return l.name\n");
+
+        // We should still be calling checkedGetProperty properly for the objects within the collection.
+        assertRejected(new AnnotatedWhitelist(), "method org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptorTest$SimpleNamedBean getOther",
+                "def l = [new " + snb + "('a'), new " + snb +"('b'), new " + snb + "('c')]\n" +
+                        "return l.other\n");
+    }
+}