Merge branch 'master' of github.com:jenkinsci/pipeline-groovy-lib-plu…
…gin into feature/include-versions-caching
rsandell committed Aug 28, 2023
2 parents b1b6712 + 07c339c commit 884f777
Showing 22 changed files with 700 additions and 294 deletions.
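--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @jenkinsci/pipeline-groovy-lib-plugin-developers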
1 change: 0 additions & 1 deletion .github/release-drafter.yml

This file was deleted.

2 changes: 1 addition & 1 deletion .mvn/extensions.xml
@@ -2,6 +2,6 @@
<extension>
<groupId>io.jenkins.tools.incrementals</groupId>
<artifactId>git-changelist-maven-extension</artifactId>
<version>1.4</version>
<version>1.7</version>
</extension>
</extensions>
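--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -1,5 +1,6 @@
-buildPlugin(useContainerAgent: true, configurations: [
-[ platform: "linux", jdk: "8" ],
-[ platform: "windows", jdk: "8" ],
-[ platform: "linux", jdk: "11" ]
+buildPlugin(
+useContainerAgent: true,
+configurations: [
+[platform: 'linux', jdk: 17],
+[platform: 'windows', jdk: 11],
 ])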
24 changes: 17 additions & 7 deletions pom.xml
@@ -28,7 +28,7 @@
<parent>
<groupId>org.jenkins-ci.plugins</groupId>
<artifactId>plugin</artifactId>
<version>4.44</version>
<version>4.71</version>
<relativePath/>
</parent>
<groupId>io.jenkins.plugins</groupId>
@@ -44,7 +44,7 @@
</license>
</licenses>
<scm>
<connection>scm:git:git://github.com/${gitHubRepo}.git</connection>
<connection>scm:git:https://github.com/${gitHubRepo}.git</connection>
<developerConnection>scm:git:[email protected]:${gitHubRepo}.git</developerConnection>
<url>https://github.com/${gitHubRepo}</url>
<tag>${scmTag}</tag>
@@ -63,15 +63,15 @@
</pluginRepositories>
<properties>
<changelist>999999-SNAPSHOT</changelist>
<jenkins.version>2.289.3</jenkins.version>
<jenkins.version>2.361.4</jenkins.version>
<gitHubRepo>jenkinsci/${project.artifactId}-plugin</gitHubRepo>
</properties>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>io.jenkins.tools.bom</groupId>
<artifactId>bom-2.289.x</artifactId>
<version>1500.ve4d05cd32975</version>
<artifactId>bom-2.361.x</artifactId>
<version>1883.vcb_768a_7c3610</version>
<scope>import</scope>
<type>pom</type>
</dependency>
@@ -82,7 +82,7 @@
<dependency>
<groupId>org.apache.ivy</groupId>
<artifactId>ivy</artifactId>
<version>2.5.0</version>
<version>2.5.1</version>
</dependency>

<!-- required plugins -->
@@ -190,6 +190,16 @@
<groupId>org.jenkins-ci.plugins</groupId>
<artifactId>subversion</artifactId>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.apache.sshd</groupId>
<artifactId>sshd-common</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.sshd</groupId>
<artifactId>sshd-core</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.jenkins-ci.plugins</groupId>
@@ -200,7 +210,7 @@
<dependency>
<groupId>org.tmatesoft.svnkit</groupId>
<artifactId>svnkit-cli</artifactId>
<version>1.10.7</version>
<version>1.10.10</version>
<scope>test</scope>
</dependency>
</dependencies>
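Review bot: The new `<exclusions>` block on the test-scoped `subversion` dependency has no comment saying why `sshd-common` and `sshd-core` are dropped, so a later BOM or plugin bump gives no hint whether the exclusion is still needed or is now hiding a missing class at test time. A short XML comment above the block would record the intent, for example `<!-- exclude sshd-* pulled in via subversion: <reason>; revisit when <condition> -->`. The explicitly versioned `ivy` 2.5.1 entry appears to sit outside the imported BOM, so it will need a manual bump for later fix releases; a one-line comment saying so would help whoever next touches this file.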
45 changes: 42 additions & 3 deletions src/main/java/org/jenkinsci/plugins/workflow/libs/LibraryStep.java
@@ -59,6 +59,7 @@
import java.util.logging.Logger;
import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.NonNull;
import groovy.lang.MissingPropertyException;
import javax.inject.Inject;
import jenkins.model.Jenkins;
import jenkins.scm.impl.SingleSCMSource;
@@ -75,6 +76,8 @@
import org.jenkinsci.plugins.workflow.steps.StepContextParameter;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.DoNotUse;
import org.kohsuke.groovy.sandbox.GroovyInterceptor;
import org.kohsuke.groovy.sandbox.impl.Checker;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
@@ -270,11 +273,15 @@ public static final class LoadedClasses extends GroovyObjectSupport implements S
if (clazz != null) {
// Field access?
try {
// not doing a Whitelist check since GroovyClassLoaderWhitelist would be allowing it anyway
if (isSandboxed()) {
return Checker.checkedGetAttribute(loadClass(prefix + clazz), false, false, property);
}
return loadClass(prefix + clazz).getField(property).get(null);
} catch (NoSuchFieldException x) {
} catch (MissingPropertyException | NoSuchFieldException x) {
// guessed wrong
} catch (IllegalAccessException x) {
} catch (SecurityException x) {
throw x;
} catch (Throwable x) {
throw new GroovyRuntimeException(x);
}
}
@@ -284,6 +291,8 @@ public static final class LoadedClasses extends GroovyObjectSupport implements S
loadClass(prefix + fullClazz);
// OK, class really exists, stash it and await methods
return new LoadedClasses(library, trusted, changelog, prefix, fullClazz, srcUrl);
} else if (clazz != null) {
throw new MissingPropertyException(property, loadClass(prefix + clazz));
} else {
// Still selecting package components.
return new LoadedClasses(library, trusted, changelog, prefix + property + '.', null, srcUrl);
@@ -293,13 +302,43 @@ public static final class LoadedClasses extends GroovyObjectSupport implements S
@Override public Object invokeMethod(String name, Object _args) {
Class<?> c = loadClass(prefix + clazz);
Object[] args = _args instanceof Object[] ? (Object[]) _args : new Object[] {_args}; // TODO why does Groovy not just pass an Object[] to begin with?!
if (isSandboxed()) {
try {
if (name.equals("new")) {
return Checker.checkedConstructor(c, args);
} else {
return Checker.checkedStaticCall(c, name, args);
}
} catch (SecurityException x) {
throw x;
} catch (Throwable x) {
throw new GroovyRuntimeException(x);
}
}
if (name.equals("new")) {
return InvokerHelper.invokeConstructorOf(c, args);
} else {
return InvokerHelper.invokeStaticMethod(c, name, args);
}
}

/**
* Check whether the current thread has at least one active {@link GroovyInterceptor}.
* <p>
* Typically, {@code GroovyClassLoaderWhitelist} will allow access to everything defined in a class in a
* library, but there are some synthetic constructors, fields, and methods which should not be accessible.
* <p>
* As a result, when getting properties or invoking methods using this class, we need to apply sandbox
* protection if the Pipeline code performing the operation is sandbox-transformed. Unfortunately, it is
* difficult to detect that case specifically, so we instead intercept all calls if the Pipeline itself is
* sandboxed. This results in a false positive {@code RejectedAccessException} being thrown if a trusted
* library uses the {@code library} step and tries to access static fields or methods that are not permitted to
* be used in the sandbox.
*/
private static boolean isSandboxed() {
return !GroovyInterceptor.getApplicableInterceptors().isEmpty();
}

// TODO putProperty for static field set

private Class<?> loadClass(String name) {
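Review bot: The `catch (Throwable x)` arms in the sandboxed branches of `getProperty` and `invokeMethod` wrap every `Error` and every non-security `RuntimeException` in `GroovyRuntimeException`. An `OutOfMemoryError` or an `IllegalArgumentException` raised under the `Checker` call therefore reaches Pipeline code as an ordinary catchable exception of a different type. Only checked throwables need wrapping, so the rethrow arm could be widened to `} catch (RuntimeException | Error x) { throw x; }`, which still passes the sandbox rejection (a `SecurityException`) through untouched. Separately, the reflective `getField(property).get(null)` and `InvokerHelper` calls remain the fall-through whenever `isSandboxed()` returns false. A comment at each fall-through, such as `// unchecked on purpose: reached only when no GroovyInterceptor is active on this thread`, would make that fail-open condition explicit for the next reader. Both methods begin outside the visible hunks.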