Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Base64 whitelists did not work due to use of canonical rather than binary name #339

Merged
merged 1 commit into from
May 18, 2021
Merged

Base64 whitelists did not work due to use of canonical rather than binary name #339

merged 1 commit into from
May 18, 2021

Conversation

jglick
Copy link
Member

@jglick jglick commented Apr 29, 2021

Mistake in #309/#310.

@jglick jglick added the bug label Apr 29, 2021
@jglick jglick mentioned this pull request Apr 29, 2021
Merged
@jglick
Copy link
Member Author

jglick commented Apr 29, 2021

This plugin might be a good candidate for JEP-229:

  • no end-user functionality, nobody should look at version number
  • frequent little fixes & enhancements
  • history of absentee maintainers (not sure about now)

dwnusbaum
dwnusbaum reviewed Apr 30, 2021
View reviewed changes
src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/EnumeratingWhitelist.java
Comment on lines +221 to 222
// TODO this should be more strict: binary name is required for nested classes
return ClassUtils.getClass(name);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we could add an assertion here so that any issues with the static whitelists will cause the plugin's tests to fail?

Suggested change
// TODO this should be more strict: binary name is required for nested classes
return ClassUtils.getClass(name);
Class<?> clazz = ClassUtils.getClass(name);
assert clazz.getName().equals(name); // The whitelists require binary names, but ClassUtils allows various syntaxes.
return clazz;

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well that would basically be the same as

Suggested change
// TODO this should be more strict: binary name is required for nested classes
return ClassUtils.getClass(name);
return Class.forName(name);

which will not work (AFAIK) because name is sometimes something like int or Object[]. We want to enforce use of binary name on the actual class name portion of the string, while still processing special syntaxes that ClassUtils supports. I spent a few minutes thinking about it and did not come up with a simple fix so I moved on.

@rsandell rsandell merged commit b7f44c4 into jenkinsci:master May 18, 2021
@jglick jglick deleted the Base64 branch May 18, 2021 17:10
jglick added a commit to jglick/file-parameters-plugin that referenced this pull request May 27, 2021
@jglick
jenkinsci/script-security-plugin#339 already in bom
9778897
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dwnusbaum dwnusbaum dwnusbaum approved these changes

@daniel-beck daniel-beck daniel-beck approved these changes

@car-roll car-roll car-roll approved these changes

@bitwiseman bitwiseman Awaiting requested review from bitwiseman

Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@jglick @dwnusbaum @daniel-beck @car-roll @rsandell