whitelist replaceAll(pattern, String) #565

ysmaoui commented Apr 18, 2024

adding whitelisting for String.replaceAll(pattern, String)

Testing done

Submitter checklist

staticMethod org.codehaus.groovy.runtime.StringGroovyMethods replaceAll java.lang.String java.lang.String groovy.lang.Closure
staticMethod org.codehaus.groovy.runtime.StringGroovyMethods replaceAll java.lang.String java.util.regex.Pattern groovy.lang.Closure
staticMethod org.codehaus.groovy.runtime.StringGroovyMethods replaceAll java.lang.String java.util.regex.Pattern java.lang.String
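
Review bot: the last entry (`replaceAll java.lang.String java.util.regex.Pattern java.lang.String`), the one matching the PR title, comes with no test, and the "Testing done" section of the description is empty. A sandbox test that calls `replaceAll` on a `String` with a `Pattern` and a `String` replacement, and that is rejected without this line, would show the entry is actually needed.
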
Member

This is deprecated: https://github.com/apache/groovy/blob/GROOVY_2_4_21/src/main/org/codehaus/groovy/runtime/StringGroovyMethods.java#L2613-L2620

Since String implements CharSequence, the sandbox should not be calling this.

I would recommend adding unit tests demonstrating that an entry in this whitelist is actually required.

I suspect StaticWhitelistTest is failing to mechanically detect useless entries.

Member

🤷 Either way, should be harmless to allow it.

@dwnusbaum
Member

Note that these are not currently usable in Pipeline: https://github.com/jenkinsci/workflow-cps-plugin/blob/7141c520ff447a70876d806df9a6c159d12525c9/dgm-builder/src/main/resources/com/cloudbees/groovy/cps/tool/translatable.txt#L183-L186

I don't think they need to be translated because they don't have a Closure (or Comparator, etc.) parameter.

@jglick jglick requested a review from dwnusbaum August 13, 2024 18:24
@dwnusbaum dwnusbaum merged commit a70afe4 into jenkinsci:master Aug 13, 2024
14 checks passed