From cdf1929e859c38379be5fca900aa63485141c340 Mon Sep 17 00:00:00 2001 From: Orygeunik Date: Wed, 29 Jan 2020 00:23:33 +0300 Subject: [PATCH 1/7] Adding to whitelist Math.Abs --- .../scriptsecurity/sandbox/whitelists/generic-whitelist | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist b/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist index 437525015..053e4a917 100644 --- a/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist +++ b/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist @@ -94,6 +94,14 @@ staticMethod java.lang.Math min double double staticMethod java.lang.Math min float float staticMethod java.lang.Math min int int staticMethod java.lang.Math min long long +# Not actual because this not fixed +# https://github.com/jenkinsci/script-security-plugin/blob/32aa07cf1019a6724c9251e9d0789e67cbaaca6a/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptor.java#L181 +# staticMethod java.lang.Math abs byte +# staticMethod java.lang.Math abs short +staticMethod java.lang.Math abs int +staticMethod java.lang.Math abs long +staticMethod java.lang.Math abs float +staticMethod java.lang.Math abs double method java.lang.Number byteValue method java.lang.Number doubleValue method java.lang.Number floatValue From b1a9fe9669b22b4e61ae21163b3d73c3d3ca6ed8 Mon Sep 17 00:00:00 2001 From: Orygeunik Date: Wed, 29 Jan 2020 01:34:22 +0300 Subject: [PATCH 2/7] Adding to whitelist Math.Ceil --- .../scriptsecurity/sandbox/whitelists/generic-whitelist | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist b/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist index 053e4a917..97e5b9f51 100644 
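Review bot: The commented-out `# staticMethod java.lang.Math abs byte` / `abs short` lines name overloads that `java.lang.Math` does not declare — `abs` exists only for `int`, `long`, `float` and `double` — so together with the wording `# Not actual because this not fixed` and a commit-pinned link they leave the next maintainer unable to tell whether anything is outstanding; the `ceil` and `floor` hunks of patches 2 and 3 repeat the pattern with `int`/`long`/`float` pseudo-entries for methods that take only a `double`. If the point is that narrower arguments reaching these signatures are not yet resolved by the sandbox's widening lookup (which is presumably what the linked interceptor line concerns), state that in words and drop the pseudo-entries, e.g. `# Math.abs has no byte/short overloads; narrower integer arguments widen to the int entry below`. A comment shaped like a whitelist line invites being uncommented later, which would either enable nothing or, in a loader that validates signatures, break the build.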
--- a/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist +++ b/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist @@ -102,6 +102,12 @@ staticMethod java.lang.Math abs int staticMethod java.lang.Math abs long staticMethod java.lang.Math abs float staticMethod java.lang.Math abs double +# Not actual because this not fixed +# https://github.com/jenkinsci/script-security-plugin/blob/32aa07cf1019a6724c9251e9d0789e67cbaaca6a/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptor.java#L181 +# staticMethod java.lang.Math ceil int +# staticMethod java.lang.Math ceil long +# staticMethod java.lang.Math ceil float +staticMethod java.lang.Math ceil double method java.lang.Number byteValue method java.lang.Number doubleValue method java.lang.Number floatValue From aa1780121888296913b1adaf3b77f511ab782656 Mon Sep 17 00:00:00 2001 From: Orygeunik Date: Wed, 29 Jan 2020 01:35:22 +0300 Subject: [PATCH 3/7] Adding to whitelist Math.Floor --- .../scriptsecurity/sandbox/whitelists/generic-whitelist | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist b/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist index 97e5b9f51..c4467eead 100644 --- a/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist +++ b/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist 
@@ -108,6 +108,12 @@ staticMethod java.lang.Math abs double # staticMethod java.lang.Math ceil long # staticMethod java.lang.Math ceil float staticMethod java.lang.Math ceil double +# Not actual because this not fixed +# https://github.com/jenkinsci/script-security-plugin/blob/32aa07cf1019a6724c9251e9d0789e67cbaaca6a/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptor.java#L181 +# staticMethod java.lang.Math floor int +# staticMethod java.lang.Math floor long +# staticMethod java.lang.Math floor float +staticMethod java.lang.Math floor double method java.lang.Number byteValue method java.lang.Number doubleValue method java.lang.Number floatValue From 8e26930f9011edd0bc29917752474c306cec8997 Mon Sep 17 00:00:00 2001 From: Orygeunik Date: Wed, 29 Jan 2020 02:41:40 +0300 Subject: [PATCH 4/7] Adding to whitelist methods for work with arraylist --- .../scriptsecurity/sandbox/whitelists/generic-whitelist | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist b/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist index c4467eead..7cd8679ac 100644 --- a/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist +++ b/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist @@ -280,6 +280,7 @@ staticField java.time.format.DateTimeFormatter ISO_WEEK_DATE staticField java.time.format.DateTimeFormatter ISO_ZONED_DATE_TIME staticField java.time.format.DateTimeFormatter RFC_1123_DATE_TIME staticMethod java.time.format.DateTimeFormatter ofPattern java.lang.String +new java.util.ArrayList new java.util.ArrayList java.util.Collection staticMethod java.util.Arrays asList java.lang.Object[] staticMethod java.util.Arrays toString java.lang.Object[] 
@@ -420,6 +421,8 @@ method java.util.List add int java.lang.Object method java.util.List get int method java.util.List remove int method java.util.List subList int int +method java.util.List set int java.lang.Object +method java.util.List sort java.util.Comparator staticField java.util.Locale CANADA staticField java.util.Locale CANADA_FRENCH staticField java.util.Locale CHINESE @@ -678,6 +681,7 @@ staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.util.Li staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.util.Map java.lang.Object staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.util.regex.Matcher int staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getChars java.lang.String +staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods grep java.util.List java.lang.Object staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods groupBy java.lang.Iterable groovy.lang.Closure staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods groupBy java.lang.Iterable java.lang.Object[] staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods groupBy java.lang.Object[] groovy.lang.Closure 
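Review bot: `method java.util.List set int java.lang.Object` and `method java.util.List sort java.util.Comparator` are appended after `subList`, although the surrounding `java.util.List` entries (`add`, `get`, `remove`, `subList`) are kept sorted; placing them between `remove int` and `subList int int` keeps the file greppable and makes duplicate entries easier to spot. The same applies to `removeElement` in this patch's `@@ -804` hunk, which is inserted ahead of `removeAll`, and to the `java.lang.Long` block in patch 7, which sits between the `Boolean` and `CharSequence` entries rather than after `java.lang.Integer`. The methods whitelisted here are plain collection operations and appear to add no new sandbox exposure.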
@@ -722,12 +726,14 @@ staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods leftShift java.uti staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods leftShift java.util.Set java.lang.Object staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods max java.lang.Iterable groovy.lang.Closure staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods max java.lang.Object[] groovy.lang.Closure +staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods max java.util.Collection staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods max java.util.Collection groovy.lang.Closure staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods max java.util.Iterator groovy.lang.Closure staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods max java.util.Map groovy.lang.Closure staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods min java.lang.Iterable groovy.lang.Closure staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods min java.lang.Object[] groovy.lang.Closure staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods min java.util.Collection groovy.lang.Closure +staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods min java.util.Collection java.util.Comparator staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods min java.util.Iterator groovy.lang.Closure staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods min java.util.Map groovy.lang.Closure staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods minus java.lang.Character java.lang.Character 
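Review bot: `max java.util.Collection` and `min java.util.Collection java.util.Comparator` are added without their mirrors, so unless they are whitelisted elsewhere in the file a script calling `list.min()` or `list.max(comparator)` is still rejected while the symmetric call is allowed; either add `staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods max java.util.Collection java.util.Comparator` and `staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods min java.util.Collection`, or say in the commit message why only this half is needed. Both overloads exist in `DefaultGroovyMethods` and, like the `Closure` variants already present in the context, are side-effect-free.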
@@ -804,6 +810,7 @@ staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods push java.util.Lis staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods putAll java.util.Map java.util.Collection staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods putAt java.util.List int java.lang.Object staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods putAt java.util.Map java.lang.Object java.lang.Object +staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods removeElement java.util.Collection java.lang.Object staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods removeAll java.util.Collection groovy.lang.Closure staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods retainAll java.util.Collection groovy.lang.Closure staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods reverse java.util.Iterator @@ -900,6 +907,7 @@ staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods toSorted java.util staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods toSorted java.util.Map java.util.Comparator staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods toSorted java.util.SortedMap staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods toSorted java.util.SortedSet +staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods toUnique java.util.List groovy.lang.Closure staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods tokenize java.lang.String staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods tokenize java.lang.String java.lang.Character staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods tokenize java.lang.String java.lang.String From 6111cae92122fe28ed666c2d77939a2193cb08d7 Mon Sep 17 00:00:00 2001 From: Orygeunik Date: Thu, 30 Jan 2020 01:53:22 +0300 Subject: [PATCH 5/7] Adding to whitelist methods of "collection to array" --- .../plugins/scriptsecurity/sandbox/whitelists/generic-whitelist | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist b/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist index 7cd8679ac..567e81ef4 100644 --- a/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist +++ b/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist @@ -334,6 +334,8 @@ method java.util.Collection remove java.lang.Object method java.util.Collection removeAll java.util.Collection method java.util.Collection retainAll java.util.Collection method java.util.Collection size +method java.util.Collection toArray +method java.util.Collection toArray java.lang.Object[] staticMethod java.util.Collections addAll java.util.Collection java.lang.Object[] staticMethod java.util.Collections asLifoQueue java.util.Deque staticMethod java.util.Collections binarySearch java.util.List java.lang.Object From a2061b4dc65f3e892260f522f6a0167495de2fe2 Mon Sep 17 00:00:00 2001 From: Orygeunik Date: Thu, 30 Jan 2020 01:54:39 +0300 Subject: [PATCH 6/7] Adding to whitelist methods of "regex magic" --- .../scriptsecurity/sandbox/whitelists/generic-whitelist | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist b/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist index 567e81ef4..a086e1180 100644 --- a/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist +++ b/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist 
@@ -490,6 +490,7 @@ method java.util.regex.MatchResult start method java.util.regex.MatchResult start int method java.util.regex.Matcher appendReplacement java.lang.StringBuffer java.lang.String method java.util.regex.Matcher appendTail java.lang.StringBuffer +method java.util.regex.Matcher find method java.util.regex.Matcher hasAnchoringBounds method java.util.regex.Matcher hasTransparentBounds method java.util.regex.Matcher hitEnd @@ -682,6 +683,7 @@ staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.util.Li staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.util.List java.util.Collection staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.util.Map java.lang.Object staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.util.regex.Matcher int +staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.util.regex.Matcher java.util.Collection staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getChars java.lang.String staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods grep java.util.List java.lang.Object staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods groupBy java.lang.Iterable groovy.lang.Closure @@ -829,6 +831,7 @@ staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods size int[] staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods size java.lang.Object[] staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods size java.lang.String staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods size java.lang.StringBuffer +staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods size java.util.regex.Matcher staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods size long[] staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods size short[] staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods sort java.lang.Iterable From 44ec724cad8b0099579a29dfe57f90c35a9171c5 Mon Sep 17 00:00:00 2001 
From: Orygeunik Date: Thu, 30 Jan 2020 01:56:07 +0300 Subject: [PATCH 7/7] Adding to whitelist some methods of work with long --- .../sandbox/whitelists/generic-whitelist | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist b/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist index a086e1180..5609245a8 100644 --- a/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist +++ b/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist 
@@ -69,17 +69,45 @@ new java.lang.Boolean java.lang.String staticMethod java.lang.Boolean parseBoolean java.lang.String staticMethod java.lang.Boolean valueOf boolean staticMethod java.lang.Boolean valueOf java.lang.String + +staticMethod java.lang.Long bitCount long +staticMethod java.lang.Long compare long long +staticMethod java.lang.Long decode java.lang.String +staticMethod java.lang.Long getLong java.lang.String +staticMethod java.lang.Long getLong java.lang.String long +staticMethod java.lang.Long highestOneBit long +staticMethod java.lang.Long lowestOneBit long +staticMethod java.lang.Long numberOfLeadingZeros long +staticMethod java.lang.Long numberOfTrailingZeros long +staticMethod java.lang.Long parseLong java.lang.String +staticMethod java.lang.Long parseLong java.lang.String int +staticMethod java.lang.Long reverse long +staticMethod java.lang.Long reverseBytes long +staticMethod java.lang.Long rotateLeft long int +staticMethod java.lang.Long rotateRight long int +staticMethod java.lang.Long signum long +staticMethod java.lang.Long toBinaryString long +staticMethod java.lang.Long toHexString long +staticMethod java.lang.Long toOctalString long +staticMethod java.lang.Long toString long +staticMethod java.lang.Long valueOf java.lang.String +staticMethod java.lang.Long valueOf java.lang.String int +staticMethod java.lang.Long valueOf long + method java.lang.CharSequence charAt int method java.lang.CharSequence length method java.lang.Class getName method java.lang.Class getSimpleName method java.lang.Class isInstance java.lang.Object method java.lang.Comparable compareTo java.lang.Object +method java.lang.Long valueOf java.lang.String int new java.lang.Enum java.lang.String int method java.lang.Enum name method java.lang.Enum ordinal new java.lang.Exception java.lang.String staticField java.lang.Integer MAX_VALUE +new java.lang.Long long +new java.lang.Long java.lang.String # could add valueOf, though currently the staticField’s need to be whitelisted, 
which is the more likely use case staticMethod java.lang.Integer parseInt java.lang.String staticMethod java.lang.Integer parseInt java.lang.String int
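Review bot: `staticMethod java.lang.Long getLong java.lang.String` and `staticMethod java.lang.Long getLong java.lang.String long` do not belong in the generic whitelist: `Long.getLong` looks up a JVM system property by name, so a sandboxed script could read, or probe the existence of, any numeric property of the JVM running it — a different category from the pure parsing and bit-manipulation helpers around it; drop those two lines. `method java.lang.Long valueOf java.lang.String int` is a second, mis-declared copy of the `staticMethod ... valueOf java.lang.String int` entry above it (`valueOf` is static) and is placed among the `Comparable`/`Enum` lines; remove it, since a loader that checks signatures may reject an instance-method entry that does not exist. `new java.lang.Long long` and `new java.lang.Long java.lang.String` duplicate `valueOf`, and these boxed constructors have been deprecated since Java 9, so they are better left out. The block as a whole would also be easier to find after the `java.lang.Integer` entries, where the file's ordering leads a reader to look.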