On Tue, Apr 29, 2014 at 8:33 AM, Slide <[email protected]> wrote:
> Does this plugin support passing classpath info for the Groovy scripts?

Yes, it should. SecureGroovyScript.evaluate allows a ClassLoader to be specified. Or you can always make your own GroovyShell for more control.

I have not studied this in the context of security, though. There might be a way for users to “spoof” otherwise safe methods by controlling the classpath. Probably this is not possible in the case of sandboxed scripts so long as the ClassLoader uses normal parent-first delegation, since whitelist lookups should be done on the actual target class. I am less sure about whether innocent-looking scripts sent for whole-script approval could secretly be using spoofed APIs just by adding crafted elements to the classpath; unlike Java, Groovy has a lot of tricky ways of doing something other than what it appears to be doing.

Until the question has been investigated I would not recommend permitting users to add custom classpath elements: i.e., something other than PluginManager.uberClassLoader plus perhaps some plugin-provided utility JARs.
