script-security-plugin

[JENKINS-42214] SandboxInterceptor must account for static members being accessed via objects instead of class references

Open dwnusbaum opened this issue 4 years ago • 4 comments

See JENKINS-42214. Fixing the issue going forward is easy enough, but I need to check the upgrade behavior for existing field signatures in their scriptApproval.xml that would be considered invalid after this change.

dwnusbaum avatar May 11 '20 19:05 dwnusbaum

Rebuilding.

Also, I checked the behavior for cases where users have an invalid approved signature in their scriptApproval.xml. Previously, the behavior was wrong, but it was wrong both when checking the signature against allowlists and when reporting the rejection, so things worked fine as long as you had assertions disabled. If you approved some invalid signature before this update, then after this update you will need to approve the correct signature.

We could check Signature.exists during deserialization and try to migrate existing signatures that hit this case, but I'm not sure that the complexity is worth it for what is probably an uncommon case. I think it should be good enough to mention that you may need to approve some signatures after the update in the release notes.

dwnusbaum avatar Oct 19 '22 17:10 dwnusbaum
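Added example, not part of this thread and not the plugin's own `Signature.exists` code: a small stand-alone audit that reads the `approvedSignatures` strings from a `scriptApproval.xml` and uses reflection to flag the mismatch the comment above describes, a member that is really static but was approved under the instance form (`method`/`field`), or the reverse, and prints the signature that should be approved instead. It assumes the signature grammar `kind owner name [paramType...]` with kinds `method`, `staticMethod`, `field`, `staticField`, that the file stores each signature as a `<string>` element under `<approvedSignatures>`, and it looks only at members declared directly on the named class (`getDeclaredMethod`/`getDeclaredField`), which is narrower than what the plugin itself resolves. The XML is a constructed sample, not a real Jenkins file.

```java
import java.lang.reflect.Array;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Audit (example code, not the plugin's): finds approved signatures whose
 * declared kind ("method" vs "staticMethod", "field" vs "staticField") does
 * not match the real member, so an admin knows which lines to re-approve.
 */
public class StaticSignatureAudit {

    // Constructed sample standing in for $JENKINS_HOME/scriptApproval.xml (assumed layout).
    static final String SAMPLE_XML = String.join("\n",
        "<scriptApproval>",
        "  <approvedSignatures>",
        "    <string>method java.lang.String toUpperCase</string>",
        "    <string>method java.lang.Math max int int</string>",        // static max, instance form
        "    <string>field java.lang.Integer MAX_VALUE</string>",        // static field, instance form
        "    <string>staticMethod java.lang.Math min int int</string>",
        "    <string>staticMethod java.lang.Math nosuch int</string>",   // does not exist at all
        "  </approvedSignatures>",
        "</scriptApproval>");

    static final Map<String, Class<?>> PRIMITIVES = new HashMap<>();
    static {
        for (Class<?> c : new Class<?>[] {int.class, long.class, short.class, byte.class,
                char.class, boolean.class, float.class, double.class}) {
            PRIMITIVES.put(c.getName(), c);
        }
    }

    /** Resolves a parameter type name as written in a signature: primitive, array or class. */
    static Class<?> loadType(String name) throws ClassNotFoundException {
        if (name.endsWith("[]")) {
            return Array.newInstance(loadType(name.substring(0, name.length() - 2)), 0).getClass();
        }
        Class<?> p = PRIMITIVES.get(name);
        return p != null ? p : Class.forName(name);
    }

    /** Pulls the approved signature strings out of the file; a regex is enough for this fixed layout. */
    static List<String> approvedSignatures(String xml) {
        List<String> out = new ArrayList<>();
        Matcher m = Pattern.compile("<string>([^<]+)</string>").matcher(xml);
        while (m.find()) {
            out.add(m.group(1).trim());
        }
        return out;
    }

    /**
     * Returns null when the signature's kind matches the real member; otherwise the
     * corrected signature to approve, or an "unresolvable" note if reflection fails.
     */
    static String audit(String sig) {
        String[] p = sig.split(" ");
        boolean isMethod = p[0].equals("method") || p[0].equals("staticMethod");
        boolean isField = p[0].equals("field") || p[0].equals("staticField");
        if (!isMethod && !isField) {
            return null; // constructors ("new ...") and other kinds are not audited here
        }
        boolean declaredStatic = p[0].startsWith("static");
        try {
            Class<?> owner = Class.forName(p[1]);
            boolean actuallyStatic;
            if (isMethod) {
                Class<?>[] params = new Class<?>[p.length - 3];
                for (int i = 3; i < p.length; i++) {
                    params[i - 3] = loadType(p[i]);
                }
                Method m = owner.getDeclaredMethod(p[2], params);
                actuallyStatic = Modifier.isStatic(m.getModifiers());
            } else {
                Field f = owner.getDeclaredField(p[2]);
                actuallyStatic = Modifier.isStatic(f.getModifiers());
            }
            if (declaredStatic == actuallyStatic) {
                return null;
            }
            String kind = isMethod ? (actuallyStatic ? "staticMethod" : "method")
                                   : (actuallyStatic ? "staticField" : "field");
            return kind + sig.substring(p[0].length()); // keep owner, name and params verbatim
        } catch (ReflectiveOperationException e) {
            return "unresolvable: " + e;
        }
    }

    public static void main(String[] args) {
        for (String sig : approvedSignatures(SAMPLE_XML)) {
            String verdict = audit(sig);
            System.out.println(verdict == null ? "ok      " + sig
                                               : "REVIEW  " + sig + "  ->  " + verdict);
        }
    }
}
```

Run with `javac StaticSignatureAudit.java && java StaticSignatureAudit`; the two instance-form lines for `Math.max` and `Integer.MAX_VALUE` come back as `REVIEW` with `staticMethod`/`staticField` replacements, and the nonexistent method is reported as unresolvable. Classes from plugins or the Jenkins core would need to be on the classpath for the reflection lookups to succeed.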

Rebuilding

BTW Re-run from Checks should work.

jglick avatar Oct 19 '22 17:10 jglick

> I think it should be good enough to mention that you may need to approve some signatures after the update in the release notes.

Agreed

jglick avatar Oct 19 '22 18:10 jglick

> BTW Re-run from Checks should work.

Hmm, it never seems to work for me. I will try that next time though.

dwnusbaum avatar Oct 19 '22 18:10 dwnusbaum