script-security-plugin
[JENKINS-42214] SandboxInterceptor must account for static members being accessed via objects instead of class references
See JENKINS-42214. Fixing the issue going forward is easy enough, but I need to check the upgrade behavior for existing field signatures in their scriptApproval.xml that would be considered invalid after this change.
Rebuilding.
Also, I checked the behavior for cases where users have an invalid approved signature in their scriptApproval.xml. Previously, the behavior was wrong, but it was wrong both when checking the signature against allowlists and when reporting the rejection, so things worked fine as long as you had assertions disabled. If you approved some invalid signature before this update, then after this update you will need to approve the correct signature.
We could check Signature.exists during deserialization and try to migrate existing signatures that hit this case, but I'm not sure that the complexity is worth it for what is probably an uncommon case. I think it should be good enough to mention that you may need to approve some signatures after the update in the release notes.
Rebuilding
BTW Re-run from Checks should work.
> I think it should be good enough to mention that you may need to approve some signatures after the update in the release notes.
Agreed
> BTW Re-run from Checks should work.
Hmm, it never seems to work for me. I will try that next time though.