CHANGELOG.md

Changelog

Version 1.71

Release date: 2020-03-09

• Fix sandbox bypass vulnerability

Version 1.70

Release date: 2020-03-18

• Fix sandbox bypass vulnerability

Version 1.69

Release date: 2020-01-27

• Improvement: Add various methods to the default whitelist: (PR 280, PR 281, PR 283)
  • All remaining static methods in the java.util.Collections class
  • Groovy's List.getAt(Collection) extension method
  • Groovy's List.transpose() extension method
  • Integer.parse(String, int)
  • All of the fields in the java.time.DayOfWeek enum
• Internal: Add better logging for issues encountered in tests, update test-scope dependencies. (PR 279, PR 284)

Version 1.68

Release date: 2019-11-21

• Fix sandbox bypass vulnerability

Version 1.67

Release date: 2019-11-13

• Fix: Remove default whitelist entries that did not correspond to real signatures. (PR 268)
• Improvement: Add the following signatures to the generic whitelist:
  • Object[].getAt(IntRange)
  • All remaining methods in the java.util.regex package
  • Getters/setters on Date
  • Various extension methods defined in DateGroovyMethods
• Internal: Migrate Wiki content to GitHub. (PR 264)

Version 1.66

Release date: 2019-10-01

• JENKINS-59587 - Fix issue that caused a cache used by the class loader for sandboxed Groovy scripts to be cleared out by the garbage collector when it should not have been. This could lead to performance issues for complex sandboxed scripts.

Version 1.65

Release date: 2019-10-01

• Fix sandbox bypass vulnerability

Version 1.64

Release date: 2019-09-13

• JENKINS-57563 - Add support for configuring script approvals using Jenkins Configuration as Code Plugin.

Version 1.63

Release date: 2019-09-12

• Fix sandbox bypass security vulnerabilities

Version 1.62

Release date: 2019-07-31

• Fix sandbox bypass security vulnerabilities

Version 1.61

Release date: 2019-07-05

• JENKINS-56682 - Fix the use of script-level initializers in sandboxed Groovy scripts, which was a regression from version 1.54.
• JENKINS-47430 - Replace Guava cache used in for sandbox class loading with Caffeine to fix some performance issues and deadlocks.
• Add the following methods to the generic whitelist:
  • Number.times(Closure)
  • new PrintWriter(Writer)
  • Reader.read()
  • Reader.read(char[])
  • Reader.read(char[], int, int)
  • Reader.reset()
  • Reader.skip(long)
  • Writer.write(char[])
  • Writer.write(char[], int, int)
  • Writer.write(int)
  • Writer.write(String)
  • Writer.write(String, int, int)
  • Appendable.append(char)
  • Appendable.append(CharSequence)
  • Appendable.append(CharSequence, int, int)
  • AutoCloseable.close()
  • Flushable.flush()
  • new LinkedHashSet()
  • List.add(int, Object)
  • Matcher.find()
  • DefaultGroovyMethods.getAt(Object[], Range)
  • DefaultGroovyMethods.reverse(List)

Version 1.60

Release date: 2019-05-31

• SandboxResolvingClassLoader.parentClassCache could leak loaders in a different way (PR 253)

Version 1.59

Release date: 2019-04-18

• SandboxResolvingClassLoader.parentClassCache could leak loaders (PR 252)* JENKINS-57299 - Add the following method to the generic whitelist:
  • DefaultGroovyMethods.drop(Iterable, int)
  • DefaultGroovyMethods.drop(List, int)
  • DefaultGroovyMethods.dropRight(Iterable, int)
  • DefaultGroovyMethods.dropRight(List, int)
  • DefaultGroovyMethods.take(List, int)
  • DefaultGroovyMethods.takeRight(Iterable, int)
  • DefaultGroovyMethods.takeRight(List, int)

Version 1.58

Release date: 2019-04-18

• Always blockSystem.exit(int),Runtime#halt(int), andRuntime#exit(int)* JENKINS-34973 - Add script approvals from withintry/catchblocks.

Version 1.57

Release date: 2019-04-11

• Add the following methods to the generic whitelist:
  • Map.getOrDefault(Object, Object)
  • Map.putIfAbsent(Object, Object)
  • Map.replace(Object, Object)
  • Map.replace(Object, Object, Object)

Version 1.56

Release date: 2019-03-25

• Fix security issue

Version 1.55

Release date: 2019-03-18

• JENKINS-55303 - Internal: Update tests and test-scope dependencies so that the plugin can build with all tests passing on Java 11.

Version 1.54

Release date: 2019-03-06

• Fix security issue

Version 1.53

Release date: 2019-02-19

• Fix security issue

Version 1.52

Release date: 2019-02-13

• Add the following methods to the generic whitelist:
  • DateTimeFormatter.ofPattern(String)
  • Iterable.take(int)
  • List.subList(int, int)

Version 1.51

Release date: 2019-01-28

• Fix security issue

Version 1.50

Release date: 2019-01-08

• Fix security vulnerability

Version 1.49

Release date: 2018-11-30

• Make sure expensive log lines are only created if the appropriate logging level is enabled (PR #232)

• Add the following methods to the generic whitelist:

  • String#indexOf(int)
  • String#indexOf(int, int)
  • String#indexOf(String, int)
  • String#lastIndexOf(int)
  • String#lastIndexOf(int, int)
  • String#lastIndexOf(String, int)

Version 1.48

Release date: 2018-10-29

• Fix security issue

Version 1.47

Release date: 2018-10-17

• Add the following methods to the generic whitelist:
  • DefaultGroovyMethods#leftShift(Writer, Object)
  • Class#isInstance(Object)
  • Throwable#getCause()
  • Arrays#asList(Object[])
  • Matcher#group(String)
  • DefaultGroovyMethods#minus(List, Collection)
  • DefaultGroovyMethods#asBoolean(CharSequence)
  • Various methods in the java.timepackage
• Thanks, open source contributors TobiX, haridsv, kevinkjt2000!

Version 1.46

Release date: 2018-09-05

• JENKINS-53420 - FixMissingPropertyException when executing Pipeline steps.

Version 1.45

Release date: 2018-09-04

• JENKINS-50843 - Allow callingClosure elements of aMap as methods.

• JENKINS-51332 - WhitelistCalendar constants for days of the week and months (such asMONDAY andAPRIL).

• JENKINS-50906 - Allowthis.foo() for closure variables.

• Downgrade logging level for message about slow class loading increase threshold from 250ms to 1s.

• Add the following methods to the generic whitelist:

  • DefaultGroovyMethods#addAll(Collection, Object[])
  • DefaultGroovyMethods#asImmutable(Map)
  • DefaultGroovyMethods#flatten(List)
  • DefaultGroovyMethods#getAt(List, Range)
  • DefaultGroovyMethods#subMap(Map, Object[])
  • DefaultGroovyMethods#subMap(Map, Collection)

Version 1.44

Release date: 2018-04-27

• AddDefaultGroovyMethods.toLong(String)to the generic whitelist.
• JENKINS-50470 - fix handling ofArrayList.someField to behave as a spread operation.
• JENKINS-46882 - Addnew Exception(String) to generic whitelist.

Version 1.43

Release date: 2018-03-28

• AddDefaultGroovyMethods.collate methods to the generic whitelist.
• JENKINS-50380 - Stop going throughcheckedCast process for objects that can be assigned to the target class and just return them instead.
• AddCollection#remove(int) andList#remove(int) to the generic whitelist.
• AddDefaultGroovyMethods forsort,toSorted,unique,max,min, andabs to the generic whitelist. Note that using these (other thanabs) in Pipeline code will not work untilJENKINS-44924 is resolved.
• Slightly improved error messages replacingunclassified ... for cases where we couldn't find a method, field, constructor, etc matching the signature.

Version 1.42

Release date: 2018-03-12

• JENKINS-45982 - Fix an issue with callingsuper for a CPS-transformed method.
• JENKINS-49542 - addMap#isEmpty() to generic whitelist.
• Add DefaultGroovyMethods.multiply(String,Number),DefaultGroovyMethods.with(Object,Closure),Object#hashCode(),Objects.hash(Object[]),DefaultGroovyMethods.first(...), andDefaultGroovyMethods.last(...) to generic whitelist.

Version 1.41

Release date: 2018-02-08

• Major improvement: greatly reduce time required to check against static Whitelists
• Major improvement: allow permission checks to multithread - elliminate lock contention with concurrent calls
• Improve UX for clearing dangerous signaturesJENKINS-22660
• Add Integer.toString(int, int) to default whitelist
• Add DefaultGroovyMethods toListString and toMapString to whitelist

Version 1.40

Release date: 2018-01-10

• BlockSystem.getNanoTime() to prevent Spectre/Meltdown exploits.
• AddDefaultGroovyMethods#contains(Iterable,Object) to default whitelist.

Version 1.39

Release date: 2017-12-12

• JENKINS-48501 - Fix NPE regression caused by fix for JENKINS-48364 and JENKINS-46213.

Version 1.38

Release date: 2017-12-11

• JENKINS-46764 - Log useful message whenscriptApproval.xml is malformed.
• JENKINS-48364 - Treat null first vararg param properly.
• JENKINS-46213 - Treat trailing array parameters as varargs when appropriate.

Version 1.37

Release date: 2017-12-11

• Fix security issue

Version 1.36

Release date: 2017-11-29

• JENKINS-47159,JENKINS-47893 - Fix two issues with varargs handling.
• Add more collection methods to the whitelist.
• HideScriptApproval link if there are no pending or approved signatures.
• Introduced support forSystemCommandLanguage

Version 1.35

Release date: 2017-11-02

• JENKINS-47758 - New feature: plugins using the SecureGroovyScript.evaluate method are automatically protected against Groovy memory leaks (most plugins)

  • Notable plugin exceptions: email-ext, matrix-project, ontrack (may be covered by a later enhancement), job-dsl (needs a bespoke implementation) and splunk-devops plugins (can't cover - doesn't use enough script-security APIs)
  • Pipeline offered its own leak protection mechanism (this is based on that)

• JENKINS-35294- VarArgs support for enums

• Whitelist map.get method, List, minus, padLeft/padRight (thanks to community contributions from Github usersryankillory,Ignition, andandrey-fomin!)

• JENKINS-47666 - Add math.max and math.min to whitelist

• JENKINS-44557 - Properly cast GString (Groovy dynamic/templated string) in varargs

Version 1.34

Release date: 2017-09-05

• JENKINS-46391 - Properly handle~/foo/regexp declarations and some otherPattern methods.
• JENKINS-46358 - Whitelist a number ofStringGroovyMethods includingreplaceAll,findAll, and more.

Version 1.33

Release date: 2017-08-16

• JENKINS-46088Fix problems caused by double sandbox transformation of right-hand-side of declarations.
• JENKINS-33468Allow use ofitimplicit closure parameter.
• JENKINS-45776Better handling of scoping of closure local variables.
• JENKINS-46191 Fix compilation of empty declarations, such asString foo;, in sandbox.

Version 1.32

Release date: 2017-08-16

• Failed release due to repository permissions issues; replaced by 1.33.

Version 1.31

Release date: 2017-08-07

• Multiple security fixes

Version 1.30

Release date: 2017-07-25

Now requires Jenkins 2.7.x or later, i.e., versions of Jenkins running Groovy 2.x.

• Some whitelist and blacklist additions.

• JENKINS-42563Handlingsuper calls to methods.

• Be explicit about classpath directory rejection reason.

• JENKINS-45117Apply specificity comparisons to constructors, not just methods.

• JENKINS-37129Throw a more helpfulMissingMethodException rather than an “unclassified” error.

• Cleanup of math operations.

• JENKINS-34599Allowfinal fields to be set.

• JENKINS-45629Field initializers could produce aNullPointerException during script transformation.

Version 1.29.1

Release date: 2017-07-10

• Fix security issue

Version 1.29

Release date: 2017-06-15

• Whitelist additions, particularly forDefaultGroovyMethods.

Version 1.28

Release date: 2017-06-05

• JENKINS-34741Unclassified error when using Groovy struct constructors.

• Default whitelist additions.

Version 1.27

Release date: 2017-02-27

• JENKINS-41797 Race condition could corrupt internal whitelist metadata.
• JENKINS-39159 File handle leak when using custom script classpath could lead to unwanted locks on Windows or NFS.
• Default whitelist additions.

Version 1.26

Release date: 2017-02-13

• Default whitelist additions.

Version 1.25

Release date: 2017-01-03

• More whitelist and blacklist entries.
• Display a warning about previously approved signatures which are now in the blacklist.

Version 1.24

Release date: 2016-10-20

• JENKINS-38908 Improper handling of some varargs methods.
• Various whitelist additions.

Version 1.23

Release date: 2016-09-21

• Better report JENKINS-37599, a bug in core tickled by the Promoted Builds Plugin.
• A few new whitelist and blacklist entries.

Version 1.22

Release date: 2016-08-15

• Introduce a class loader caching layer for the Groovy sandbox to work around core performance limitations such as JENKINS-23784.
• JENKINS-37344 Default whitelist additions pertaining to collections.

Version 1.21

Release date: 2016-07-11

• Default whitelist additions pertaining to build changelogs (JENKINS-30412).

Version 1.20

Release date: 2016-06-20

• Various default whitelist additions.
• JENKINS-34739 Support for varargs methods.
• JENKINS-33023 enum initializer fixes.
• Blacklisting RunWrapper.getRawBuild.

Version 1.19

Release date: 2016-04-26

• JENKINS-24399 Prohibit class directories from being approved classpath entries.
• JENKINS-33023 Support enum initializers.
• Permit metaclass methods to be run.
• Some miscellaneous whitelist and blacklist additions.

Version 1.18.1

Release date: 2016-04-11

• Security release (CVE-2016-3102). advisory

Version 1.18

Release date: 2016-04-04

• Groovy prefers a getter/setter to a field access, so act accordingly, particularly when suggesting signatures to approve.
• JENKINS-27725 Various fixes to handling of GDK methods.
• Some miscellaneous whitelist and blacklist additions.
• JENKINS-26481 Supporting fix to GDK method handling necessary to support calls such as Object.each(Closure) from groovy-cps Pipeline.

Version 1.17

Release date: 2016-01-25

• obj.prop should interpret boolean TheClass.isProp(), not just boolean TheClass.getProp().

Version 1.16

Release date: 2016-01-19

• Many more default whitelist entries, including standard Groovy operators and GDK methods.
• JENKINS-30432 Warn about dangerous signatures.
• JENKINS-31234 Groovy allows Singleton.instance as an alias for Singleton.getInstance(); handled.
• JENKINS-31701 Misclassification of a method taking long and being passed an int.

Version 1.15

Release date: 2015-08-20

• Added a number of new default whitelist entries.
• Properly classify pseudofields of a Map.
• JENKINS-29541 Methods on a GString may really be called on a String.
• Corrected classification of methods ambiguous between GroovyDefaultMethods and invokeMethod.
• JENKINS-28586 Corrected handling of receivers inside a Closure.
• JENKINS-28154 Fixing handling of Groovy operators.

Version 1.14

Release date: 2015-04-22

• Better error message when you mistype a method name on a Groovy class.
• Default to using sandbox mode when the current user is not an administrator.

Version 1.13

Release date: 2015-02-02

• Testability fix only.

Version 1.12

Release date: 2014-12-04

• JENKINS-25914 Support for special whitelist of env in Workflow plugins.
• Whitelisting Collection.contains.

Version 1.11

Release date: 2014-12-03

• Handling some more Groovy constructs, such as the =~ operator, and GDK methods like Iterable.join(String).

Version 1.10

Release date: 2014-11-14

• JENKINS-25524 Handle ambiguous method overloads better.

Version 1.9

Release date: 2014-11-04

• Code can escape sandbox if there are multiple copies of groovy-sandbox.jar in Jenkins (JENKINS-25348)

Version 1.8

Release date: 2014-10-29

• groovy-sandbox 1.8 has a few fixes.

Version 1.7

Release date: 2014-10-13

• JENKINS-25118 Handle methods with primitive arguments.

Version 1.6

Release date: 2014-10-02

• Handle GroovyObject.invokeMethod(String,Object) correctly during call site selecction.

Version 1.5

Release date: 2014-08-19

• JENKINS-22834 Added support for custom classpaths.

Version 1.4

Release date: 2014-06-08

• Do not bother enforcing whole-script approval when Jenkins is unsecured anyway.
• Some changes to make writing acceptance tests easier.

Version 1.3

Release date: 2014-05-13

• Fixing some regressions from 1.2.

Version 1.2

Release date: 2014-05-13

• Updated Groovy sandbox library for better language coverage.

Version 1.1

Release date: 2014-05-06

• Making it possible to use Groovy functions with def syntax.
• Added GroovySandbox.run to stop whitelists from being consulted on methods defined in the script itself.

Version 1.0

Release date: 2014-04-15

• String concatenation fix in sandbox.
• Preapprove the empty script.
• Support for static fields in sandbox.
• Changed package of AbstractWhitelist.

Version 1.0 beta 6

Release date: 2014-03-31

• Added SecureGroovyScript convenience class.

Version 1.0 beta 5

Release date: 2014-03-13

• Fixed various bugs in the Groovy sandbox.
• Added AbstractWhitelist.

Version 1.0 beta 4

Release date: 2014-03-12

• Refactored Whitelist to support GString and more

Version 1.0 beta 3

Release date: 2014-03-01

• Reverted GString fix for now

Version 1.0 beta 2

Release date: 2014-02-28

• @Whitelisted
• initialization bug fix
• Groovy GString fix

Version 1.0 beta 1

Release date: 2014-02-28

• Initial version.