[JIRA] (JENKINS-50380) script-security doesn't handle a non-standard Collection without a constructor taking an array properly
Title: Message Title Andrew Bayer updated an issue Jenkins / JENKINS-50380 script-security doesn't handle a non-standard Collection without a constructor taking an array properly Change By: Andrew Bayer Component/s: script-security-plugin Component/s: pipeline Add Comment This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] (JENKINS-50380) script-security doesn't handle a non-standard Collection without a constructor taking an array properly
Title: Message Title Andrew Bayer updated JENKINS-50380 Merged, releasing momentarily as part of script-security 1.43. Jenkins / JENKINS-50380 script-security doesn't handle a non-standard Collection without a constructor taking an array properly Change By: Andrew Bayer Status: In Review Resolved Resolution: Fixed Add Comment This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@g
[JIRA] (JENKINS-50380) script-security doesn't handle a non-standard Collection without a constructor taking an array properly
Title: Message Title SCM/JIRA link daemon commented on JENKINS-50380 Re: script-security doesn't handle a non-standard Collection without a constructor taking an array properly Code changed in jenkins User: Andrew Bayer Path: pom.xml src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java http://jenkins-ci.org/commit/script-security-plugin/c9ecc7957e742b042326173e314a9e6619a8def4 Log: Merge pull request #192 from abayer/jenkins-50380 JENKINS-50380 checkedCast should just return object when assignable Compare: https://github.com/jenkinsci/script-security-plugin/compare/2fa618d6f534...c9ecc7957e74 Add Comment This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] (JENKINS-50380) script-security doesn't handle a non-standard Collection without a constructor taking an array properly
Title: Message Title SCM/JIRA link daemon commented on JENKINS-50380 Re: script-security doesn't handle a non-standard Collection without a constructor taking an array properly Code changed in jenkins User: Andrew Bayer Path: pom.xml src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java http://jenkins-ci.org/commit/script-security-plugin/c307bcc62f6170ec6e3f1a71b986c723567f42e1 Log: JENKINS-50380 checkedCast should use clazz.cast when assignable Downstream of https://github.com/jenkinsci/groovy-sandbox/pull/45 Add Comment This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] (JENKINS-50380) script-security doesn't handle a non-standard Collection without a constructor taking an array properly
Title: Message Title Andrew Bayer commented on JENKINS-50380 Re: script-security doesn't handle a non-standard Collection without a constructor taking an array properly Ok, I've got PRs up for groovy-sandbox and script-security that fix this by making sure Checker.checkedCast doesn't bother jumping through the DefaultTypeTransformation.castToType hoops if a simple clazz.cast will do the trick. Let's see what the reviewers think. Add Comment This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] (JENKINS-50380) script-security doesn't handle a non-standard Collection without a constructor taking an array properly
Title: Message Title Andrew Bayer started work on JENKINS-50380 Change By: Andrew Bayer Status: Open In Progress Add Comment This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] (JENKINS-50380) script-security doesn't handle a non-standard Collection without a constructor taking an array properly
Title: Message Title Andrew Bayer updated JENKINS-50380 Jenkins / JENKINS-50380 script-security doesn't handle a non-standard Collection without a constructor taking an array properly Change By: Andrew Bayer Status: In Progress Review Add Comment This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] (JENKINS-50380) script-security doesn't handle a non-standard Collection without a constructor taking an array properly
Title: Message Title Andrew Bayer commented on JENKINS-50380 Re: script-security doesn't handle a non-standard Collection without a constructor taking an array properly So: this was introduced in script-security 1.31 as part of one of a number of security fixes relating to casting. There are actually two things going on here - first is that the logic for actually doing a sandbox-checked cast still tries to do a cast even when the target class and the class of the object to cast are exactly the same. That's obviously goofy and shouldn't happen. The second is that the logic for doing the sandbox-checked cast sees any Collection that isn't in java.util (those are handled natively by Groovy so we don't worry about them) and, rather than simply casting it, it does a new ClassInQuestion(original.toArray()). Which normally works for a Collection since most will have a constructor taking an array of objects, but doesn't work in this case, where there is no such constructor. While I do believe the cast-to-same-class case should be fixed in general, and I am not pleased with the array constructor for a Collection thing, the bigger issue here is that I don't think we should be ending up in a sandbox-checked cast in this situation in the first place. However, I can't figure out how to prevent that without reopening the casting related issues this is dealing with in the first place...so it may be that we need to accept the potentially pointless sandbox-checked cast, but ensure that said sandbox-checked cast will check at runtime if a straight Class#cast call would suffice and do that instead of handing off to Groovy's casting magic... Add Comment This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e)
[JIRA] (JENKINS-50380) script-security doesn't handle a non-standard Collection without a constructor taking an array properly
Title: Message Title Andrew Bayer updated an issue Jenkins / JENKINS-50380 script-security doesn't handle a non-standard Collection without a constructor taking an array properly Change By: Andrew Bayer Summary: pipeline using shared library failed after upgrading Jenkins to 2.89.4.2 script-security doesn't handle a non-standard Collection without a constructor taking an array properly Add Comment This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
