disable GroovyShell cache for sandbox mode

[FIXES JENKINS-55479]
jenkinsci · Jan 9, 2019 · f3fd560 · f3fd560
1 parent 9fdd595
commit f3fd560
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 1 deletion.
diff --git a/job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/AbstractDslScriptLoader.groovy b/job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/AbstractDslScriptLoader.groovy
@@ -53,7 +53,9 @@ abstract class AbstractDslScriptLoader<S extends JobParent, G extends GeneratedI
                             new Binding(),
                             config
                     )
-                    groovyShellCache[key] = groovyShell
+                    if (isGroovyShellCacheEnabled()) {
+                        groovyShellCache[key] = groovyShell
+                    }
                 }
 
                 S jobParent = runScriptEngine(scriptRequest, groovyShell)
@@ -132,6 +134,10 @@ abstract class AbstractDslScriptLoader<S extends JobParent, G extends GeneratedI
         script.run()
     }
 
+    protected boolean isGroovyShellCacheEnabled() {
+        true
+    }
+
     private static boolean isValidScriptName(ScriptRequest scriptRequest) {
         String normalizedName = scriptRequest.scriptBaseName
         if (normalizedName.length() == 0 || !Character.isJavaIdentifierStart(normalizedName.charAt(0))) {

diff --git a/job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/SandboxDslScriptLoader.groovy b/job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/SandboxDslScriptLoader.groovy
@@ -55,6 +55,10 @@ class SandboxDslScriptLoader extends SecureDslScriptLoader {
         }
     }
 
+    protected boolean isGroovyShellCacheEnabled() {
+        false
+    }
+
     private static class WorkspaceClassLoader extends URLClassLoader {
         private final Item seedJob
 

diff --git a/job-dsl-plugin/src/test/groovy/javaposse/jobdsl/plugin/ExecuteDslScriptsSpec.groovy b/job-dsl-plugin/src/test/groovy/javaposse/jobdsl/plugin/ExecuteDslScriptsSpec.groovy
@@ -1515,6 +1515,35 @@ folder('folder-a/folder-b') {
         assert ScriptApproval.get().pendingScripts*.script == []
     }
 
+    def 'run scripts in sandbox with import from workspace JENKINS-55479'() {
+        setup:
+        jenkinsRule.instance.securityRealm = jenkinsRule.createDummySecurityRealm()
+        jenkinsRule.instance.authorizationStrategy = new MockAuthorizationStrategy()
+                .grant(Jenkins.READ, Item.READ, Item.CONFIGURE, Item.CREATE, Computer.BUILD, Item.WORKSPACE)
+                .everywhere().to('dev')
+
+        FreeStyleProject job = jenkinsRule.createFreeStyleProject('seed')
+        FreeStyleBuild build = job.scheduleBuild2(0).get()
+        build.workspace.child('a.groovy').write('new C()', 'UTF-8')
+        build.workspace.child('b.groovy').write('new C()', 'UTF-8')
+        build.workspace.child('C.groovy').write('class C {}', 'UTF-8')
+        job.buildersList.add(new ExecuteDslScripts(targets: 'a.groovy\nb.groovy', sandbox: true))
+        setupQIA('dev', job)
+
+        when:
+        jenkinsRule.submit(jenkinsRule.createWebClient().login('dev').getPage(job, 'configure').getFormByName('config'))
+
+        then:
+        assert ScriptApproval.get().pendingScripts*.script == []
+
+        when:
+        build = job.scheduleBuild2(0).get()
+
+        then:
+        build.result == SUCCESS
+        assert ScriptApproval.get().pendingScripts*.script == []
+    }
+
     def 'cannot run script in sandbox with import from workspace without WORKSPACE permission'() {
         setup:
         String script = 'import Helper\njob(Helper.computeName()) { description("foo") }'
-Original file line number
+Diff line change
@@ Expand Up / @@ -55,6 +55,10 @@ class SandboxDslScriptLoader extends SecureDslScriptLoader { @@
             }
         }
+        protected boolean isGroovyShellCacheEnabled() {
+            false
+        }
         private static class WorkspaceClassLoader extends URLClassLoader {
             private final Item seedJob
@@ Expand Down @@