From 86250ad2e4704ab6871d8695db65e3aa50a65587 Mon Sep 17 00:00:00 2001
From: Devin Nusbaum
Date: Tue, 9 Jan 2024 10:53:22 -0500
Subject: [PATCH] Revert "Merge pull request #538 from dwnusbaum/post-SECURITY-359"

This reverts commit c43e04d6d68c0f1a08e80e30afcc167aa878786c, reversing changes made to 3a59e40fb41d2774421ce3d7c00480e5917edb76.
---
 .../cps/GroovySourceFileAllowlist.java | 11 +++++++
 .../default-allowlist | 30 +++++++++++++++++++
 2 files changed, 41 insertions(+)

diff --git a/plugin/src/main/java/org/jenkinsci/plugins/workflow/cps/GroovySourceFileAllowlist.java b/plugin/src/main/java/org/jenkinsci/plugins/workflow/cps/GroovySourceFileAllowlist.java
index 64c13495c..b9c330256 100644
--- a/plugin/src/main/java/org/jenkinsci/plugins/workflow/cps/GroovySourceFileAllowlist.java
+++ b/plugin/src/main/java/org/jenkinsci/plugins/workflow/cps/GroovySourceFileAllowlist.java
@@ -29,6 +29,7 @@
 import hudson.Extension;
 import hudson.ExtensionList;
 import hudson.ExtensionPoint;
+import hudson.Main;
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStream;
@@ -36,6 +37,7 @@
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.Enumeration;
 import java.util.List;
@@ -186,6 +188,15 @@ public DefaultAllowlist() throws IOException {
 }
 }
 loadDefaultAllowlist(ALLOWED_SOURCE_FILES);
+ // Some plugins use test-specific Groovy DSLs.
+ if (Main.isUnitTest) {
+ ALLOWED_SOURCE_FILES.addAll(List.of(
+ // pipeline-model-definition
+ "/org/jenkinsci/plugins/pipeline/modeldefinition/agent/impl/LabelAndOtherFieldAgentScript.groovy",
+ "/org/jenkinsci/plugins/pipeline/modeldefinition/parser/GlobalStageNameTestConditionalScript.groovy",
+ "/org/jenkinsci/plugins/pipeline/modeldefinition/parser/GlobalStepCountTestConditionalScript.groovy"
+ ));
+ }
 }

 private static void loadDefaultAllowlist(List allowlist) throws IOException {
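Review bot: The `import java.util.Arrays;` added in the second import hunk is not used by any new line visible in this patch; the block restored in the constructor builds its list with `List.of(...)`. If nothing elsewhere in the file refers to `Arrays`, drop the import so the revert does not reintroduce an unused import. The rest of the file is outside this diff, so that needs a quick check first.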
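Review bot: The `if (Main.isUnitTest)` block appends test-only script paths to `ALLOWED_SOURCE_FILES`, the same list the shipped default allowlist is loaded into, so which Groovy sources are accepted now depends on a runtime flag and not only on the `default-allowlist` resource. `Main.isUnitTest` is a public mutable static in Jenkins core, so it would be safer for the tests that need these three paths to register them through a test-scoped `GroovySourceFileAllowlist` implementation (the class appears to be an extension point, judging by the `ExtensionPoint` import). If the block stays, state the constraint above it, e.g. `// Test-only entries: must never be added when Main.isUnitTest is false; remove once pipeline-model-definition registers its own test allowlist.` The constructor begins before this hunk, so whether the list is reset between instantiations is not visible here.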
diff --git a/plugin/src/main/resources/org/jenkinsci/plugins/workflow/cps/GroovySourceFileAllowlist/default-allowlist b/plugin/src/main/resources/org/jenkinsci/plugins/workflow/cps/GroovySourceFileAllowlist/default-allowlist
index a8e51c2a7..132684793 100644
--- a/plugin/src/main/resources/org/jenkinsci/plugins/workflow/cps/GroovySourceFileAllowlist/default-allowlist
+++ b/plugin/src/main/resources/org/jenkinsci/plugins/workflow/cps/GroovySourceFileAllowlist/default-allowlist
@@ -1,4 +1,34 @@
 # This list is ordered from most popular to least popular plugin to minimize performance impact.
+# pipeline-model-definition
+/org/jenkinsci/plugins/pipeline/modeldefinition/ModelInterpreter.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/agent/impl/AnyScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/agent/impl/LabelScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/agent/impl/NoneScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/AbstractChangelogConditionalScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/AllOfConditionalScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/AnyOfConditionalScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/BranchConditionalScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/ChangeLogConditionalScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/ChangeRequestConditionalScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/ChangeSetConditionalScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/EnvironmentConditionalScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/EqualsConditionalScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/ExpressionConditionalScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/IsRestartedRunConditionalScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/NotConditionalScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/TagConditionalScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/TriggeredByConditionalScript.groovy
+# pipeline-model-extensions
+/org/jenkinsci/plugins/pipeline/modeldefinition/agent/CheckoutScript.groovy
+# docker-workflow
+/org/jenkinsci/plugins/docker/workflow/Docker.groovy
+/org/jenkinsci/plugins/docker/workflow/declarative/AbstractDockerPipelineScript.groovy
+/org/jenkinsci/plugins/docker/workflow/declarative/DockerPipelineFromDockerfileScript.groovy
+/org/jenkinsci/plugins/docker/workflow/declarative/DockerPipelineScript.groovy
+# kubernetes
+/org/csanchez/jenkins/plugins/kubernetes/pipeline/KubernetesDeclarativeAgentScript.groovy
+# amazon-ecs
+/com/cloudbees/jenkins/plugins/amazonecs/pipeline/ECSDeclarativeAgentScript.groovy
 # workflow-remote-loader:
 /org/jenkinsci/plugins/workflow/remoteloader/FileLoaderDSL/FileLoaderDSLImpl.groovy
 # confluence-publisher
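Review bot: The 30 restored lines widen the default allowlist for five plugins, but neither this file nor the commit message records why the entries are needed again or under what condition they can be dropped. Since each path is presumably a Groovy source the plugin will accept by default, add a comment above the restored block such as `# Restored by the revert of #538; remove a plugin's entries once its supported releases no longer rely on this default list.` That keeps the list from silently staying broader than necessary and gives the next cleanup a criterion to check against.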