Merge branch 'master' of github.com:jenkinsci/pipeline-groovy-lib-plugin into feature/include-versions-caching

Author: rsandell

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @jenkinsci/pipeline-groovy-lib-plugin-developers

.github/release-drafter.yml

@@ -2,6 +2,6 @@
   <extension>
     <groupId>io.jenkins.tools.incrementals</groupId>
     <artifactId>git-changelist-maven-extension</artifactId>
-    <version>1.4</version>
+    <version>1.7</version>
   </extension>
 </extensions>

.mvn/extensions.xml

@@ -1,5 +1,6 @@
-buildPlugin(useContainerAgent: true, configurations: [
-  [ platform: "linux", jdk: "8" ],
-  [ platform: "windows", jdk: "8" ],
-  [ platform: "linux", jdk: "11" ]
+buildPlugin(
+  useContainerAgent: true,
+  configurations: [
+    [platform: 'linux', jdk: 17],
+    [platform: 'windows', jdk: 11],
 ])

Jenkinsfile

@@ -28,7 +28,7 @@
     <parent>
         <groupId>org.jenkins-ci.plugins</groupId>
         <artifactId>plugin</artifactId>
-        <version>4.44</version>
+        <version>4.71</version>
         <relativePath/>
     </parent>
     <groupId>io.jenkins.plugins</groupId>
@@ -44,7 +44,7 @@
         </license>
     </licenses>
     <scm>
-        <connection>scm:git:git://github.com/${gitHubRepo}.git</connection>
+        <connection>scm:git:https://github.com/${gitHubRepo}.git</connection>
         <developerConnection>scm:git:[email protected]:${gitHubRepo}.git</developerConnection>
         <url>https://github.com/${gitHubRepo}</url>
         <tag>${scmTag}</tag>
@@ -63,15 +63,15 @@
     </pluginRepositories>
     <properties>
         <changelist>999999-SNAPSHOT</changelist>
-        <jenkins.version>2.289.3</jenkins.version>
+        <jenkins.version>2.361.4</jenkins.version>
         <gitHubRepo>jenkinsci/${project.artifactId}-plugin</gitHubRepo>
     </properties>
     <dependencyManagement>
         <dependencies>
             <dependency>
                 <groupId>io.jenkins.tools.bom</groupId>
-                <artifactId>bom-2.289.x</artifactId>
-                <version>1500.ve4d05cd32975</version>
+                <artifactId>bom-2.361.x</artifactId>
+                <version>1883.vcb_768a_7c3610</version>
                 <scope>import</scope>
                 <type>pom</type>
             </dependency>
@@ -82,7 +82,7 @@
         <dependency>
             <groupId>org.apache.ivy</groupId>
             <artifactId>ivy</artifactId>
-            <version>2.5.0</version>
+            <version>2.5.1</version>
         </dependency>
 
         <!-- required plugins -->
@@ -190,6 +190,16 @@
             <groupId>org.jenkins-ci.plugins</groupId>
             <artifactId>subversion</artifactId>
             <scope>test</scope>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.apache.sshd</groupId>
+                    <artifactId>sshd-common</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.sshd</groupId>
+                    <artifactId>sshd-core</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.jenkins-ci.plugins</groupId>
@@ -200,7 +210,7 @@
         <dependency>
             <groupId>org.tmatesoft.svnkit</groupId>
             <artifactId>svnkit-cli</artifactId>
-            <version>1.10.7</version>
+            <version>1.10.10</version>
             <scope>test</scope>
         </dependency>
     </dependencies>

pom.xml

@@ -59,6 +59,7 @@
 import java.util.logging.Logger;
 import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
+import groovy.lang.MissingPropertyException;
 import javax.inject.Inject;
 import jenkins.model.Jenkins;
 import jenkins.scm.impl.SingleSCMSource;
@@ -75,6 +76,8 @@
 import org.jenkinsci.plugins.workflow.steps.StepContextParameter;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.DoNotUse;
+import org.kohsuke.groovy.sandbox.GroovyInterceptor;
+import org.kohsuke.groovy.sandbox.impl.Checker;
 import org.kohsuke.stapler.AncestorInPath;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.DataBoundSetter;
@@ -270,11 +273,15 @@ public static final class LoadedClasses extends GroovyObjectSupport implements S
             if (clazz != null) {
                 // Field access?
                 try {
-                    // not doing a Whitelist check since GroovyClassLoaderWhitelist would be allowing it anyway
+                    if (isSandboxed()) {
+                        return Checker.checkedGetAttribute(loadClass(prefix + clazz), false, false, property);
+                    }
                     return loadClass(prefix + clazz).getField(property).get(null);
-                } catch (NoSuchFieldException x) {
+                } catch (MissingPropertyException | NoSuchFieldException x) {
                     // guessed wrong
-                } catch (IllegalAccessException x) {
+                } catch (SecurityException x) {
+                    throw x;
+                } catch (Throwable x) {
                     throw new GroovyRuntimeException(x);
                 }
             }
@@ -284,6 +291,8 @@ public static final class LoadedClasses extends GroovyObjectSupport implements S
                 loadClass(prefix + fullClazz);
                 // OK, class really exists, stash it and await methods
                 return new LoadedClasses(library, trusted, changelog, prefix, fullClazz, srcUrl);
+            } else if (clazz != null) {
+                throw new MissingPropertyException(property, loadClass(prefix + clazz));
             } else {
                 // Still selecting package components.
                 return new LoadedClasses(library, trusted, changelog, prefix + property + '.', null, srcUrl);
@@ -293,13 +302,43 @@ public static final class LoadedClasses extends GroovyObjectSupport implements S
         @Override public Object invokeMethod(String name, Object _args) {
             Class<?> c = loadClass(prefix + clazz);
             Object[] args = _args instanceof Object[] ? (Object[]) _args : new Object[] {_args}; // TODO why does Groovy not just pass an Object[] to begin with?!
+            if (isSandboxed()) {
+                try {
+                    if (name.equals("new")) {
+                        return Checker.checkedConstructor(c, args);
+                    } else {
+                        return Checker.checkedStaticCall(c, name, args);
+                    }
+                } catch (SecurityException x) {
+                    throw x;
+                } catch (Throwable x) {
+                    throw new GroovyRuntimeException(x);
+                }
+            }
             if (name.equals("new")) {
                 return InvokerHelper.invokeConstructorOf(c, args);
             } else {
                 return InvokerHelper.invokeStaticMethod(c, name, args);
             }
         }
 
+        /**
+         * Check whether the current thread has at least one active {@link GroovyInterceptor}.
+         * <p>
+         * Typically, {@code GroovyClassLoaderWhitelist} will allow access to everything defined in a class in a
+         * library, but there are some synthetic constructors, fields, and methods which should not be accessible.
+         * <p>
+         * As a result, when getting properties or invoking methods using this class, we need to apply sandbox
+         * protection if the Pipeline code performing the operation is sandbox-transformed. Unfortunately, it is
+         * difficult to detect that case specifically, so we instead intercept all calls if the Pipeline itself is
+         * sandboxed. This results in a false positive {@code RejectedAccessException} being thrown if a trusted
+         * library uses the {@code library} step and tries to access static fields or methods that are not permitted to
+         * be used in the sandbox.
+         */
+        private static boolean isSandboxed() {
+            return !GroovyInterceptor.getApplicableInterceptors().isEmpty();
+        }
+
         // TODO putProperty for static field set
 
         private Class<?> loadClass(String name) {