Merge pull request #828 from dwnusbaum/revert-default-allowlist-cleanup

Revert "Merge pull request #538 from dwnusbaum/post-SECURITY-359"

Author: jglick

plugin/src/main/java/org/jenkinsci/plugins/workflow/cps/GroovySourceFileAllowlist.java

@@ -29,13 +29,15 @@
 import hudson.Extension;
 import hudson.ExtensionList;
 import hudson.ExtensionPoint;
+import hudson.Main;
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.Enumeration;
 import java.util.List;
@@ -186,6 +188,15 @@ public DefaultAllowlist() throws IOException {
                 }
             }
             loadDefaultAllowlist(ALLOWED_SOURCE_FILES);
+            // Some plugins use test-specific Groovy DSLs.
+            if (Main.isUnitTest) {
+                ALLOWED_SOURCE_FILES.addAll(List.of(
+                        // pipeline-model-definition
+                        "/org/jenkinsci/plugins/pipeline/modeldefinition/agent/impl/LabelAndOtherFieldAgentScript.groovy",
+                        "/org/jenkinsci/plugins/pipeline/modeldefinition/parser/GlobalStageNameTestConditionalScript.groovy",
+                        "/org/jenkinsci/plugins/pipeline/modeldefinition/parser/GlobalStepCountTestConditionalScript.groovy"
+                ));
+            }
         }
 
         private static void loadDefaultAllowlist(List<String> allowlist) throws IOException {

plugin/src/main/resources/org/jenkinsci/plugins/workflow/cps/GroovySourceFileAllowlist/default-allowlist

@@ -1,4 +1,34 @@
 # This list is ordered from most popular to least popular plugin to minimize performance impact.
+# pipeline-model-definition
+/org/jenkinsci/plugins/pipeline/modeldefinition/ModelInterpreter.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/agent/impl/AnyScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/agent/impl/LabelScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/agent/impl/NoneScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/AbstractChangelogConditionalScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/AllOfConditionalScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/AnyOfConditionalScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/BranchConditionalScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/ChangeLogConditionalScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/ChangeRequestConditionalScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/ChangeSetConditionalScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/EnvironmentConditionalScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/EqualsConditionalScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/ExpressionConditionalScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/IsRestartedRunConditionalScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/NotConditionalScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/TagConditionalScript.groovy
+/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/TriggeredByConditionalScript.groovy
+# pipeline-model-extensions
+/org/jenkinsci/plugins/pipeline/modeldefinition/agent/CheckoutScript.groovy
+# docker-workflow
+/org/jenkinsci/plugins/docker/workflow/Docker.groovy
+/org/jenkinsci/plugins/docker/workflow/declarative/AbstractDockerPipelineScript.groovy
+/org/jenkinsci/plugins/docker/workflow/declarative/DockerPipelineFromDockerfileScript.groovy
+/org/jenkinsci/plugins/docker/workflow/declarative/DockerPipelineScript.groovy
+# kubernetes
+/org/csanchez/jenkins/plugins/kubernetes/pipeline/KubernetesDeclarativeAgentScript.groovy
+# amazon-ecs
+/com/cloudbees/jenkins/plugins/amazonecs/pipeline/ECSDeclarativeAgentScript.groovy
 # workflow-remote-loader:
 /org/jenkinsci/plugins/workflow/remoteloader/FileLoaderDSL/FileLoaderDSLImpl.groovy
 # confluence-publisher