Merge pull request #538 from dwnusbaum/post-SECURITY-359

jglick · web-flow · commit c43e04d6d68c · 2024-01-03T11:11:43.000-05:00
Remove `default-allowlist` entries for Groovy source files related to Declarative
diff --git a/plugin/src/main/java/org/jenkinsci/plugins/workflow/cps/GroovySourceFileAllowlist.java b/plugin/src/main/java/org/jenkinsci/plugins/workflow/cps/GroovySourceFileAllowlist.java
@@ -29,15 +29,13 @@
 import hudson.Extension;
 import hudson.ExtensionList;
 import hudson.ExtensionPoint;
-import hudson.Main;
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Collections;
 import java.util.Enumeration;
 import java.util.List;
@@ -188,15 +186,6 @@ public DefaultAllowlist() throws IOException {
                 }
             }
             loadDefaultAllowlist(ALLOWED_SOURCE_FILES);
-            // Some plugins use test-specific Groovy DSLs.
-            if (Main.isUnitTest) {
-                ALLOWED_SOURCE_FILES.addAll(List.of(
-                        // pipeline-model-definition
-                        "/org/jenkinsci/plugins/pipeline/modeldefinition/agent/impl/LabelAndOtherFieldAgentScript.groovy",
-                        "/org/jenkinsci/plugins/pipeline/modeldefinition/parser/GlobalStageNameTestConditionalScript.groovy",
-                        "/org/jenkinsci/plugins/pipeline/modeldefinition/parser/GlobalStepCountTestConditionalScript.groovy"
-                ));
-            }
         }
 
         private static void loadDefaultAllowlist(List<String> allowlist) throws IOException {
diff --git a/plugin/src/main/resources/org/jenkinsci/plugins/workflow/cps/GroovySourceFileAllowlist/default-allowlist b/plugin/src/main/resources/org/jenkinsci/plugins/workflow/cps/GroovySourceFileAllowlist/default-allowlist
@@ -1,34 +1,4 @@
 # This list is ordered from most popular to least popular plugin to minimize performance impact.
-# pipeline-model-definition
-/org/jenkinsci/plugins/pipeline/modeldefinition/ModelInterpreter.groovy
-/org/jenkinsci/plugins/pipeline/modeldefinition/agent/impl/AnyScript.groovy
-/org/jenkinsci/plugins/pipeline/modeldefinition/agent/impl/LabelScript.groovy
-/org/jenkinsci/plugins/pipeline/modeldefinition/agent/impl/NoneScript.groovy
-/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/AbstractChangelogConditionalScript.groovy
-/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/AllOfConditionalScript.groovy
-/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/AnyOfConditionalScript.groovy
-/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/BranchConditionalScript.groovy
-/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/ChangeLogConditionalScript.groovy
-/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/ChangeRequestConditionalScript.groovy
-/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/ChangeSetConditionalScript.groovy
-/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/EnvironmentConditionalScript.groovy
-/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/EqualsConditionalScript.groovy
-/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/ExpressionConditionalScript.groovy
-/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/IsRestartedRunConditionalScript.groovy
-/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/NotConditionalScript.groovy
-/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/TagConditionalScript.groovy
-/org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/TriggeredByConditionalScript.groovy
-# pipeline-model-extensions
-/org/jenkinsci/plugins/pipeline/modeldefinition/agent/CheckoutScript.groovy
-# docker-workflow
-/org/jenkinsci/plugins/docker/workflow/Docker.groovy
-/org/jenkinsci/plugins/docker/workflow/declarative/AbstractDockerPipelineScript.groovy
-/org/jenkinsci/plugins/docker/workflow/declarative/DockerPipelineFromDockerfileScript.groovy
-/org/jenkinsci/plugins/docker/workflow/declarative/DockerPipelineScript.groovy
-# kubernetes
-/org/csanchez/jenkins/plugins/kubernetes/pipeline/KubernetesDeclarativeAgentScript.groovy
-# amazon-ecs
-/com/cloudbees/jenkins/plugins/amazonecs/pipeline/ECSDeclarativeAgentScript.groovy
 # workflow-remote-loader:
 /org/jenkinsci/plugins/workflow/remoteloader/FileLoaderDSL/FileLoaderDSLImpl.groovy
 # confluence-publisher
