fixed Groovy sandbox bypass via constructor invocation

[FIXES SECURITY-1342]

Author: daspilker

docs/Home.md

@@ -32,6 +32,8 @@ Browse the Jenkins issue tracker to see any [open issues](https://issues.jenkins
   * Increased the minimum supported Jenkins version to 2.121
   * Replaced built-in support for periodic folder trigger, see [Migration](Migration#migrating-to-172)
     ([JENKINS-55429](https://issues.jenkins-ci.org/browse/JENKINS-55429))
+  * Fixed Groovy sandbox bypass via constructor invocation
+    ([SECURITY-1342](https://issues.jenkins-ci.org/browse/SECURITY-1342))
   * Removed anything that has been deprecated in 1.70, see [Migration](Migration#migrating-to-170)
   * Removed anything that has been deprecated in 1.69, see [Migration](Migration#migrating-to-169)
   * Removed anything that has been deprecated in 1.68, see [Migration](Migration#migrating-to-168)

job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/AbstractDslScriptLoader.groovy

@@ -98,7 +98,7 @@ abstract class AbstractDslScriptLoader<S extends JobParent, G extends GeneratedI
                 logger.println('Processing provided DSL script')
             }
 
-            Script script = groovyShell.parse(createGroovyCodeSource(scriptRequest))
+            Script script = parseScript(groovyShell, createGroovyCodeSource(scriptRequest))
             script.binding = createBinding(scriptRequest)
             script.binding.setVariable('jobFactory', script)
 
@@ -130,6 +130,10 @@ abstract class AbstractDslScriptLoader<S extends JobParent, G extends GeneratedI
         new GroovyCodeSource(scriptRequest.body, scriptRequest.scriptName ?: 'script', DEFAULT_CODE_BASE)
     }
 
+    protected Script parseScript(GroovyShell groovyShell, GroovyCodeSource codeSource) {
+        groovyShell.parse(codeSource)
+    }
+
     protected void runScript(Script script) {
         script.run()
     }

job-dsl-plugin/build.gradle

@@ -16,6 +16,16 @@ plugins {
 
 description = 'Jenkins plugin to leverage job-dsl-core to programmatic create jobs from inside Jenkins.'
 
+repositories {
+    maven {
+        credentials {
+            username "$artifactoryUsername"
+            password "$artifactoryPassword"
+        }
+        url('https://repo.jenkins-ci.org/security1336-staging')
+    }
+}
+
 // keep the generated sources outside of the build directory, see http://stackoverflow.com/a/21003914/1271460
 def generatedSourcesDir = 'generated'
 
@@ -89,7 +99,7 @@ dependencies {
         exclude group: 'org.jvnet.hudson', module:'xstream'
     }
     jenkinsPlugins 'org.jenkins-ci.plugins:structs:1.13'
-    jenkinsPlugins 'org.jenkins-ci.plugins:script-security:1.25'
+    jenkinsPlugins 'org.jenkins-ci.plugins:script-security:1.54'
     optionalJenkinsPlugins('org.jenkins-ci.plugins:vsphere-cloud:1.1.11') {
         exclude group: 'dom4j'
     }

job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/JobDslWhitelist.groovy

@@ -6,6 +6,7 @@ import javaposse.jobdsl.plugin.structs.DescribableContext
 import javaposse.jobdsl.plugin.structs.DescribableListContext
 import org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.AbstractWhitelist
 
+import java.lang.reflect.Constructor
 import java.lang.reflect.Method
 
 /**
@@ -17,6 +18,11 @@ class JobDslWhitelist extends AbstractWhitelist {
             AbstractExtensibleContext, DescribableContext, DescribableListContext
     ]
 
+    @Override
+    boolean permitsConstructor(Constructor<?> constructor, Object[] args) {
+        constructor.declaringClass == JenkinsJobParent
+    }
+
     @Override
     boolean permitsMethod(Method method, Object receiver, Object[] args) {
         Context.isAssignableFrom(method.declaringClass) ||

job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/SandboxDslScriptLoader.groovy

@@ -10,11 +10,14 @@ import org.acegisecurity.AccessDeniedException
 import org.codehaus.groovy.control.CompilerConfiguration
 import org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException
 import org.jenkinsci.plugins.scriptsecurity.sandbox.Whitelist
+import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.ClassLoaderWhitelist
 import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox
 import org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.ProxyWhitelist
 import org.jenkinsci.plugins.scriptsecurity.scripts.ApprovalContext
 import org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval
 
+import java.util.concurrent.Callable
+
 class SandboxDslScriptLoader extends SecureDslScriptLoader {
     private final Item seedJob
 
@@ -41,24 +44,49 @@ class SandboxDslScriptLoader extends SecureDslScriptLoader {
     }
 
     @Override
-    protected void runScript(Script script) {
+    protected JenkinsJobParent runScriptEngine(ScriptRequest scriptRequest, GroovyShell groovyShell) {
         if (ACL.SYSTEM == Jenkins.authentication) {
             // the build must run as an actual user
             throw new AccessDeniedException(Messages.SandboxDslScriptLoader_NotAuthenticated())
         }
 
         try {
-            GroovySandbox.run(script, new ProxyWhitelist(Whitelist.all(), new JobDslWhitelist()))
+            return super.runScriptEngine(scriptRequest, groovyShell)
         } catch (RejectedAccessException e) {
             ScriptApproval.get().accessRejected(e, ApprovalContext.create().withItem(seedJob))
             throw new DslException(e.message, e)
         }
     }
 
+    @Override
+    protected Script parseScript(GroovyShell groovyShell, GroovyCodeSource codeSource) {
+        GroovySandbox.runInSandbox(new Callable<Script>() {
+            @Override
+            Script call() throws Exception {
+                groovyShell.parse(codeSource)
+            }
+        }, createWhitelist())
+    }
+
+    @Override
+    protected void runScript(Script script) {
+        GroovySandbox.runInSandbox(new Callable<Object>() {
+            @Override
+            Object call() throws Exception {
+                script.run()
+            }
+        }, new ProxyWhitelist(new ClassLoaderWhitelist(script.class.classLoader), createWhitelist()))
+    }
+
+    @Override
     protected boolean isGroovyShellCacheEnabled() {
         false
     }
 
+    private static ProxyWhitelist createWhitelist() {
+        new ProxyWhitelist(Whitelist.all(), new JobDslWhitelist())
+    }
+
     private static class WorkspaceClassLoader extends URLClassLoader {
         private final Item seedJob
 

job-dsl-plugin/src/test/groovy/javaposse/jobdsl/plugin/ExecuteDslScriptsSpec.groovy

@@ -1486,6 +1486,25 @@ folder('folder-a/folder-b') {
         ScriptApproval.get().pendingSignatures*.signature == ['staticMethod java.lang.System exit int']
     }
 
+    def 'run script in sandbox with no-arg constructor'() {
+        setup:
+        String script = this.class.getResourceAsStream('security1342.groovy').text
+
+        jenkinsRule.instance.securityRealm = jenkinsRule.createDummySecurityRealm()
+        jenkinsRule.instance.authorizationStrategy = new MockAuthorizationStrategy()
+                .grant(Jenkins.ADMINISTER).everywhere().to('admin')
+        FreeStyleProject job = jenkinsRule.createFreeStyleProject('seed')
+        job.buildersList.add(new ExecuteDslScripts(scriptText: script, sandbox: true))
+        setupQIA('admin', job)
+
+        when:
+        FreeStyleBuild build = job.scheduleBuild2(0).get()
+
+        then:
+        build.result == FAILURE
+        ScriptApproval.get().pendingSignatures*.signature == ['new java.io.File java.lang.String']
+    }
+
     def 'run script in sandbox with import from workspace'() {
         setup:
         String script = 'import Helper\njob(Helper.computeName()) { description("foo") }'

job-dsl-plugin/src/test/resources/javaposse/jobdsl/plugin/security1342.groovy

@@ -0,0 +1,10 @@
+package javaposse.jobdsl.plugin
+
+class Foo extends JenkinsJobParent {
+    Foo() { new File("test") }
+
+    @Override
+    Object run() {
+        return null
+    }
+}