jenkinsci / groovy-sandbox

(Deprecated) Compile-time transformer to run Groovy code in a restrictive sandbox
MIT License

added getter/setter for SandboxTransformer properties #61

Closed dalbrx closed 4 years ago

dalbrx commented 4 years ago

After upgrading from 1.6, we noticed that it's not possible anymore to set the SandboxTransformer properties. This change introduces getters and setters for them.

dwnusbaum commented 4 years ago

@dalbrx I think that if you disable any of these, other than maybe attribute interception, code in the sandbox can disable all protections, so I am not sure why these properties even exist in the first place. I think they should all be deleted.

For example, interception of `'abc'.chars` is controlled by `interceptProperty`, and interception of `def a = [1]; a['toString']` is controlled by `interceptArray`, but both of these types of syntax allow method calls that can disable the sandbox. As far as I know, you must intercept everything for the sandbox to actually work as a sandbox.

dwnusbaum commented 4 years ago

@dalbrx I am going to go ahead and close this issue for the reasons mentioned above, but let me know if you have any questions or comments.