Merge pull request #256 from dwnusbaum/post-SECURITY-359

dwnusbaum · web-flow · commit c727e97b88dc · 2022-06-20T14:37:32.000-04:00
Use GroovySourceFileAllowlist to adapt to SECURITY-359 changes
diff --git a/pom.xml b/pom.xml
@@ -31,9 +31,9 @@
     <properties>
         <revision>1.29</revision>
         <changelist>-SNAPSHOT</changelist>
-        <jenkins.version>2.222.4</jenkins.version>
+        <jenkins.version>2.332.1</jenkins.version>
         <java.level>8</java.level>
-        <pipeline-model-definition-plugin.version>1.8.1</pipeline-model-definition-plugin.version>
+        <pipeline-model-definition-plugin.version>2.2097.v33db_b_de764b_e</pipeline-model-definition-plugin.version> <!-- TODO: Delete this and related dependencyManagement entries once this version is included in BOM -->
     </properties>
     <repositories>
         <repository>
@@ -51,12 +51,26 @@
         <dependencies>
             <dependency>
                 <groupId>io.jenkins.tools.bom</groupId>
-                <artifactId>bom-2.222.x</artifactId>
-                <version>887.vae9c8ac09ff7</version>
+                <artifactId>bom-2.332.x</artifactId>
+                <version>1409.v7659b_c072f18</version>
                 <scope>import</scope>
                 <type>pom</type>
             </dependency>
-
+            <dependency>
+                <groupId>org.jenkinsci.plugins</groupId>
+                <artifactId>pipeline-model-api</artifactId>
+                <version>${pipeline-model-definition-plugin.version}</version>
+            </dependency>
+             <dependency>
+                <groupId>org.jenkinsci.plugins</groupId>
+                <artifactId>pipeline-model-extensions</artifactId>
+                <version>${pipeline-model-definition-plugin.version}</version>
+            </dependency>
+             <dependency>
+                <groupId>org.jenkinsci.plugins</groupId>
+                <artifactId>pipeline-stage-tags-metadata</artifactId>
+                <version>${pipeline-model-definition-plugin.version}</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
     <dependencies>
@@ -116,12 +130,12 @@
         <dependency>
             <groupId>org.jenkins-ci.plugins</groupId>
             <artifactId>config-file-provider</artifactId>
-            <version>2.10.1</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>org.jenkinsci.plugins</groupId>
             <artifactId>pipeline-model-definition</artifactId>
+            <version>${pipeline-model-definition-plugin.version}</version>
         </dependency>
         <dependency>
             <groupId>org.jenkins-ci.plugins</groupId>
@@ -143,6 +157,7 @@
         <dependency>
             <groupId>org.jenkinsci.plugins</groupId>
             <artifactId>pipeline-model-definition</artifactId>
+            <version>${pipeline-model-definition-plugin.version}</version>
             <classifier>tests</classifier>
             <scope>test</scope>
         </dependency>
diff --git a/src/main/java/org/jenkinsci/plugins/docker/workflow/DockerDSL.java b/src/main/java/org/jenkinsci/plugins/docker/workflow/DockerDSL.java
@@ -28,6 +28,7 @@
 import hudson.Extension;
 import org.jenkinsci.plugins.workflow.cps.CpsScript;
 import org.jenkinsci.plugins.workflow.cps.GlobalVariable;
+import org.jenkinsci.plugins.workflow.cps.GroovySourceFileAllowlist;
 
 /**
  * Something you should <strong>not copy</strong>. Write plain old {@code Step}s and leave it at that.
@@ -53,4 +54,13 @@
         return docker;
     }
 
+    @Extension
+    public static class DockerDSLAllowlist extends GroovySourceFileAllowlist {
+        private final String scriptUrl = DockerDSL.class.getResource("Docker.groovy").toString();
+
+        @Override
+        public boolean isAllowed(String groovyResourceUrl) {
+            return groovyResourceUrl.equals(scriptUrl);
+        }
+    }
 }
diff --git a/src/main/java/org/jenkinsci/plugins/docker/workflow/declarative/AbstractDockerAgent.java b/src/main/java/org/jenkinsci/plugins/docker/workflow/declarative/AbstractDockerAgent.java
@@ -28,8 +28,10 @@
 
 import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.Nullable;
+import hudson.Extension;
 import org.jenkinsci.plugins.pipeline.modeldefinition.agent.DeclarativeAgent;
 import org.jenkinsci.plugins.pipeline.modeldefinition.options.DeclarativeOption;
+import org.jenkinsci.plugins.workflow.cps.GroovySourceFileAllowlist;
 import org.kohsuke.stapler.DataBoundSetter;
 
 public abstract class AbstractDockerAgent<D extends AbstractDockerAgent<D>> extends DeclarativeAgent<D> {
@@ -123,4 +125,18 @@ public boolean reuseRootAgent(Map<String, DeclarativeOption> options) {
         return options.get(ContainerPerStage.SYMBOL) != null;
     }
 
+    /**
+     * AbstractDockerPipelineScript.groovy is a superclass of the Groovy scripts for subclasses of
+     * {@link AbstractDockerAgent}, but does not have any direct equivalent Java class, so we just allow it here.
+     */
+    @Extension
+    public static class ChangelogConditionalScriptAllowlist extends GroovySourceFileAllowlist {
+        private final String scriptUrl = AbstractDockerAgent.class.getResource("AbstractDockerPipelineScript.groovy").toString();
+
+        @Override
+        public boolean isAllowed(String groovyResourceUrl) {
+            return groovyResourceUrl.equals(scriptUrl);
+        }
+    }
+
 }
diff --git a/src/test/java/org/jenkinsci/plugins/docker/workflow/FromFingerprintStepTest.java b/src/test/java/org/jenkinsci/plugins/docker/workflow/FromFingerprintStepTest.java
@@ -54,9 +54,11 @@ public class FromFingerprintStepTest {
         String script = "node {\n" +
             "  sh 'mkdir buildWithFROMArgs'\n" +
             "  writeFile file: 'Dockerfile', text: '" + dockerFile + "'\n" +
+            "  withEnv(['DOCKER_BUILDKIT=0']) {\n" +
             "  def built = docker.build('my-tag') \n" +
             "  dockerFingerprintFrom dockerfile: 'Dockerfile', image: 'my-tag' \n" +
             "  echo \"built ${built.id}\"\n" +
+            "  }\n" +
             "}";
 
         assertBuild("build", script, BUSYBOX_IMAGE);
diff --git a/src/test/resources/org/jenkinsci/plugins/docker/workflow/declarative/dockerPullLocalImage.groovy b/src/test/resources/org/jenkinsci/plugins/docker/workflow/declarative/dockerPullLocalImage.groovy
@@ -27,13 +27,13 @@ pipeline {
     stages {
         stage("build image") {
             steps {
-                sh 'docker build -t maven:3-alpine .'
+                sh 'docker build -t maven:3-jdk-8-slim .'
             }
         }
         stage("in built image") {
             agent {
                 docker {
-                    image "maven:3-alpine"
+                    image "maven:3-jdk-8-slim"
                     args "-v /tmp:/tmp"
                     reuseNode true
                 }
@@ -46,7 +46,7 @@ pipeline {
         stage("in pulled image") {
             agent {
                 docker {
-                    image "maven:3-alpine"
+                    image "maven:3-jdk-8-slim"
                     alwaysPull true
                 }
             }

Original file line number	Diff line number	Diff line change
`@@ -27,13 +27,13 @@ pipeline {`
`27`	`27`	`stages {`
`28`	`28`	`stage("build image") {`
`29`	`29`	`steps {`
`30`		`- sh 'docker build -t maven:3-alpine .'`
	`30`	`+ sh 'docker build -t maven:3-jdk-8-slim .'`
`31`	`31`	`}`
`32`	`32`	`}`
`33`	`33`	`stage("in built image") {`
`34`	`34`	`agent {`
`35`	`35`	`docker {`
`36`		`- image "maven:3-alpine"`
	`36`	`+ image "maven:3-jdk-8-slim"`
`37`	`37`	`args "-v /tmp:/tmp"`
`38`	`38`	`reuseNode true`
`39`	`39`	`}`
`@@ -46,7 +46,7 @@ pipeline {`
`46`	`46`	`stage("in pulled image") {`
`47`	`47`	`agent {`
`48`	`48`	`docker {`
`49`		`- image "maven:3-alpine"`
	`49`	`+ image "maven:3-jdk-8-slim"`
`50`	`50`	`alwaysPull true`
`51`	`51`	`}`
`52`	`52`	`}`