32fe0d687948c66164ce245c8d3c1386da777219,src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptor.java,SandboxInterceptor,onGetProperty,#GroovyInterceptor.Invoker#Object#String#,143

Before Change


            return super.onGetProperty(invoker, receiver, property);
        }
        Field f = GroovyCallSiteSelector.field(receiver, property);
        if (f != null && whitelist.permitsFieldGet(f, receiver)) {
            return super.onGetProperty(invoker, receiver, property);
        }
        Object[] args0 = new Object[] {};
        String getter = "get" + Functions.capitalize(property);
        Method m = GroovyCallSiteSelector.method(receiver, getter, args0);
        if (m != null && whitelist.permitsMethod(m, receiver, args0)) {
            return super.onGetProperty(invoker, receiver, property);
        }
        Object[] args1 = new Object[] {property};
        Method m2 = GroovyCallSiteSelector.method(receiver, "getProperty", args1);
        if (m2 != null && whitelist.permitsMethod(m2, receiver, args1)) {
            return super.onGetProperty(invoker, receiver, property);
        }
        Field f2 = null;

After Change


        throw rejector != null ? rejector.reject() : unclassifiedField(receiver, property);
    }

    /**
     * Decides whether a sandboxed script may read {@code property} from {@code receiver}.
     *
     * <p>The method looks up each way the property could resolve, in this order: instance field,
     * {@code getXxx()} accessor, {@code getProperty(String)}, and (only when the receiver is a
     * {@link Class}) static field and static {@code getXxx()} accessor. As soon as the whitelist
     * permits one of these candidates, the read is delegated to {@code super.onGetProperty}.
     * If none is permitted, the access is refused by throwing.
     *
     * <p>Two cases are let through without consulting the whitelist: a variable present in the
     * binding of a {@link Script} receiver, and {@code length} on an array.
     *
     * <p>NOTE(review): every permitted branch makes the same {@code super.onGetProperty} call, so the
     * candidate that was approved here is not necessarily the member Groovy resolves at runtime
     * (see the TODO below on getter-versus-field preference). Confirm that the check order matches
     * Groovy's resolution order, otherwise a whitelisted field could authorize a non-whitelisted getter.
     *
     * <p>NOTE(review): {@code receiver} is dereferenced without a null check; this assumes the caller
     * never passes null. TODO confirm.
     *
     * @param invoker continuation handed to {@code super.onGetProperty} when the access is allowed
     * @param receiver object (or {@link Class}, for static access) the property is read from
     * @param property name of the property being read
     * @return whatever {@code super.onGetProperty} returns for a permitted access
     * @throws MissingPropertyException if the receiver is a {@link Script}, the binding has no such
     *         variable, and no candidate is whitelisted
     * @throws Throwable the exception built by the first rejected candidate's {@code Rejector}, or the
     *         result of {@code unclassifiedField} when no candidate was found at all
     */
    @Override public Object onGetProperty(GroovyInterceptor.Invoker invoker, final Object receiver, final String property) throws Throwable {
        // Remembered so that a missing binding variable is reported only after every whitelist check has failed.
        MissingPropertyException mpe = null;
        if (receiver instanceof Script) { // SimpleTemplateEngine "out" variable, and anything else added in a binding
            try {
                // Called only to probe for existence; the returned value is discarded.
                ((Script) receiver).getBinding().getVariable(property); // do not let it go to Script.super.getProperty
                // Binding variables are allowed without any whitelist lookup.
                return super.onGetProperty(invoker, receiver, property);
            } catch (MissingPropertyException x) {
                mpe = x; // throw only if we are not whitelisted
            }
        }
        // Array length is always allowed.
        if (property.equals("length") && receiver.getClass().isArray()) {
            return super.onGetProperty(invoker, receiver, property);
        }
        // Holds the rejection for the FIRST candidate that was found but not whitelisted.
        // Later candidates only set it when it is still null, so the earliest match decides the error.
        Rejector rejector = null;
        // TODO Groovy seems to prefer a getter to a field (regardless of access modifier)
        // Candidate 1: instance field with the property's name.
        final Field instanceField = GroovyCallSiteSelector.field(receiver, property);
        if (instanceField != null) {
            if (whitelist.permitsFieldGet(instanceField, receiver)) {
                return super.onGetProperty(invoker, receiver, property);
            } else /* if (rejector == null) */ {
                // rejector is necessarily null here because this is the first candidate checked.
                rejector = new Rejector() {
                    @Override public RejectedAccessException reject() {
                        return StaticWhitelist.rejectField(instanceField);
                    }
                };
            }
        }
        // Candidate 2: zero-argument accessor named "get" + capitalized property.
        // NOTE(review): only the get-prefixed form is looked up; an is-prefixed boolean accessor is not
        // considered in this method. Confirm whether Groovy could resolve the property to one.
        Object[] noArgs = new Object[] {};
        String getter = "get" + Functions.capitalize(property);
        final Method getterMethod = GroovyCallSiteSelector.method(receiver, getter, noArgs);
        if (getterMethod != null) {
            if (whitelist.permitsMethod(getterMethod, receiver, noArgs)) {
                return super.onGetProperty(invoker, receiver, property);
            } else if (rejector == null) {
                rejector = new Rejector() {
                    @Override public RejectedAccessException reject() {
                        return StaticWhitelist.rejectMethod(getterMethod);
                    }
                };
            }
        }
        // GroovyObject property access
        // Candidate 3: a getProperty(String) method on the receiver, checked with the property name as its argument.
        Object[] propertyArg = new Object[] {property};
        final Method getPropertyMethod = GroovyCallSiteSelector.method(receiver, "getProperty", propertyArg);
        if (getPropertyMethod != null) {
            if (whitelist.permitsMethod(getPropertyMethod, receiver, propertyArg)) {
                return super.onGetProperty(invoker, receiver, property);
            } else if (rejector == null) {
                rejector = new Rejector() {
                    @Override public RejectedAccessException reject() {
                        // Passes "<receiver class>.<property>" along with the method so the rejection can name the property.
                        return StaticWhitelist.rejectMethod(getPropertyMethod, receiver.getClass().getName() + "." + property);
                    }
                };
            }
        }
        // Candidates 4 and 5 apply only when the receiver is itself a Class: static field, then static accessor.
        if (receiver instanceof Class) {
            final Field staticField = GroovyCallSiteSelector.staticField((Class) receiver, property);
            if (staticField != null) {
                if (whitelist.permitsStaticFieldGet(staticField)) {
                    return super.onGetProperty(invoker, receiver, property);
                } else if (rejector == null) {
                    rejector = new Rejector() {
                        @Override public RejectedAccessException reject() {
                            return StaticWhitelist.rejectStaticField(staticField);
                        }
                    };
                }
            }
            final Method staticGetterMethod = GroovyCallSiteSelector.staticMethod((Class) receiver, getter, noArgs);
            if (staticGetterMethod != null) {
                if (whitelist.permitsStaticMethod(staticGetterMethod, noArgs)) {
                    return super.onGetProperty(invoker, receiver, property);
                } else if (rejector == null) {
                    rejector = new Rejector() {
                        @Override public RejectedAccessException reject() {
                            return StaticWhitelist.rejectStaticMethod(staticGetterMethod);
                        }
                    };
                }
            }
        }
        // Nothing was whitelisted. For a Script receiver the missing-variable error takes precedence
        // over any recorded rejection.
        // NOTE(review): in that case a denied candidate surfaces as MissingPropertyException rather than
        // RejectedAccessException; confirm that whatever consumes rejections does not need to see it.
        if (mpe != null) {
            throw mpe;
        }
        // Fail closed: report the first rejected candidate, or an unclassified field if none was found.
        throw rejector != null ? rejector.reject() : unclassifiedField(receiver, property);
    }

    private static RejectedAccessException unclassifiedField(Object receiver, String property) {