32fe0d687948c66164ce245c8d3c1386da777219,src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptor.java,SandboxInterceptor,onGetProperty,#GroovyInterceptor.Invoker#Object#String#,143
Before Change
return super.onGetProperty(invoker, receiver, property);
}
Field f = GroovyCallSiteSelector.field(receiver, property);
if (f != null && whitelist.permitsFieldGet(f, receiver)) {
return super.onGetProperty(invoker, receiver, property);
}
Object[] args0 = new Object[] {};
String getter = "get" + Functions.capitalize(property);
Method m = GroovyCallSiteSelector.method(receiver, getter, args0);
if (m != null && whitelist.permitsMethod(m, receiver, args0)) {
return super.onGetProperty(invoker, receiver, property);
}
Object[] args1 = new Object[] {property};
Method m2 = GroovyCallSiteSelector.method(receiver, "getProperty", args1);
if (m2 != null && whitelist.permitsMethod(m2, receiver, args1)) {
return super.onGetProperty(invoker, receiver, property);
}
Field f2 = null;
After Change
throw rejector != null ? rejector.reject() : unclassifiedField(receiver, property);
}
@Override public Object onGetProperty(GroovyInterceptor.Invoker invoker, final Object receiver, final String property) throws Throwable {
MissingPropertyException mpe = null;
if (receiver instanceof Script) { // SimpleTemplateEngine "out" variable, and anything else added in a binding
try {
((Script) receiver).getBinding().getVariable(property); // do not let it go to Script.super.getProperty
return super.onGetProperty(invoker, receiver, property);
} catch (MissingPropertyException x) {
mpe = x; // throw only if we are not whitelisted
}
}
if (property.equals("length") && receiver.getClass().isArray()) {
return super.onGetProperty(invoker, receiver, property);
}
Rejector rejector = null;
// TODO Groovy seems to prefer a getter to a field (regardless of access modifier)
final Field instanceField = GroovyCallSiteSelector.field(receiver, property);
if (instanceField != null) {
if (whitelist.permitsFieldGet(instanceField, receiver)) {
return super.onGetProperty(invoker, receiver, property);
} else /* if (rejector == null) */ {
rejector = new Rejector() {
@Override public RejectedAccessException reject() {
return StaticWhitelist.rejectField(instanceField);
}
};
}
}
Object[] noArgs = new Object[] {};
String getter = "get" + Functions.capitalize(property);
final Method getterMethod = GroovyCallSiteSelector.method(receiver, getter, noArgs);
if (getterMethod != null) {
if (whitelist.permitsMethod(getterMethod, receiver, noArgs)) {
return super.onGetProperty(invoker, receiver, property);
} else if (rejector == null) {
rejector = new Rejector() {
@Override public RejectedAccessException reject() {
return StaticWhitelist.rejectMethod(getterMethod);
}
};
}
}
// GroovyObject property access
Object[] propertyArg = new Object[] {property};
final Method getPropertyMethod = GroovyCallSiteSelector.method(receiver, "getProperty", propertyArg);
if (getPropertyMethod != null) {
if (whitelist.permitsMethod(getPropertyMethod, receiver, propertyArg)) {
return super.onGetProperty(invoker, receiver, property);
} else if (rejector == null) {
rejector = new Rejector() {
@Override public RejectedAccessException reject() {
return StaticWhitelist.rejectMethod(getPropertyMethod, receiver.getClass().getName() + "." + property);
}
};
}
}
if (receiver instanceof Class) {
final Field staticField = GroovyCallSiteSelector.staticField((Class) receiver, property);
if (staticField != null) {
if (whitelist.permitsStaticFieldGet(staticField)) {
return super.onGetProperty(invoker, receiver, property);
} else if (rejector == null) {
rejector = new Rejector() {
@Override public RejectedAccessException reject() {
return StaticWhitelist.rejectStaticField(staticField);
}
};
}
}
final Method staticGetterMethod = GroovyCallSiteSelector.staticMethod((Class) receiver, getter, noArgs);
if (staticGetterMethod != null) {
if (whitelist.permitsStaticMethod(staticGetterMethod, noArgs)) {
return super.onGetProperty(invoker, receiver, property);
} else if (rejector == null) {
rejector = new Rejector() {
@Override public RejectedAccessException reject() {
return StaticWhitelist.rejectStaticMethod(staticGetterMethod);
}
};
}
}
}
if (mpe != null) {
throw mpe;
}
throw rejector != null ? rejector.reject() : unclassifiedField(receiver, property);
}
private static RejectedAccessException unclassifiedField(Object receiver, String property) {
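Review bot: In onGetProperty the whitelist decision is taken on the first permitted candidate (instance field, then the `"get" + capitalize(property)` getter, then `getProperty`, then the static variants), but the access itself is carried out by `super.onGetProperty(...)`, and the TODO above the field lookup says Groovy appears to prefer a getter over a field. If that holds, a whitelisted field would let an unapproved getter for the same property name run, and the first-wins Rejector would ask an administrator to approve the field signature rather than the member that is actually invoked. Consider evaluating the getter before the field, or at least replacing the TODO with `// SECURITY: check order must mirror Groovy's property resolution; a permitted field must not stand in for an unchecked getter`. Separately, `receiver.getClass()` in the array-length check assumes a non-null receiver; whether null can reach this interceptor is not visible in this excerpt. The lines just before and after the method belong to neighbouring methods that the excerpt cuts off.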