public final class GroovySandbox extends Object
Modifier and Type | Class and Description |
---|---|
static interface |
GroovySandbox.Scope
Handle for exiting the dynamic scope of the Groovy sandbox.
|
Constructor and Description |
---|
GroovySandbox()
Creates a sandbox with default settings.
|
Modifier and Type | Method and Description |
---|---|
static FormValidation |
checkScriptForCompilationErrors(String script,
groovy.lang.GroovyClassLoader classLoader)
Checks a script for compilation errors in a sandboxed environment, without going all the way to actual class
creation or initialization.
|
static org.codehaus.groovy.control.CompilerConfiguration |
createBaseCompilerConfiguration()
Prepares a compiler configuration that rejects certain AST transformations.
|
static ClassLoader |
createSecureClassLoader(ClassLoader base)
Prepares a classloader for Groovy shell for sandboxing.
|
static org.codehaus.groovy.control.CompilerConfiguration |
createSecureCompilerConfiguration()
Prepares a compiler configuration the sandbox.
|
GroovySandbox.Scope |
enter()
Starts a dynamic scope within which calls will be sandboxed.
|
static Object |
run(groovy.lang.GroovyShell shell,
String script,
Whitelist whitelist)
Deprecated.
|
static Object |
run(groovy.lang.Script script,
Whitelist whitelist)
Deprecated.
|
static <V> V |
runInSandbox(Callable<V> c,
Whitelist whitelist)
Deprecated.
use
enter() |
static void |
runInSandbox(Runnable r,
Whitelist whitelist)
Deprecated.
use
enter() |
Object |
runScript(groovy.lang.GroovyShell shell,
String scriptText)
Compiles and runs a script within the sandbox.
|
GroovySandbox |
withApprovalContext(ApprovalContext context)
Specify an approval context.
|
GroovySandbox |
withTaskListener(TaskListener listener)
Specify a place to print messages.
|
GroovySandbox |
withWhitelist(Whitelist whitelist)
Specify a whitelist.
|
public static final Logger LOGGER
public GroovySandbox withWhitelist(@CheckForNull Whitelist whitelist)
Whitelist.all()
is used.this
public GroovySandbox withApprovalContext(@CheckForNull ApprovalContext context)
ApprovalContext.create()
is used.this
public GroovySandbox withTaskListener(@CheckForNull TaskListener listener)
this
public GroovySandbox.Scope enter()
try
-with-resources blockpublic Object runScript(@NonNull groovy.lang.GroovyShell shell, @NonNull String scriptText)
shell
- the shell to be used; see createSecureCompilerConfiguration()
and similar methodsscriptText
- the script to run@NonNull public static org.codehaus.groovy.control.CompilerConfiguration createSecureCompilerConfiguration()
CAUTION:
When creating GroovyShell
with this CompilerConfiguration
,
you also have to use createSecureClassLoader(ClassLoader)
to wrap
a classloader of your choice into sandbox-aware one.
Otherwise the classloader that you provide to GroovyShell
might
have its own copy of groovy-sandbox, which lets the code escape the sandbox.
@NonNull public static org.codehaus.groovy.control.CompilerConfiguration createBaseCompilerConfiguration()
createSecureCompilerConfiguration()
.@NonNull public static ClassLoader createSecureClassLoader(ClassLoader base)
createSecureCompilerConfiguration()
for the discussion.@Deprecated public static void runInSandbox(@NonNull Runnable r, @NonNull Whitelist whitelist) throws RejectedAccessException
enter()
createSecureCompilerConfiguration()
to prepare the Groovy shell.
Use run(groovy.lang.Script, org.jenkinsci.plugins.scriptsecurity.sandbox.Whitelist)
instead whenever possible.r
- a block of code during whose execution all calls are interceptedwhitelist
- the whitelist to use, such as Whitelist.all()
RejectedAccessException
- in case an attempted call was not whitelisted@Deprecated public static <V> V runInSandbox(@NonNull Callable<V> c, @NonNull Whitelist whitelist) throws Exception
enter()
createSecureCompilerConfiguration()
to prepare the Groovy shell.
Use run(groovy.lang.Script, org.jenkinsci.plugins.scriptsecurity.sandbox.Whitelist)
instead whenever possible.c
- a block of code during whose execution all calls are interceptedwhitelist
- the whitelist to use, such as Whitelist.all()
RejectedAccessException
- in case an attempted call was not whitelistedException
- in case the block threw some other exception@Deprecated public static Object run(@NonNull groovy.lang.Script script, @NonNull Whitelist whitelist) throws RejectedAccessException
run(GroovyShell, String, Whitelist)
or runScript(groovy.lang.GroovyShell, java.lang.String)
RejectedAccessException
@Deprecated public static Object run(@NonNull groovy.lang.GroovyShell shell, @NonNull String script, @NonNull Whitelist whitelist) throws RejectedAccessException
runScript(groovy.lang.GroovyShell, java.lang.String)
createSecureCompilerConfiguration()
to prepare the Groovy shell.shell
- a shell ready for GroovyShell.parse(String)
script
- a scriptwhitelist
- the whitelist to use, such as Whitelist.all()
RejectedAccessException
- in case an attempted call was not whitelisted@NonNull public static FormValidation checkScriptForCompilationErrors(String script, groovy.lang.GroovyClassLoader classLoader)
script
- The script to checkclassLoader
- The GroovyClassLoader
to use during compilation.FormValidation
for the compilation check.Copyright © 2016–2023. All rights reserved.