Class StandardGroovySandbox

java.lang.Object
org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.StandardGroovySandbox
All Implemented Interfaces:
GroovySandbox

public class StandardGroovySandbox extends Object implements GroovySandbox
Allows Groovy scripts (including Groovy Templates) to be run inside a sandbox.
  • Field Details

    • LOGGER

      public static final Logger LOGGER
  • Constructor Details

    • StandardGroovySandbox

      public StandardGroovySandbox()
      Creates a sandbox with default settings.
  • Method Details

    • withWhitelist

      public StandardGroovySandbox withWhitelist(@Nullable Whitelist whitelist)
      Specify a whitelist. By default Whitelist.all() is used.
      Returns:
      this
    • enter

      public SandboxScope enter()
      Starts a dynamic scope within which calls will be sandboxed.
      Specified by:
      enter in interface GroovySandbox
      Returns:
      a scope object, useful for putting this into a try-with-resources block
    • runScript

      public Object runScript(@NotNull groovy.lang.GroovyShell shell, @NotNull String script)
      Compiles and runs a script within the sandbox.
      Parameters:
      shell - the shell to be used; see createSecureCompilerConfiguration() and similar methods
      script - the script to run
      Returns:
      the return value of the script
    • createSecureCompilerConfiguration

      @NotNull public static org.codehaus.groovy.control.CompilerConfiguration createSecureCompilerConfiguration()
      Prepares a compiler configuration for the sandbox.

      CAUTION

      When creating a GroovyShell with this CompilerConfiguration, you also have to use createSecureClassLoader(ClassLoader) to wrap a classloader of your choice into a sandbox-aware one.

      Otherwise the classloader that you provide to GroovyShell might have its own copy of groovy-sandbox, which lets the code escape the sandbox.

      Returns:
      a compiler configuration set up to use the sandbox
    • createBaseCompilerConfiguration

      @NotNull public static org.codehaus.groovy.control.CompilerConfiguration createBaseCompilerConfiguration()
      Prepares a compiler configuration that rejects certain AST transformations. Used by createSecureCompilerConfiguration().
    • createSecureClassLoader

      @NotNull public static ClassLoader createSecureClassLoader(ClassLoader base)
      Prepares a classloader for Groovy shell for sandboxing.

      See createSecureCompilerConfiguration() for the discussion.
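
Example (added here, not part of the plugin's own documentation): the setup the CAUTION under createSecureCompilerConfiguration() asks for, next to the misconfigured form it warns about. The class name SandboxedEvaluator and its helper methods are hypothetical. It assumes Groovy and the script-security plugin are on the classpath, with Whitelist imported from org.jenkinsci.plugins.scriptsecurity.sandbox.

```java
import groovy.lang.Binding;
import groovy.lang.GroovyShell;
import org.jenkinsci.plugins.scriptsecurity.sandbox.Whitelist;
import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.StandardGroovySandbox;

// Hypothetical helper class, written for this example.
public class SandboxedEvaluator {

    /**
     * Correct setup: both the compiler configuration and the classloader
     * come from the sandbox's factory methods.
     */
    static GroovyShell newSandboxedShell(ClassLoader base, Binding binding) {
        // Wrap the caller's loader so the shell uses the sandbox-aware one,
        // not a separate copy of groovy-sandbox reachable from 'base'.
        ClassLoader secure = StandardGroovySandbox.createSecureClassLoader(base);
        return new GroovyShell(secure, binding,
                StandardGroovySandbox.createSecureCompilerConfiguration());
    }

    /**
     * Misconfigured setup, shown only for comparison: the compiler
     * configuration is the secure one, but 'base' is passed unwrapped.
     * This is the case the CAUTION describes as letting code escape.
     */
    static GroovyShell newMisconfiguredShell(ClassLoader base, Binding binding) {
        return new GroovyShell(base, binding,
                StandardGroovySandbox.createSecureCompilerConfiguration());
    }

    /**
     * Compiles and runs 'script' in a correctly built shell.
     * Passing the whitelist explicitly makes the policy visible at the
     * call site; if withWhitelist is not called, Whitelist.all() is used.
     */
    static Object evaluate(String script, Whitelist whitelist, ClassLoader base) {
        GroovyShell shell = newSandboxedShell(base, new Binding());
        return new StandardGroovySandbox()
                .withWhitelist(whitelist)
                .runScript(shell, script);
    }
}
```

In review, a GroovyShell built with createSecureCompilerConfiguration() whose classloader argument did not come from createSecureClassLoader(ClassLoader) is the pattern to look for.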