MetaClass delegate handling #49
Does no ACL check, but generally safe, since most AuthorizationStrategy’s only let you see a child if you can see its parent first.
@@ -2,6 +2,7 @@ | |||
new hudson.EnvVars | |||
method hudson.model.AbstractBuild getEnvironments | |||
staticMethod hudson.model.Environment create hudson.EnvVars | |||
method hudson.model.Item getParent |
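Review bot: The `method hudson.model.Item getParent` entry at the end of this hunk is whitelisted with no recorded justification, although the commit message itself says the call does no ACL check. The stated safety argument holds only for "most" AuthorizationStrategy implementations, so under a strategy that lets a user see a child without seeing its parent, a sandboxed script could reach a parent item the user has no permission to view. Please record that assumption alongside the entry or in the change description. Since the entry is unrelated to the MetaClass delegate handling this pull request is about, consider moving it to its own change so it can be reviewed on its own merits.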
Not really related but came up as a desired whitelist entry in the same context.
This pull request originates from a CloudBees employee. At CloudBees, we require that all pull requests be reviewed by other CloudBees employees before we seek to have the change accepted. If you want to learn more about our process please see this explanation.
IIUC, this allows any closure invocation, such as those obtained via method pointer operation. Is this safe? Looking at the test case, it seems like this case should be checked against 🐝 so as not to block Jesse in case I got it all wrong.
Thank you for this pull request! Please check this document for how the Jenkins project handles pull requests.
I could check whether it applies also to method pointers. I am not too concerned even if it does, since
I think I confused myself with earlier question about allowing any closure invocation, so I take that back.
…e continue to be checked at point of call.
🐝
I consider my previous 🐝 standing, but here's another one because process!! 🐝
Found that a trick used to bind synthetic methods to existing classes was being rejected by the sandbox. Here it is assumed that the closure itself is implicitly whitelisted; `Whitelist` does not have any mechanism for listing non-Java “methods” like this.

@reviewbybees esp. @kohsuke