Cache GroovySourceFileAllowlist responses and remove entries from the default allowlist that are unrelated to WithScriptDescriptor.WithScriptAllowlist
#829
Conversation
GroovySourceFileAllowlist can be consulted many times, but the allowed files are effectively static and just depend on which plugins are installed. Once a file has been allowed once, we don't need to check all of the allowlists again.
…tDescriptor.WithScriptAllowlist
| @@ -152,6 +148,22 @@ private static boolean endsWithIgnoreCase(String value, String suffix) { | |||
| } | |||
| } | |||
|
|
|||
| @Extension | |||
| public static class AllowedGroovyResourcesCache { | |||
| private final Map<String, Boolean> cache = new ConcurrentHashMap<>(); | |||
There was a problem hiding this comment.
At most there would be around 50 entries in the map if you used every single plugin that has Groovy source files, so I don't think we need anything fancy.
There was a problem hiding this comment.
Actually IDK if that's right, let me see if we get here with Groovy's speculative class loading as well.
There was a problem hiding this comment.
Never mind, we do really only get here for the weird Groovy DSL script files in Jenkins plugins or other attempts to directly load Groovy source files on the classpath. I guess that is obvious in hindsight, otherwise we would see a ton of log spam for otherwise non-existent classes.
(SandboxResolvingClassLoader in script-security on the other hand does see a bunch of class loading attempts for random non-existent classes, but I guess that has to do with overriding loadClass, which we do not do here.)
| /org/jenkinsci/plugins/pipeline/modeldefinition/agent/impl/AnyScript.groovy | ||
| /org/jenkinsci/plugins/pipeline/modeldefinition/agent/impl/LabelScript.groovy | ||
| /org/jenkinsci/plugins/pipeline/modeldefinition/agent/impl/NoneScript.groovy | ||
| /org/jenkinsci/plugins/pipeline/modeldefinition/when/impl/AbstractChangelogConditionalScript.groovy |
| # pipeline-model-extensions | ||
| /org/jenkinsci/plugins/pipeline/modeldefinition/agent/CheckoutScript.groovy |
| @@ -1,10 +1,8 @@ | |||
| # This list is ordered from most popular to least popular plugin to minimize performance impact. | |||
| # pipeline-model-definition | |||
| /org/jenkinsci/plugins/pipeline/modeldefinition/ModelInterpreter.groovy | |||
| # docker-workflow | ||
| /org/jenkinsci/plugins/docker/workflow/Docker.groovy | ||
| /org/jenkinsci/plugins/docker/workflow/declarative/AbstractDockerPipelineScript.groovy |
| # docker-workflow | ||
| /org/jenkinsci/plugins/docker/workflow/Docker.groovy |
plugin/src/main/java/org/jenkinsci/plugins/workflow/cps/GroovySourceFileAllowlist.java
Outdated
Show resolved
Hide resolved
…ovyResourcesCache
| @@ -152,6 +148,27 @@ private static boolean endsWithIgnoreCase(String value, String suffix) { | |||
| } | |||
| } | |||
|
|
|||
| @Extension | |||
| @SuppressFBWarnings(value = "NP_BOOLEAN_RETURN_NULL", justification = "intentionally not caching negative results") | |||
There was a problem hiding this comment.
Not sure why, but this annotation actually does have to be on the class. If it's on the isAllowed method, SpotBugs still complains.
plugin/src/main/java/org/jenkinsci/plugins/workflow/cps/GroovySourceFileAllowlist.java
Show resolved
Hide resolved
See #538 (comment).
GroovySourceFileAllowlistcan be consulted many times, but the allowed files are effectively static and just depend on which plugins are installed. Once a file has been allowed once, we don't need to check all of the allowlists again.Testing done
Submitter checklist