jenkinsci/groovy-sandbox

State of groovy-2.4.4 branch?

dvsekhvalnov opened this issue · 4 comments

Hi @kohsuke ,

can we ask you what's the status of groovy-2.4.x support right now? We can see there is a dedicated branch but are unsure how stable it is and whether you consider it ready for sandboxing Groovy 2.4.

We are currently using your awesome sandbox for Groovy 1.8 but would really like to upgrade to the latest one, and maybe, if there are still open issues which you don't have time to work on, we can help to implement them?

Thank you.

Note also that the groovy-sandbox dependency on org.codehaus.groovy:groovy v1.8.5 is causing threat analysis software (such as Nexus Repository Manager) to alert on the level 7 threat CVE-2015-3253:

The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.

Edit: Just realized that this issue seems to be a duplicate of #19 (I had forgotten that I had commented there months ago).

Jenkins 2.0 is using Groovy 2 with this sandbox successfully as far as we know.

We too have been using it on Groovy 2.3.x for quite some time (and also on 2.4.x for somewhat less time), seemingly without issues. While I haven't seen functional problems, I am less certain if the sandbox still provides 100% coverage on Groovy 2.x. (For example, could there be changes to the way the AST is represented in 2.x that require additional filtering, but which are not actually filtered by the current code?)

This library is using Groovy 2.x as of #35. The groovy-2.4.4 branch is obsolete.