From a94787d3d17fce507a688c6bd9c31216eb36c556 Mon Sep 17 00:00:00 2001 From: Basil Crow Date: Fri, 31 Dec 2021 10:40:17 -0800 Subject: [PATCH] EOL JSR 305 --- .../sandbox/RejectedAccessException.java | 2 +- .../scriptsecurity/sandbox/Whitelist.java | 20 ++++----- .../groovy/GroovyCallSiteSelector.java | 26 +++++------ .../sandbox/groovy/GroovySandbox.java | 24 +++++----- .../sandbox/groovy/SandboxInterceptor.java | 8 ++-- .../sandbox/groovy/SecureGroovyScript.java | 22 +++++----- .../whitelists/AnnotatedWhitelist.java | 4 +- .../whitelists/EnumeratingWhitelist.java | 24 +++++----- .../sandbox/whitelists/StaticWhitelist.java | 22 +++++----- .../scripts/ApprovalContext.java | 2 +- .../scripts/ClasspathEntry.java | 16 +++---- .../scriptsecurity/scripts/Language.java | 8 ++-- .../scripts/ScriptApproval.java | 44 +++++++++---------- 13 files changed, 111 insertions(+), 111 deletions(-) diff --git a/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/RejectedAccessException.java b/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/RejectedAccessException.java index 0f3b0ade3..893816a47 100644 --- a/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/RejectedAccessException.java +++ b/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/RejectedAccessException.java @@ -24,7 +24,7 @@ package org.jenkinsci.plugins.scriptsecurity.sandbox; -import javax.annotation.CheckForNull; +import edu.umd.cs.findbugs.annotations.CheckForNull; import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox; import org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist; diff --git a/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/Whitelist.java b/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/Whitelist.java index 6584fed54..0d06d1a61 100644 --- a/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/Whitelist.java +++ b/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/Whitelist.java @@ -34,8 +34,8 @@ import java.util.WeakHashMap; import java.util.logging.Level; import java.util.logging.Logger; -import javax.annotation.CheckForNull; -import javax.annotation.Nonnull; +import edu.umd.cs.findbugs.annotations.CheckForNull; +import edu.umd.cs.findbugs.annotations.NonNull; import jenkins.model.Jenkins; import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox; import org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.ProxyWhitelist; @@ -57,25 +57,25 @@ public abstract class Whitelist implements ExtensionPoint { * @param args zero or more arguments * @return true to allow the method to be called, false to reject it */ - public abstract boolean permitsMethod(@Nonnull Method method, @Nonnull Object receiver, @Nonnull Object[] args); + public abstract boolean permitsMethod(@NonNull Method method, @NonNull Object receiver, @NonNull Object[] args); - public abstract boolean permitsConstructor(@Nonnull Constructor constructor, @Nonnull Object[] args); + public abstract boolean permitsConstructor(@NonNull Constructor constructor, @NonNull Object[] args); - public abstract boolean permitsStaticMethod(@Nonnull Method method, @Nonnull Object[] args); + public abstract boolean permitsStaticMethod(@NonNull Method method, @NonNull Object[] args); - public abstract boolean permitsFieldGet(@Nonnull Field field, @Nonnull Object receiver); + public abstract boolean permitsFieldGet(@NonNull Field field, @NonNull Object receiver); - public abstract boolean permitsFieldSet(@Nonnull Field field, @Nonnull Object receiver, @CheckForNull Object value); + public abstract boolean permitsFieldSet(@NonNull Field field, @NonNull Object receiver, @CheckForNull Object value); - public abstract boolean permitsStaticFieldGet(@Nonnull Field field); + public abstract boolean permitsStaticFieldGet(@NonNull Field field); - public abstract boolean permitsStaticFieldSet(@Nonnull Field field, @CheckForNull Object value); + public abstract boolean permitsStaticFieldSet(@NonNull Field field, @CheckForNull Object value); /** * Checks for all whitelists registered as {@link Extension}s and aggregates them. * @return an aggregated default list */ - public static synchronized @Nonnull Whitelist all() { + public static synchronized @NonNull Whitelist all() { Jenkins j = Jenkins.getInstanceOrNull(); if (j == null) { LOGGER.log(Level.WARNING, "No Jenkins.instance", new Throwable("here")); diff --git a/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovyCallSiteSelector.java b/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovyCallSiteSelector.java index 271afcb27..6fb700f8e 100644 --- a/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovyCallSiteSelector.java +++ b/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovyCallSiteSelector.java @@ -34,8 +34,8 @@ import java.util.LinkedHashSet; import java.util.Map; import java.util.Set; -import javax.annotation.CheckForNull; -import javax.annotation.Nonnull; +import edu.umd.cs.findbugs.annotations.CheckForNull; +import edu.umd.cs.findbugs.annotations.NonNull; import org.apache.commons.lang.ClassUtils; import org.codehaus.groovy.runtime.typehandling.DefaultTypeTransformation; @@ -47,7 +47,7 @@ */ class GroovyCallSiteSelector { - private static boolean matches(@Nonnull Class[] parameterTypes, @Nonnull Object[] parameters, boolean varargs) { + private static boolean matches(@NonNull Class[] parameterTypes, @NonNull Object[] parameters, boolean varargs) { if (varargs) { parameters = parametersForVarargs(parameterTypes, parameters); } @@ -119,7 +119,7 @@ private static Object[] parametersForVarargs(Class[] parameterTypes, Object[] /** * {@link Class#isInstance} extended to handle some important cases of primitive types. */ - private static boolean isInstancePrimitive(@Nonnull Class type, @Nonnull Object instance) { + private static boolean isInstancePrimitive(@NonNull Class type, @NonNull Object instance) { if (type.isInstance(instance)) { return true; } @@ -146,7 +146,7 @@ private static boolean isInstancePrimitive(@Nonnull Class type, @Nonnull Obje * @param method the method name * @param args a set of actual arguments */ - public static @CheckForNull Method method(@Nonnull Object receiver, @Nonnull String method, @Nonnull Object[] args) { + public static @CheckForNull Method method(@NonNull Object receiver, @NonNull String method, @NonNull Object[] args) { Set> types = types(receiver); if (types.contains(GroovyInterceptable.class) && !"invokeMethod".equals(method)) { return method(receiver, "invokeMethod", new Object[]{ method, args }); @@ -166,7 +166,7 @@ private static boolean isInstancePrimitive(@Nonnull Class type, @Nonnull Obje return null; } - public static @CheckForNull Constructor constructor(@Nonnull Class receiver, @Nonnull Object[] args) { + public static @CheckForNull Constructor constructor(@NonNull Class receiver, @NonNull Object[] args) { Constructor[] constructors = receiver.getDeclaredConstructors(); Constructor candidate = null; for (Constructor c : constructors) { @@ -194,11 +194,11 @@ private static boolean isInstancePrimitive(@Nonnull Class type, @Nonnull Obje return null; } - public static @CheckForNull Method staticMethod(@Nonnull Class receiver, @Nonnull String method, @Nonnull Object[] args) { + public static @CheckForNull Method staticMethod(@NonNull Class receiver, @NonNull String method, @NonNull Object[] args) { return findMatchingMethod(receiver, method, args); } - private static Method findMatchingMethod(@Nonnull Class receiver, @Nonnull String method, @Nonnull Object[] args) { + private static Method findMatchingMethod(@NonNull Class receiver, @NonNull String method, @NonNull Object[] args) { Method candidate = null; for (Method m : receiver.getDeclaredMethods()) { @@ -218,7 +218,7 @@ private static Method findMatchingMethod(@Nonnull Class receiver, @Nonnull St /** * Emulates, with some tweaks, {@link org.codehaus.groovy.reflection.ParameterTypes#isVargsMethod(Object[])} */ - private static boolean isVarArgsMethod(@Nonnull Method m, @Nonnull Object[] args) { + private static boolean isVarArgsMethod(@NonNull Method m, @NonNull Object[] args) { if (m.isVarArgs()) { return true; } @@ -247,7 +247,7 @@ private static boolean isVarArgsMethod(@Nonnull Method m, @Nonnull Object[] args return false; } - public static @CheckForNull Field field(@Nonnull Object receiver, @Nonnull String field) { + public static @CheckForNull Field field(@NonNull Object receiver, @NonNull String field) { for (Class c : types(receiver)) { for (Field f : c.getDeclaredFields()) { if (f.getName().equals(field)) { @@ -258,7 +258,7 @@ private static boolean isVarArgsMethod(@Nonnull Method m, @Nonnull Object[] args return null; } - public static @CheckForNull Field staticField(@Nonnull Class receiver, @Nonnull String field) { + public static @CheckForNull Field staticField(@NonNull Class receiver, @NonNull String field) { for (Field f : receiver.getDeclaredFields()) { if (f.getName().equals(field)) { return f; @@ -267,12 +267,12 @@ private static boolean isVarArgsMethod(@Nonnull Method m, @Nonnull Object[] args return null; } - private static Set> types(@Nonnull Object o) { + private static Set> types(@NonNull Object o) { Set> types = new LinkedHashSet>(); visitTypes(types, o.getClass()); return types; } - private static void visitTypes(@Nonnull Set> types, @Nonnull Class c) { + private static void visitTypes(@NonNull Set> types, @NonNull Class c) { Class s = c.getSuperclass(); if (s != null) { visitTypes(types, s); diff --git a/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java b/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java index dc7edba89..58a85dd17 100644 --- a/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java +++ b/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java @@ -43,8 +43,8 @@ import java.util.concurrent.Callable; import java.util.logging.Level; import java.util.logging.Logger; -import javax.annotation.CheckForNull; -import javax.annotation.Nonnull; +import edu.umd.cs.findbugs.annotations.CheckForNull; +import edu.umd.cs.findbugs.annotations.NonNull; import org.codehaus.groovy.control.CompilationFailedException; import org.codehaus.groovy.control.CompilationUnit; import org.codehaus.groovy.control.CompilerConfiguration; @@ -105,7 +105,7 @@ public GroovySandbox withTaskListener(@CheckForNull TaskListener listener) { return this; } - private @Nonnull Whitelist whitelist() { + private @NonNull Whitelist whitelist() { return whitelist != null ? whitelist : Whitelist.all(); } @@ -153,7 +153,7 @@ public interface Scope extends AutoCloseable { * @param script the script to run * @return the return value of the script */ - public Object runScript(@Nonnull GroovyShell shell, @Nonnull String script) { + public Object runScript(@NonNull GroovyShell shell, @NonNull String script) { GroovySandbox derived = new GroovySandbox(). withApprovalContext(context). withTaskListener(listener). @@ -178,7 +178,7 @@ public Object runScript(@Nonnull GroovyShell shell, @Nonnull String script) { * * @return a compiler configuration set up to use the sandbox */ - public static @Nonnull CompilerConfiguration createSecureCompilerConfiguration() { + public static @NonNull CompilerConfiguration createSecureCompilerConfiguration() { CompilerConfiguration cc = createBaseCompilerConfiguration(); cc.addCompilationCustomizers(new SandboxTransformer()); return cc; @@ -187,7 +187,7 @@ public Object runScript(@Nonnull GroovyShell shell, @Nonnull String script) { /** * Prepares a compiler configuration that rejects certain AST transformations. Used by {@link #createSecureCompilerConfiguration()}. */ - public static @Nonnull CompilerConfiguration createBaseCompilerConfiguration() { + public static @NonNull CompilerConfiguration createBaseCompilerConfiguration() { CompilerConfiguration cc = new CompilerConfiguration(); cc.addCompilationCustomizers(new RejectASTTransformsCustomizer()); cc.setDisabledGlobalASTTransformations(new HashSet<>(Collections.singletonList(GrabAnnotationTransformation.class.getName()))); @@ -200,7 +200,7 @@ public Object runScript(@Nonnull GroovyShell shell, @Nonnull String script) { * See {@link #createSecureCompilerConfiguration()} for the discussion. */ @SuppressFBWarnings(value = "DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED", justification = "Should be managed by the caller.") - public static @Nonnull ClassLoader createSecureClassLoader(ClassLoader base) { + public static @NonNull ClassLoader createSecureClassLoader(ClassLoader base) { return new SandboxResolvingClassLoader(base); } @@ -214,7 +214,7 @@ public Object runScript(@Nonnull GroovyShell shell, @Nonnull String script) { * @deprecated use {@link #enter} */ @Deprecated - public static void runInSandbox(@Nonnull Runnable r, @Nonnull Whitelist whitelist) throws RejectedAccessException { + public static void runInSandbox(@NonNull Runnable r, @NonNull Whitelist whitelist) throws RejectedAccessException { try (Scope scope = new GroovySandbox().withWhitelist(whitelist).enter()) { r.run(); } @@ -232,7 +232,7 @@ public static void runInSandbox(@Nonnull Runnable r, @Nonnull Whitelist whitelis * @deprecated use {@link #enter} */ @Deprecated - public static V runInSandbox(@Nonnull Callable c, @Nonnull Whitelist whitelist) throws Exception { + public static V runInSandbox(@NonNull Callable c, @NonNull Whitelist whitelist) throws Exception { try (Scope scope = new GroovySandbox().withWhitelist(whitelist).enter()) { return c.call(); } @@ -244,7 +244,7 @@ public static V runInSandbox(@Nonnull Callable c, @Nonnull Whitelist whit * @deprecated insecure; use {@link #run(GroovyShell, String, Whitelist)} or {@link #runScript} */ @Deprecated - public static Object run(@Nonnull Script script, @Nonnull final Whitelist whitelist) throws RejectedAccessException { + public static Object run(@NonNull Script script, @NonNull final Whitelist whitelist) throws RejectedAccessException { LOGGER.log(Level.WARNING, null, new IllegalStateException(Messages.GroovySandbox_useOfInsecureRunOverload())); Whitelist wrapperWhitelist = new ProxyWhitelist( new ClassLoaderWhitelist(script.getClass().getClassLoader()), @@ -265,7 +265,7 @@ public static Object run(@Nonnull Script script, @Nonnull final Whitelist whitel * @deprecated use {@link #runScript} */ @Deprecated - public static Object run(@Nonnull final GroovyShell shell, @Nonnull final String script, @Nonnull final Whitelist whitelist) throws RejectedAccessException { + public static Object run(@NonNull final GroovyShell shell, @NonNull final String script, @NonNull final Whitelist whitelist) throws RejectedAccessException { return new GroovySandbox().withWhitelist(whitelist).runScript(shell, script); } @@ -276,7 +276,7 @@ public static Object run(@Nonnull final GroovyShell shell, @Nonnull final String * @param classLoader The {@link GroovyClassLoader} to use during compilation. * @return The {@link FormValidation} for the compilation check. */ - public static @Nonnull FormValidation checkScriptForCompilationErrors(String script, GroovyClassLoader classLoader) { + public static @NonNull FormValidation checkScriptForCompilationErrors(String script, GroovyClassLoader classLoader) { try { CompilationUnit cu = new CompilationUnit( createSecureCompilerConfiguration(), diff --git a/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptor.java b/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptor.java index e8a32a971..e48a3248a 100644 --- a/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptor.java +++ b/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptor.java @@ -41,8 +41,8 @@ import java.util.Set; import java.util.logging.Level; import java.util.logging.Logger; -import javax.annotation.CheckForNull; -import javax.annotation.Nonnull; +import edu.umd.cs.findbugs.annotations.CheckForNull; +import edu.umd.cs.findbugs.annotations.NonNull; import org.codehaus.groovy.runtime.DateGroovyMethods; import org.codehaus.groovy.runtime.DefaultGroovyMethods; import org.codehaus.groovy.runtime.EncodingGroovyMethods; @@ -428,7 +428,7 @@ private static RejectedAccessException unclassifiedField(Object receiver, String // TODO Java 8: @FunctionalInterface private interface Rejector { - @Nonnull RejectedAccessException reject(); + @NonNull RejectedAccessException reject(); } @Override public Object onGetAttribute(Invoker invoker, Object receiver, String attribute) throws Throwable { @@ -516,7 +516,7 @@ private static String printArgumentTypes(Object[] args) { return b.toString(); } - private static @CheckForNull MetaMethod findMetaMethod(@Nonnull Object receiver, @Nonnull String method, @Nonnull Object[] args) { + private static @CheckForNull MetaMethod findMetaMethod(@NonNull Object receiver, @NonNull String method, @NonNull Object[] args) { Class[] types = new Class[args.length]; for (int i = 0; i < types.length; i++) { Object arg = args[i]; diff --git a/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java b/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java index 3ad01db41..5f99cd1bb 100644 --- a/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java +++ b/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java @@ -55,8 +55,8 @@ import java.util.concurrent.ConcurrentMap; import java.util.logging.Level; import java.util.logging.Logger; -import javax.annotation.CheckForNull; -import javax.annotation.Nonnull; +import edu.umd.cs.findbugs.annotations.CheckForNull; +import edu.umd.cs.findbugs.annotations.NonNull; import jenkins.model.Jenkins; import org.codehaus.groovy.control.CompilationUnit; import org.codehaus.groovy.control.CompilerConfiguration; @@ -83,20 +83,20 @@ public final class SecureGroovyScript extends AbstractDescribableImpl implements Serializable { private static final long serialVersionUID = -4347442065624787928L; - private final @Nonnull String script; + private final @NonNull String script; private final boolean sandbox; private final @CheckForNull List classpath; private transient boolean calledConfiguring; static final Logger LOGGER = Logger.getLogger(SecureGroovyScript.class.getName()); - @DataBoundConstructor public SecureGroovyScript(@Nonnull String script, boolean sandbox, @CheckForNull List classpath) { + @DataBoundConstructor public SecureGroovyScript(@NonNull String script, boolean sandbox, @CheckForNull List classpath) { this.script = script; this.sandbox = sandbox; this.classpath = classpath; } - @Deprecated public SecureGroovyScript(@Nonnull String script, boolean sandbox) { + @Deprecated public SecureGroovyScript(@NonNull String script, boolean sandbox) { this(script, sandbox, null); } @@ -105,7 +105,7 @@ private Object readResolve() { return this; } - public @Nonnull String getScript() { + public @NonNull String getScript() { return script; } @@ -113,7 +113,7 @@ public boolean isSandbox() { return sandbox; } - public @Nonnull List getClasspath() { + public @NonNull List getClasspath() { return classpath != null ? classpath : Collections.emptyList(); } @@ -196,7 +196,7 @@ private static void cleanUpClass(Class clazz, Set encounteredLoa // TODO copied with modifications from CpsFlowExecution; need to find a way to share commonalities - private static void cleanUpGlobalClassValue(@Nonnull ClassLoader loader) throws Exception { + private static void cleanUpGlobalClassValue(@NonNull ClassLoader loader) throws Exception { Class classInfoC = Class.forName("org.codehaus.groovy.reflection.ClassInfo"); // TODO switch to MethodHandle for speed Field globalClassValueF = classInfoC.getDeclaredField("globalClassValue"); @@ -247,7 +247,7 @@ private static void cleanUpGlobalClassValue(@Nonnull ClassLoader loader) throws } } - private static void cleanUpGlobalClassSet(@Nonnull Class clazz) throws Exception { + private static void cleanUpGlobalClassSet(@NonNull Class clazz) throws Exception { Class classInfoC = Class.forName("org.codehaus.groovy.reflection.ClassInfo"); // or just ClassInfo.class, but unclear whether this will always be there Field globalClassSetF = classInfoC.getDeclaredField("globalClassSet"); globalClassSetF.setAccessible(true); @@ -279,7 +279,7 @@ private static void cleanUpGlobalClassSet(@Nonnull Class clazz) throws Except } } - private static void cleanUpClassHelperCache(@Nonnull Class clazz) throws Exception { + private static void cleanUpClassHelperCache(@NonNull Class clazz) throws Exception { Field classCacheF = Class.forName("org.codehaus.groovy.ast.ClassHelper$ClassHelperCache").getDeclaredField("classCache"); classCacheF.setAccessible(true); Object classCache = classCacheF.get(null); @@ -289,7 +289,7 @@ private static void cleanUpClassHelperCache(@Nonnull Class clazz) throws Exce classCache.getClass().getMethod("remove", Object.class).invoke(classCache, clazz); } - private static void cleanUpObjectStreamClassCaches(@Nonnull Class clazz) throws Exception { + private static void cleanUpObjectStreamClassCaches(@NonNull Class clazz) throws Exception { Class cachesC = Class.forName("java.io.ObjectStreamClass$Caches"); for (String cacheFName : new String[] {"localDescs", "reflectors"}) { Field cacheF = cachesC.getDeclaredField(cacheFName); diff --git a/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/AnnotatedWhitelist.java b/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/AnnotatedWhitelist.java index 12a6a2f5b..282a0788d 100644 --- a/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/AnnotatedWhitelist.java +++ b/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/AnnotatedWhitelist.java @@ -29,7 +29,7 @@ import java.lang.reflect.Constructor; import java.lang.reflect.Field; import java.lang.reflect.Method; -import javax.annotation.Nonnull; +import edu.umd.cs.findbugs.annotations.NonNull; import org.jenkinsci.plugins.scriptsecurity.sandbox.Whitelist; import org.kohsuke.accmod.Restricted; import org.kohsuke.accmod.restrictions.NoExternalUse; @@ -52,7 +52,7 @@ private static final class Impl extends Whitelist { this.restricted = restricted; } - private boolean allowed(@Nonnull AccessibleObject o) { + private boolean allowed(@NonNull AccessibleObject o) { Whitelisted ann = o.getAnnotation(Whitelisted.class); if (ann == null) { return false; diff --git a/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/EnumeratingWhitelist.java b/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/EnumeratingWhitelist.java index b8baaeb75..6432a527b 100644 --- a/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/EnumeratingWhitelist.java +++ b/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/EnumeratingWhitelist.java @@ -35,8 +35,8 @@ import org.apache.commons.lang.ClassUtils; import org.jenkinsci.plugins.scriptsecurity.sandbox.Whitelist; -import javax.annotation.CheckForNull; -import javax.annotation.Nonnull; +import edu.umd.cs.findbugs.annotations.CheckForNull; +import edu.umd.cs.findbugs.annotations.NonNull; /** * A whitelist based on listing signatures and searching them. Lists of signatures should not change @@ -184,7 +184,7 @@ final void clearCache() { return permitsStaticFieldGet(field); } - public static @Nonnull String getName(@Nonnull Class c) { + public static @NonNull String getName(@NonNull Class c) { Class e = c.getComponentType(); if (e == null) { return c.getName(); @@ -193,7 +193,7 @@ final void clearCache() { } } - public static @Nonnull String getName(@CheckForNull Object o) { + public static @NonNull String getName(@CheckForNull Object o) { return o == null ? "null" : getName(o.getClass()); } @@ -251,37 +251,37 @@ static String[] argumentTypes(Class[] argumentTypes) { } /** Canonical name for a field access. */ - static String canonicalFieldString(@Nonnull Field field) { + static String canonicalFieldString(@NonNull Field field) { return getName(field.getDeclaringClass()) + ' ' + field.getName(); } /** Canonical name for a method call. */ - static String canonicalMethodString(@Nonnull Method method) { + static String canonicalMethodString(@NonNull Method method) { return joinWithSpaces(new StringBuilder(getName(method.getDeclaringClass())).append(' ').append(method.getName()), argumentTypes(method.getParameterTypes())).toString(); } /** Canonical name for a constructor call. */ - static String canonicalConstructorString(@Nonnull Constructor cons) { + static String canonicalConstructorString(@NonNull Constructor cons) { return joinWithSpaces(new StringBuilder(getName(cons.getDeclaringClass())), argumentTypes(cons.getParameterTypes())).toString(); } - static String canonicalMethodSig(@Nonnull Method method) { + static String canonicalMethodSig(@NonNull Method method) { return "method "+canonicalMethodString(method); } - static String canonicalStaticMethodSig(@Nonnull Method method) { + static String canonicalStaticMethodSig(@NonNull Method method) { return "staticMethod "+canonicalMethodString(method); } - static String canonicalConstructorSig(@Nonnull Constructor cons) { + static String canonicalConstructorSig(@NonNull Constructor cons) { return "new "+canonicalConstructorString(cons); } - static String canonicalFieldSig(@Nonnull Field field) { + static String canonicalFieldSig(@NonNull Field field) { return "field "+canonicalFieldString(field); } - static String canonicalStaticFieldSig(@Nonnull Field field) { + static String canonicalStaticFieldSig(@NonNull Field field) { return "staticField "+canonicalFieldString(field); } diff --git a/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/StaticWhitelist.java b/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/StaticWhitelist.java index 970c9842b..06cf4ed2e 100644 --- a/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/StaticWhitelist.java +++ b/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/StaticWhitelist.java @@ -41,7 +41,7 @@ import java.util.HashSet; import java.util.List; import java.util.Set; -import javax.annotation.Nonnull; +import edu.umd.cs.findbugs.annotations.NonNull; import edu.umd.cs.findbugs.annotations.CheckForNull; import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; @@ -100,7 +100,7 @@ public StaticWhitelist(String... lines) throws IOException { * @param line Line to filter. * @return {@code null} if the like must be skipped or the content to process if not. */ - static @CheckForNull String filter(@Nonnull String line) { + static @CheckForNull String filter(@NonNull String line) { line = line.trim(); if (line.isEmpty() || line.startsWith("#")) { return null; @@ -111,7 +111,7 @@ public StaticWhitelist(String... lines) throws IOException { /** * Returns true if the given method is permanently blacklisted in {@link #PERMANENTLY_BLACKLISTED_METHODS} */ - public static boolean isPermanentlyBlacklistedMethod(@Nonnull Method m) { + public static boolean isPermanentlyBlacklistedMethod(@NonNull Method m) { String signature = canonicalMethodSig(m); for (String s : PERMANENTLY_BLACKLISTED_METHODS) { @@ -126,7 +126,7 @@ public static boolean isPermanentlyBlacklistedMethod(@Nonnull Method m) { /** * Returns true if the given method is permanently blacklisted in {@link #PERMANENTLY_BLACKLISTED_STATIC_METHODS} */ - public static boolean isPermanentlyBlacklistedStaticMethod(@Nonnull Method m) { + public static boolean isPermanentlyBlacklistedStaticMethod(@NonNull Method m) { String signature = canonicalStaticMethodSig(m); for (String s : PERMANENTLY_BLACKLISTED_STATIC_METHODS) { @@ -141,7 +141,7 @@ public static boolean isPermanentlyBlacklistedStaticMethod(@Nonnull Method m) { /** * Returns true if the given constructor is permanently blacklisted in {@link #PERMANENTLY_BLACKLISTED_CONSTRUCTORS} */ - public static boolean isPermanentlyBlacklistedConstructor(@Nonnull Constructor c) { + public static boolean isPermanentlyBlacklistedConstructor(@NonNull Constructor c) { String signature = canonicalConstructorSig(c); for (String s : PERMANENTLY_BLACKLISTED_CONSTRUCTORS) { @@ -260,31 +260,31 @@ public static StaticWhitelist from(URL definition) throws IOException { return staticFieldSignatures; } - public static RejectedAccessException rejectMethod(@Nonnull Method m) { + public static RejectedAccessException rejectMethod(@NonNull Method m) { assert (m.getModifiers() & Modifier.STATIC) == 0; return blacklist(new RejectedAccessException("method", EnumeratingWhitelist.getName(m.getDeclaringClass()) + " " + m.getName() + printArgumentTypes(m.getParameterTypes()))); } - public static RejectedAccessException rejectMethod(@Nonnull Method m, String info) { + public static RejectedAccessException rejectMethod(@NonNull Method m, String info) { assert (m.getModifiers() & Modifier.STATIC) == 0; return blacklist(new RejectedAccessException("method", EnumeratingWhitelist.getName(m.getDeclaringClass()) + " " + m.getName() + printArgumentTypes(m.getParameterTypes()), info)); } - public static RejectedAccessException rejectNew(@Nonnull Constructor c) { + public static RejectedAccessException rejectNew(@NonNull Constructor c) { return blacklist(new RejectedAccessException("new", EnumeratingWhitelist.getName(c.getDeclaringClass()) + printArgumentTypes(c.getParameterTypes()))); } - public static RejectedAccessException rejectStaticMethod(@Nonnull Method m) { + public static RejectedAccessException rejectStaticMethod(@NonNull Method m) { assert (m.getModifiers() & Modifier.STATIC) != 0; return blacklist(new RejectedAccessException("staticMethod", EnumeratingWhitelist.getName(m.getDeclaringClass()) + " " + m.getName() + printArgumentTypes(m.getParameterTypes()))); } - public static RejectedAccessException rejectField(@Nonnull Field f) { + public static RejectedAccessException rejectField(@NonNull Field f) { assert (f.getModifiers() & Modifier.STATIC) == 0; return blacklist(new RejectedAccessException("field", EnumeratingWhitelist.getName(f.getDeclaringClass()) + " " + f.getName())); } - public static RejectedAccessException rejectStaticField(@Nonnull Field f) { + public static RejectedAccessException rejectStaticField(@NonNull Field f) { assert (f.getModifiers() & Modifier.STATIC) != 0; return blacklist(new RejectedAccessException("staticField", EnumeratingWhitelist.getName(f.getDeclaringClass()) + " " + f.getName())); } diff --git a/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ApprovalContext.java b/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ApprovalContext.java index 33abb9411..dd8b5dd30 100644 --- a/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ApprovalContext.java +++ b/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ApprovalContext.java @@ -27,7 +27,7 @@ import hudson.model.Item; import hudson.model.User; import hudson.security.ACL; -import javax.annotation.CheckForNull; +import edu.umd.cs.findbugs.annotations.CheckForNull; import jenkins.model.Jenkins; import org.kohsuke.stapler.DataBoundConstructor; diff --git a/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntry.java b/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntry.java index 934aa8b2a..8df12b7a6 100644 --- a/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntry.java +++ b/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntry.java @@ -43,8 +43,8 @@ import java.net.URI; import java.net.URISyntaxException; import java.net.URL; -import javax.annotation.CheckForNull; -import javax.annotation.Nonnull; +import edu.umd.cs.findbugs.annotations.CheckForNull; +import edu.umd.cs.findbugs.annotations.NonNull; /** * A classpath entry used for a script. @@ -52,10 +52,10 @@ public final class ClasspathEntry extends AbstractDescribableImpl implements Serializable { private static final long serialVersionUID = -2873408550951192200L; - private final @Nonnull URL url; + private final @NonNull URL url; @DataBoundConstructor - public ClasspathEntry(@Nonnull String path) throws MalformedURLException { + public ClasspathEntry(@NonNull String path) throws MalformedURLException { url = pathToURL(path); } @@ -76,7 +76,7 @@ static URL pathToURL(String path) throws MalformedURLException { } /** Returns {@code null} if another protocol or unable to perform the conversion. */ - private static File urlToFile(@Nonnull URL url) { + private static File urlToFile(@NonNull URL url) { if (url.getProtocol().equals("file")) { try { return new File(url.toURI()); @@ -99,7 +99,7 @@ static String urlToPath(URL url) { * In the case the URL uses a {@code file:} protocol a check is performed to see if it is a directory as an additional guard * in case a different class loader is used by other {@link Language} implementation. */ - static boolean isClassDirectoryURL(@Nonnull URL url) { + static boolean isClassDirectoryURL(@NonNull URL url) { final File file = urlToFile(url); if (file != null && file.isDirectory()) { return true; @@ -118,11 +118,11 @@ public boolean isClassDirectory() { return isClassDirectoryURL(url); } - public @Nonnull String getPath() { + public @NonNull String getPath() { return urlToPath(url); } - public @Nonnull URL getURL() { + public @NonNull URL getURL() { return url; } diff --git a/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/Language.java b/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/Language.java index 1f3884b98..1b4ba6350 100644 --- a/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/Language.java +++ b/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/Language.java @@ -25,8 +25,8 @@ package org.jenkinsci.plugins.scriptsecurity.scripts; import hudson.ExtensionPoint; -import javax.annotation.CheckForNull; -import javax.annotation.Nonnull; +import edu.umd.cs.findbugs.annotations.CheckForNull; +import edu.umd.cs.findbugs.annotations.NonNull; /** * A language for which we can request {@link ScriptApproval}. @@ -37,13 +37,13 @@ public abstract class Language implements ExtensionPoint { * Unique, permanent, internal identifier of this language. * @return a short unlocalized identifier, such as might be used for a filename extension */ - public abstract @Nonnull String getName(); + public abstract @NonNull String getName(); /** * Display name of the language for use in the UI. * @return a localized name */ - public abstract @Nonnull String getDisplayName(); + public abstract @NonNull String getDisplayName(); /** * A CodeMirror mode string, for purposes of displaying scripts in HTML. diff --git a/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java b/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java index cfda3ff3e..fb2f3a933 100644 --- a/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java +++ b/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java @@ -66,8 +66,8 @@ import java.util.function.Consumer; import java.util.logging.Level; import java.util.logging.Logger; -import javax.annotation.CheckForNull; -import javax.annotation.Nonnull; +import edu.umd.cs.findbugs.annotations.CheckForNull; +import edu.umd.cs.findbugs.annotations.NonNull; import jenkins.model.Jenkins; import net.sf.json.JSON; import org.acegisecurity.context.SecurityContext; @@ -112,7 +112,7 @@ public GlobalConfigurationCategory getCategory() { } /** Gets the singleton instance. */ - public static @Nonnull ScriptApproval get() { + public static @NonNull ScriptApproval get() { ScriptApproval instance = ExtensionList.lookup(RootAction.class).get(ScriptApproval.class); if (instance == null) { throw new IllegalStateException("maybe need to rebuild plugin?"); @@ -186,13 +186,13 @@ public static abstract class PendingThing { /** @deprecated only used from historical records */ @Deprecated private String user; - private @Nonnull ApprovalContext context; + private @NonNull ApprovalContext context; - PendingThing(@Nonnull ApprovalContext context) { + PendingThing(@NonNull ApprovalContext context) { this.context = context; } - public @Nonnull ApprovalContext getContext() { + public @NonNull ApprovalContext getContext() { return context; } @@ -210,7 +210,7 @@ private Object readResolve() { public static final class PendingScript extends PendingThing { public final String script; private final String language; - PendingScript(@Nonnull String script, @Nonnull Language language, @Nonnull ApprovalContext context) { + PendingScript(@NonNull String script, @NonNull Language language, @NonNull ApprovalContext context) { super(context); this.script = script; this.language = language.getName(); @@ -246,7 +246,7 @@ public Language getLanguage() { public static final class PendingSignature extends PendingThing { public final String signature; public final boolean dangerous; - PendingSignature(@Nonnull String signature, boolean dangerous, @Nonnull ApprovalContext context) { + PendingSignature(@NonNull String signature, boolean dangerous, @NonNull ApprovalContext context) { super(context); this.signature = signature; this.dangerous = dangerous; @@ -287,7 +287,7 @@ public static final class PendingClasspathEntry extends PendingThing implements } } - PendingClasspathEntry(@Nonnull String hash, @Nonnull URL url, @Nonnull ApprovalContext context) { + PendingClasspathEntry(@NonNull String hash, @NonNull URL url, @NonNull ApprovalContext context) { super(context); /** * hash should be stored as files located at the classpath can be modified. @@ -296,11 +296,11 @@ public static final class PendingClasspathEntry extends PendingThing implements this.url = url; } - public @Nonnull String getHash() { + public @NonNull String getHash() { return hash; } - public @Nonnull URL getURL() { + public @NonNull URL getURL() { return url; } @Override public int hashCode() { @@ -313,7 +313,7 @@ public static final class PendingClasspathEntry extends PendingThing implements return hash.compareTo(o.hash); } - public static @Nonnull PendingClasspathEntry searchKeyFor(@Nonnull String hash) { + public static @NonNull PendingClasspathEntry searchKeyFor(@NonNull String hash) { final PendingClasspathEntry entry = new PendingClasspathEntry(hash, SEARCH_APPROVAL_URL, SEARCH_APPROVAL_CONTEXT); return entry; @@ -327,7 +327,7 @@ public static final class PendingClasspathEntry extends PendingThing implements private /*final*/ TreeSet pendingClasspathEntries; @CheckForNull - private PendingClasspathEntry getPendingClasspathEntry(@Nonnull String hash) { + private PendingClasspathEntry getPendingClasspathEntry(@NonNull String hash) { PendingClasspathEntry e = pendingClasspathEntries.floor(PendingClasspathEntry.searchKeyFor(hash)); if (e != null && e.hash.equals(hash)) { return e; @@ -433,7 +433,7 @@ static String hashClasspathEntry(URL entry) throws IOException { * @return {@code script}, for convenience * @throws IllegalStateException {@link Jenkins} instance is not ready */ - public synchronized String configuring(@Nonnull String script, @Nonnull Language language, @Nonnull ApprovalContext context) { + public synchronized String configuring(@NonNull String script, @NonNull Language language, @NonNull ApprovalContext context) { final String hash = hash(script, language.getName()); if (!approvedScriptHashes.contains(hash)) { if (!Jenkins.getInstance().isUseSecurity() || Jenkins.getAuthentication() != ACL.SYSTEM && Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER)) { @@ -462,7 +462,7 @@ public synchronized String configuring(@Nonnull String script, @Nonnull Language * @return {@code script}, for convenience * @throws UnapprovedUsageException in case it has not yet been approved */ - public synchronized String using(@Nonnull String script, @Nonnull Language language) throws UnapprovedUsageException { + public synchronized String using(@NonNull String script, @NonNull Language language) throws UnapprovedUsageException { if (script.length() == 0) { // As a special case, always consider the empty script preapproved, as this is usually the default for new fields, // and in many cases there is some sensible behavior for an emoty script which we want to permit. @@ -488,7 +488,7 @@ synchronized boolean isScriptHashApproved(String hash) { * @param context any additional information * @throws IllegalStateException {@link Jenkins} instance is not ready */ - public synchronized void configuring(@Nonnull ClasspathEntry entry, @Nonnull ApprovalContext context) { + public synchronized void configuring(@NonNull ClasspathEntry entry, @NonNull ApprovalContext context) { // In order to try to minimize changes for existing class directories that could be saved // - Class directories are ignored here (issuing a warning) // - When trying to use them, the job will fail @@ -537,7 +537,7 @@ public synchronized void configuring(@Nonnull ClasspathEntry entry, @Nonnull App * @return whether it will be approved * @throws IllegalStateException {@link Jenkins} instance is not ready */ - public synchronized FormValidation checking(@Nonnull ClasspathEntry entry) { + public synchronized FormValidation checking(@NonNull ClasspathEntry entry) { //TODO: better error propagation if (entry.isClassDirectory()) { return FormValidation.error(Messages.ClasspathEntry_path_noDirsAllowed()); @@ -563,7 +563,7 @@ public synchronized FormValidation checking(@Nonnull ClasspathEntry entry) { * @throws IOException when failed to the entry is inaccessible * @throws UnapprovedClasspathException when the entry is not approved */ - public synchronized void using(@Nonnull ClasspathEntry entry) throws IOException, UnapprovedClasspathException { + public synchronized void using(@NonNull ClasspathEntry entry) throws IOException, UnapprovedClasspathException { URL url = entry.getURL(); String hash = hashClasspathEntry(url); @@ -592,7 +592,7 @@ public synchronized void using(@Nonnull ClasspathEntry entry) throws IOException * @param language the language in which it is written * @return a warning in case the script is not yet approved and this user lacks {@link Jenkins#ADMINISTER}, else {@link FormValidation#ok()} */ - public synchronized FormValidation checking(@Nonnull String script, @Nonnull Language language) { + public synchronized FormValidation checking(@NonNull String script, @NonNull Language language) { if (!Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER) && !approvedScriptHashes.contains(hash(script, language.getName()))) { return FormValidation.warningWithMarkup("A Jenkins administrator will need to approve this script before it can be used."); } else { @@ -608,7 +608,7 @@ public synchronized FormValidation checking(@Nonnull String script, @Nonnull Lan * @param language the language in which it is written * @return {@code script}, for convenience */ - public synchronized String preapprove(@Nonnull String script, @Nonnull Language language) { + public synchronized String preapprove(@NonNull String script, @NonNull Language language) { approvedScriptHashes.add(hash(script, language.getName())); return script; } @@ -634,7 +634,7 @@ public synchronized void preapproveAll() { * @deprecated Unnecessary if using {@link GroovySandbox#enter}. */ @Deprecated - public synchronized RejectedAccessException accessRejected(@Nonnull RejectedAccessException x, @Nonnull ApprovalContext context) { + public synchronized RejectedAccessException accessRejected(@NonNull RejectedAccessException x, @NonNull ApprovalContext context) { String signature = x.getSignature(); if (signature != null && pendingSignatures.add(new PendingSignature(signature, x.isDangerous(), context))) { save(); @@ -645,7 +645,7 @@ public synchronized RejectedAccessException accessRejected(@Nonnull RejectedAcce private static final ThreadLocal>> callbacks = ThreadLocal.withInitial(Stack::new); @Restricted(NoExternalUse.class) - public static void maybeRegister(@Nonnull RejectedAccessException x) { + public static void maybeRegister(@NonNull RejectedAccessException x) { for (Consumer callback : callbacks.get()) { callback.accept(x); }