Use GroovySourceFileAllowlist to adapt to SECURITY-359 changes

Author: dwnusbaum

pom.xml

@@ -31,9 +31,10 @@
     <properties>
         <revision>1.29</revision>
         <changelist>-SNAPSHOT</changelist>
-        <jenkins.version>2.222.4</jenkins.version>
+        <jenkins.version>2.332.1</jenkins.version>
         <java.level>8</java.level>
-        <pipeline-model-definition-plugin.version>1.8.1</pipeline-model-definition-plugin.version>
+        <pipeline-model-definition-plugin.version>2.2082.v70b_19a_c38c26</pipeline-model-definition-plugin.version> <!-- TODO: https://github.com/jenkinsci/pipeline-model-definition-plugin/pull/529 -->
+        <workflow-cps-plugin.version>2699.v7231c3b_4a_231</workflow-cps-plugin.version> <!-- TODO: https://github.com/jenkinsci/workflow-cps-plugin/pull/538 -->
     </properties>
     <repositories>
         <repository>
@@ -51,12 +52,17 @@
         <dependencies>
             <dependency>
                 <groupId>io.jenkins.tools.bom</groupId>
-                <artifactId>bom-2.222.x</artifactId>
-                <version>887.vae9c8ac09ff7</version>
+                <artifactId>bom-2.332.x</artifactId>
+                <version>1382.v7d694476f340</version>
                 <scope>import</scope>
                 <type>pom</type>
             </dependency>
-
+            <dependency>
+                <!-- TODO: Remove once this version is included in BOM -->
+                <groupId>org.jenkins-ci.plugins</groupId>
+                <artifactId>script-security</artifactId>
+                <version>1172.v35f6a_0b_8207e</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
     <dependencies>
@@ -68,6 +74,7 @@
         <dependency>
             <groupId>org.jenkins-ci.plugins.workflow</groupId>
             <artifactId>workflow-cps</artifactId>
+            <version>${workflow-cps-plugin.version}</version>
         </dependency>
         <dependency>
             <groupId>org.jenkins-ci.plugins.workflow</groupId>
@@ -100,6 +107,7 @@
         <dependency>
             <groupId>org.jenkins-ci.plugins.workflow</groupId>
             <artifactId>workflow-cps</artifactId>
+            <version>${workflow-cps-plugin.version}</version>
             <classifier>tests</classifier>
             <scope>test</scope>
         </dependency>

src/main/java/org/jenkinsci/plugins/docker/workflow/declarative/AbstractDockerAgent.java

@@ -28,8 +28,10 @@
 
 import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.Nullable;
+import hudson.Extension;
 import org.jenkinsci.plugins.pipeline.modeldefinition.agent.DeclarativeAgent;
 import org.jenkinsci.plugins.pipeline.modeldefinition.options.DeclarativeOption;
+import org.jenkinsci.plugins.workflow.cps.GroovySourceFileAllowlist;
 import org.kohsuke.stapler.DataBoundSetter;
 
 public abstract class AbstractDockerAgent<D extends AbstractDockerAgent<D>> extends DeclarativeAgent<D> {
@@ -123,4 +125,18 @@ public boolean reuseRootAgent(Map<String, DeclarativeOption> options) {
         return options.get(ContainerPerStage.SYMBOL) != null;
     }
 
+    /**
+     * AbstractDockerPipelineScript.groovy is a superclass of the Groovy scripts for subclasses of
+     * {@link AbstractDockerAgent}, but does not have any direct equivalent Java class, so we just allow it here.
+     */
+    @Extension
+    public static class ChangelogConditionalScriptAllowlist extends GroovySourceFileAllowlist {
+        private final String scriptUrl = AbstractDockerAgent.class.getResource("/org/jenkinsci/plugins/docker/workflow/declarative/AbstractDockerPipelineScript.groovy").toString();
+
+        @Override
+        public boolean isAllowed(String groovyResourceUrl) {
+            return groovyResourceUrl.equals(scriptUrl);
+        }
+    }
+
 }