From 01b7c3506a84078d81c2f142322ca441d8e20da8 Mon Sep 17 00:00:00 2001 From: Nikolai Martyn Date: Tue, 27 Jan 2026 20:40:09 +0100 Subject: [PATCH 1/3] Fix preapprove() leaving scripts in pendingScripts after approval The preapprove() method adds script hashes to approvedScriptHashes but does not remove matching entries from pendingScripts. This causes scripts to appear with apply/deny buttons in the Jenkins UI even though their hashes are already present in scriptApproval.xml's approvedScriptHashes. The scripts are technically approved (hash exists in approvedScriptHashes) but the UI incorrectly shows them as pending because they remain in the pendingScripts list. This fix makes preapprove() consistent with preapproveAll() by calling removePendingScript() to remove the pending entry after adding to approvedScriptHashes. --- .../plugins/scriptsecurity/scripts/ScriptApproval.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java b/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java index e80efedf..74690ce4 100644 --- a/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java +++ b/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java @@ -879,7 +879,9 @@ synchronized boolean isClasspathEntryApproved(URL url) { * @return {@code script}, for convenience */ public synchronized String preapprove(@NonNull String script, @NonNull Language language) { - approvedScriptHashes.add(DEFAULT_HASHER.hash(script, language.getName())); + String hash = DEFAULT_HASHER.hash(script, language.getName()); + approvedScriptHashes.add(hash); + removePendingScript(hash); return script; } From 59604193a7c96eacdff3daf9fbe24272092f2a5d Mon Sep 17 00:00:00 2001 From: Nikolai Martyn Date: Tue, 27 Jan 2026 21:33:59 +0100 Subject: [PATCH 2/3] Add test for preapprove() bug fix Add test case that verifies preapprove() removes scripts from pendingScripts after adding them to approvedScriptHashes. The test: 1. Creates a pending script via configuring() 2. Calls preapprove() on it 3. Verifies the hash is in approvedScriptHashes 4. Verifies the script is removed from pendingScripts --- .tool-versions | 1 + .../scripts/ScriptApprovalTest.java | 25 +++++++++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 .tool-versions diff --git a/.tool-versions b/.tool-versions new file mode 100644 index 00000000..b9d9fe43 --- /dev/null +++ b/.tool-versions @@ -0,0 +1 @@ +maven 3.9.9 diff --git a/src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApprovalTest.java b/src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApprovalTest.java index e25bd110..f03180a7 100644 --- a/src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApprovalTest.java +++ b/src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApprovalTest.java @@ -86,6 +86,31 @@ public class ScriptApprovalTest extends AbstractApprovalTest Date: Tue, 27 Jan 2026 21:58:08 +0100 Subject: [PATCH 3/3] Remove accidentally committed .tool-versions file --- .tool-versions | 1 - 1 file changed, 1 deletion(-) delete mode 100644 .tool-versions diff --git a/.tool-versions b/.tool-versions deleted file mode 100644 index b9d9fe43..00000000 --- a/.tool-versions +++ /dev/null @@ -1 +0,0 @@ -maven 3.9.9