Skip to content

Fix preapprove() leaving scripts in pendingScripts after approval #908

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
LeCrew163 wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Fix preapprove() leaving scripts in pendingScripts after approval #908

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
01b7c35
Fix preapprove() leaving scripts in pendingScripts after approval
Jan 27, 2026
5960419
Add test for preapprove() bug fix
Jan 27, 2026
1f24fc0
Remove accidentally committed .tool-versions file
Jan 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -879,7 +879,9 @@ synchronized boolean isClasspathEntryApproved(URL url) {
* @return {@code script}, for convenience
*/
public synchronized String preapprove(@NonNull String script, @NonNull Language language) {
approvedScriptHashes.add(DEFAULT_HASHER.hash(script, language.getName()));
String hash = DEFAULT_HASHER.hash(script, language.getName());
approvedScriptHashes.add(hash);
removePendingScript(hash);
return script;
}

Expand Down
25 changes: 25 additions & 0 deletions src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApprovalTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -86,6 +86,31 @@ public class ScriptApprovalTest extends AbstractApprovalTest<ScriptApprovalTest.
script("").use();
}

@Test public void preapproveRemovesPendingScript() throws Exception {
configureSecurity();
ScriptApproval sa = ScriptApproval.get();
String testScript = "println 'test script'";

// First create a pending script by configuring it without admin approval
sa.configuring(testScript, GroovyLanguage.get(), ApprovalContext.create(), false);

// Verify the script is in pending list
assertEquals(1, sa.getPendingScripts().size());
ScriptApproval.PendingScript pending = sa.getPendingScripts().iterator().next();
assertEquals(testScript, pending.script);
String hash = pending.getHash();

// Now preapprove the script
sa.preapprove(testScript, GroovyLanguage.get());

// Verify the script hash is approved
assertTrue(sa.isScriptHashApproved(hash));

// Verify the script is removed from pending list (this was the bug)
assertEquals("Pending scripts should be empty after preapprove",
0, sa.getPendingScripts().size());
}

@Issue("JENKINS-46764")
@Test
@LocalData("malformedScriptApproval")
Expand Down