# SECURITY-538
# staticMethod groovy.json.JsonOutput toJson groovy.lang.Closure
# staticMethod groovy.json.JsonOutput toJson java.lang.Object

# Reflective access to Groovy is too open-ended. Approve only specific GroovyObject subclass methods.
method groovy.lang.GroovyObject getMetaClass
method groovy.lang.GroovyObject getProperty java.lang.String
method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object
method groovy.lang.GroovyObject setMetaClass groovy.lang.MetaClass
method groovy.lang.GroovyObject setProperty java.lang.String java.lang.Object

# Raw file operations could be used to compromise the server.
staticMethod java.io.File createTempFile java.lang.String java.lang.String
staticMethod java.io.File createTempFile java.lang.String java.lang.String java.io.File
new java.io.File java.lang.String
new java.io.File java.lang.String java.lang.String
new java.io.File java.net.URI
staticMethod java.io.File listRoots
new java.io.FileInputStream java.lang.String
new java.io.FileOutputStream java.lang.String
new java.io.FileOutputStream java.lang.String boolean
new java.io.FileReader java.lang.String
new java.io.FileWriter java.lang.String
new java.io.FileWriter java.lang.String boolean
new java.io.PrintStream java.lang.String
new java.io.PrintStream java.lang.String java.lang.String
new java.io.PrintWriter java.lang.String
new java.io.PrintWriter java.lang.String java.lang.String
new java.io.RandomAccessFile java.lang.String java.lang.String

# No reflection!
method java.lang.Class getConstructor java.lang.Class[]
method java.lang.Class getConstructors
method java.lang.Class getDeclaredConstructor java.lang.Class[]
method java.lang.Class getDeclaredConstructors
method java.lang.Class getDeclaredField java.lang.String
method java.lang.Class getDeclaredFields
method java.lang.Class getDeclaredMethod java.lang.String java.lang.Class[]
method java.lang.Class getDeclaredMethods
method java.lang.Class getField java.lang.String
method java.lang.Class getFields
method java.lang.Class getMethod java.lang.String java.lang.Class[]
method java.lang.Class getMethods
method java.lang.Class getResource java.lang.String
method java.lang.Class getResourceAsStream java.lang.String
method java.lang.Class newInstance

# Same for local process execution.
staticMethod java.lang.Runtime getRuntime
new java.lang.ProcessBuilder java.util.List
new java.lang.ProcessBuilder java.lang.String[]
new freemarker.template.utility.Execute
staticMethod jdk.jshell.JShell create
staticMethod jdk.jshell.JShell builder
staticMethod groovy.util.Eval me java.lang.String
staticMethod groovy.util.Eval me java.lang.String java.lang.Object java.lang.String
staticMethod groovy.util.Eval x java.lang.Object java.lang.String
staticMethod groovy.util.Eval xy java.lang.Object java.lang.Object java.lang.String
staticMethod groovy.util.Eval xyz java.lang.Object java.lang.Object java.lang.Object java.lang.String
method org.apache.commons.exec.Executor execute org.apache.commons.exec.CommandLine
method org.apache.commons.exec.Executor execute org.apache.commons.exec.CommandLine java.util.Map
method org.apache.commons.exec.Executor execute org.apache.commons.exec.CommandLine java.util.Map org.apache.commons.exec.ExecuteResultHandler
method org.apache.commons.exec.Executor execute org.apache.commons.exec.CommandLine org.apache.commons.exec.ExecuteResultHandler

# Leak information.
staticMethod java.lang.System getProperties
staticMethod java.lang.System getProperty java.lang.String
staticMethod java.lang.System getProperty java.lang.String java.lang.String
staticMethod java.lang.System getenv

# SECURITY-683 speculative approach to Spectre/Meltdown
staticMethod java.lang.System nanoTime

# Maybe could bypass other protections.
staticMethod java.lang.System setProperty java.lang.String java.lang.String

# Could be used to read local files.
method java.net.URL getContent
method java.net.URL getContent java.lang.Class[]
method java.net.URL openConnection
method java.net.URL openStream

# Groovy java.net.URL extensions could be used to read local files.
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods eachByte java.net.URL groovy.lang.Closure
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods eachByte java.net.URL int groovy.lang.Closure
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods eachLine java.net.URL groovy.lang.Closure
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods eachLine java.net.URL int groovy.lang.Closure
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods eachLine java.net.URL java.lang.String groovy.lang.Closure
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods eachLine java.net.URL java.lang.String int groovy.lang.Closure
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods filterLine java.net.URL groovy.lang.Closure
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods filterLine java.net.URL java.io.Writer groovy.lang.Closure
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods filterLine java.net.URL java.io.Writer java.lang.String groovy.lang.Closure
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods filterLine java.net.URL java.lang.String groovy.lang.Closure
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods getBytes java.net.URL
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods getBytes java.net.URL java.util.Map
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods getText java.net.URL
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods getText java.net.URL java.lang.String
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods getText java.net.URL java.util.Map
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods getText java.net.URL java.util.Map java.lang.String
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods newInputStream java.net.URL
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods newInputStream java.net.URL java.util.Map
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods newReader java.net.URL
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods newReader java.net.URL java.lang.String
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods newReader java.net.URL java.util.Map
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods newReader java.net.URL java.util.Map java.lang.String
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods readLines java.net.URL
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods readLines java.net.URL java.lang.String
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods splitEachLine java.net.URL java.lang.String groovy.lang.Closure
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods splitEachLine java.net.URL java.lang.String java.lang.String groovy.lang.Closure
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods splitEachLine java.net.URL java.util.regex.Pattern groovy.lang.Closure
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods splitEachLine java.net.URL java.util.regex.Pattern java.lang.String groovy.lang.Closure
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods withInputStream java.net.URL groovy.lang.Closure
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods withReader java.net.URL groovy.lang.Closure
staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods withReader java.net.URL java.lang.String groovy.lang.Closure

# NIO file operations must start with a Path:
staticMethod java.nio.file.Paths get java.lang.String java.lang.String[]
staticMethod java.nio.file.Paths get java.net.URI

# More process execution, Groovy-style:
staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.lang.String
staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.lang.String java.lang.String[] java.io.File
staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.lang.String java.util.List java.io.File
staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.lang.String[]
staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.lang.String[] java.lang.String[] java.io.File
staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.lang.String[] java.util.List java.io.File
staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.util.List
staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.util.List java.lang.String[] java.io.File
staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.util.List java.util.List java.io.File

staticMethod org.codehaus.groovy.runtime.ProcessGroovyMethods execute java.lang.String
staticMethod org.codehaus.groovy.runtime.ProcessGroovyMethods execute java.lang.String java.lang.String[] java.io.File
staticMethod org.codehaus.groovy.runtime.ProcessGroovyMethods execute java.lang.String java.util.List java.io.File
staticMethod org.codehaus.groovy.runtime.ProcessGroovyMethods execute java.lang.String[]
staticMethod org.codehaus.groovy.runtime.ProcessGroovyMethods execute java.lang.String[] java.lang.String[] java.io.File
staticMethod org.codehaus.groovy.runtime.ProcessGroovyMethods execute java.lang.String[] java.util.List java.io.File
staticMethod org.codehaus.groovy.runtime.ProcessGroovyMethods execute java.util.List
staticMethod org.codehaus.groovy.runtime.ProcessGroovyMethods execute java.util.List java.lang.String[] java.io.File
staticMethod org.codehaus.groovy.runtime.ProcessGroovyMethods execute java.util.List java.util.List java.io.File

# SECURITY-538
staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.lang.Object java.lang.String
staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getMetaPropertyValues java.lang.Object
staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getProperties java.lang.Object
staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods putAt java.lang.Object java.lang.String java.lang.Object

# SECURITY-1353
staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter asType java.lang.Object java.lang.Class
staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter castToType java.lang.Object java.lang.Class

# SECURITY-1754
new org.kohsuke.groovy.sandbox.impl.Checker$SuperConstructorWrapper java.lang.Object[]
new org.kohsuke.groovy.sandbox.impl.Checker$ThisConstructorWrapper java.lang.Object[]

# Spring methods
method org.springframework.core.env.ConfigurableEnvironment getSystemEnvironment
