# Reflective access to Groovy is too open-ended. Approve only specific GroovyObject subclass methods.
method groovy.lang.GroovyObject getMetaClass
method groovy.lang.GroovyObject getProperty java.lang.String
method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object
method groovy.lang.GroovyObject setMetaClass groovy.lang.MetaClass
method groovy.lang.GroovyObject setProperty java.lang.String java.lang.Object

# Raw file operations could be used to compromise the Jenkins master.
new java.io.File java.lang.String
new java.io.File java.lang.String java.lang.String
new java.io.File java.net.URI
new java.io.FileInputStream java.lang.String

# Same for local process execution.
staticMethod java.lang.Runtime getRuntime
staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.lang.String
staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.lang.String java.lang.String[] java.io.File
staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.lang.String java.util.List java.io.File
staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.lang.String[]
staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.lang.String[] java.lang.String[] java.io.File
staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.lang.String[] java.util.List java.io.File
staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.util.List
staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.util.List java.lang.String[] java.io.File
staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.util.List java.util.List java.io.File

# TODO do we need a @Blacklisted annotation?
method org.jenkinsci.plugins.workflow.support.steps.build.RunWrapper getRawBuild
