def text = '''
<list>
<technology>
<name>Groovy</name>
</technology>
</list>
'''
def list = new XmlSlurper().parseText(text)
println list.technology.name.text()
Using a GPath expression like this list.technology.name.text() works fine but requires an admin to allow “method groovy.lang.GroovyObject getProperty java.lang.String” which the script security plugin recommends against (“Approving this signature may introduce a security vulnerability! You are advised to deny it.”). Since I am not the owner of the Jenkins instance, I am not sure I can convince them this is OK to approve.
Is there a way to write the code such that it does not depend on GroovyObject.getProperty being permitted? Or is there someway to configure Jenkins so that this can work? Or how to proceed ahead?
If you want to avoid using getProperty and still be able to parse XML content in Jenkins, you could use a different approach that doesn’t require dynamic property access.
Here’s an example:
def list = new XmlSlurper().parseText(text)
def technology = list.'technology'
def name = technology.'name'.text()
println name
This code uses the . syntax to access XML elements and attributes, instead of using dynamic property access. This syntax is safer and doesn’t require the getProperty permission.
Instead of using the dot notation to access the child elements of the XML, you could use square brackets and pass the name of the child element as a string. For example:
def list = new XmlSlurper().parseText(text)
println list['technology']['name'].text()
If you’re still unable to run this code due to security restrictions, you could try using the XmlParser instead of XmlSlurper. The XmlParser is less convenient to use than XmlSlurper, but it’s more secure because it doesn’t allow dynamic property access.
Here’s an example:
def parser = new XmlParser()
def list = parser.parseText(text)
println list.technology.name.text()