From f4fe5710a56944096054e54d377cbcae97e599df Mon Sep 17 00:00:00 2001
From: Basil Crow <me@basilcrow.com>
Date: Thu, 23 Nov 2023 05:04:38 -0800
Subject: [PATCH] Refuse to load the Jenkins test harness in production (#8714)

---
 core/src/main/java/hudson/ClassicPluginStrategy.java | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/core/src/main/java/hudson/ClassicPluginStrategy.java b/core/src/main/java/hudson/ClassicPluginStrategy.java
index c16fc93e1aa9..1047ec5a3dbc 100644
--- a/core/src/main/java/hudson/ClassicPluginStrategy.java
+++ b/core/src/main/java/hudson/ClassicPluginStrategy.java
@@ -290,6 +290,10 @@ protected ClassLoader createClassLoader(List<File> paths, ClassLoader parent, At
 
         List<URL> urls = new ArrayList<>();
         for (File path : paths) {
+            if (path.getName().startsWith("jenkins-test-harness")) {
+                throw new IllegalStateException("Refusing to load the Jenkins test harness in production (via "
+                        + atts.getValue("Short-Name") + ")");
+            }
             urls.add(path.toURI().toURL());
         }
         URLClassLoader2 classLoader;