Bug
Resolution: Not A Defect
Major
Jenkins 1.596.2 LTS
Hi,
We have the following configuration in a job:
<builders>
  <org.jenkinsci.plugins.conditionalbuildstep.ConditionalBuilder plugin="conditional-buildstep@1.3.3">
    <runner class="org.jenkins_ci.plugins.run_condition.BuildStepRunner$Fail" plugin="run-condition@1.0"/>
    <runCondition class="org.jenkins_ci.plugins.run_condition.core.ExpressionCondition" plugin="run-condition@1.0">
      <expression>[24][x0-9][0-9]{2}</expression>
      <label>${TYPE}</label>
    </runCondition>
    ...
When the Script Security Plugin is installed, we get the following error:
SEVERE: Failed Loading job MyJob
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter matchRegex java.lang.Object java.lang.Object
    at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectStaticMethod(StaticWhitelist.java:164)
    at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onStaticCall(SandboxInterceptor.java:100)
    at org.kohsuke.groovy.sandbox.impl.Checker$2.call(Checker.java:115)
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedStaticCall(Checker.java:112)
    at sun.reflect.GeneratedMethodAccessor108.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:90)
    at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:233)
    at org.codehaus.groovy.runtime.callsite.StaticMetaMethodSite.invoke(StaticMetaMethodSite.java:43)
    at org.codehaus.groovy.runtime.callsite.StaticMetaMethodSite.callStatic(StaticMetaMethodSite.java:99)
    at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:50)
    at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:157)
    at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:177)
    at Script1.run(Script1.groovy:1)
    at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:139)
    at hudson.matrix.FilterScript.evaluate(FilterScript.java:45)
    at hudson.matrix.FilterScript.apply(FilterScript.java:85)
    at hudson.matrix.Combination.evalGroovyExpression(Combination.java:101)
    at hudson.matrix.Combination.evalGroovyExpression(Combination.java:91)
    at hudson.matrix.MatrixProject.rebuildConfigurations(MatrixProject.java:638)
    at hudson.matrix.MatrixProject.onLoad(MatrixProject.java:505)
    at hudson.model.Items.load(Items.java:279)
    at jenkins.model.Jenkins$17.run(Jenkins.java:2673)
    at org.jvnet.hudson.reactor.TaskGraphBuilder$TaskImpl.run(TaskGraphBuilder.java:169)
    at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:282)
    at jenkins.model.Jenkins$7.runTask(Jenkins.java:903)
    at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:210)
    at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:117)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Note: The current workaround is to "Approve" the script via http://<jenkins-url>/scriptApproval/
This is the expected behaviour: when the script security plugin is installed, all Groovy code executed should get checked before execution.
As for now, it seems that the causing method in your case seems to be added to the default whitelist now: https://github.com/abayer/script-security-plugin/blob/master/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist
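
Added example (not part of the original report or comments, and not the plugin's own code): a Python triage script that extracts rejected signatures from a Jenkins log and reports which ones already appear in a whitelist file, so only the remainder need review at /scriptApproval/. The sample log, the sample whitelist excerpt, the second signature and all function names are constructed for illustration; matching is plain string equality on one signature per line, which is a simplification of how the plugin matches.

```python
import re

# Signature kinds that appear in sandbox rejection messages and whitelist lines.
KINDS = ("staticMethod", "method", "new", "staticField", "field")

# Capture the signature up to end of line, or up to the first " at " frame
# when the stack trace has been flattened onto one line.
REJECTED = re.compile(
    r"RejectedAccessException: Scripts not permitted to use "
    r"((?:%s) \S+(?: \S+)*?)(?=\s+at\s|\s*$)" % "|".join(KINDS)
)

def load_whitelist(text):
    """Return whitelist entries, skipping blank lines and '#' comments."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.add(" ".join(line.split()))
    return entries

def rejected_signatures(log_text):
    """Return distinct rejected signatures in order of first appearance."""
    found = []
    for line in log_text.splitlines():
        m = REJECTED.search(line)
        if m:
            sig = " ".join(m.group(1).split())
            if sig not in found:
                found.append(sig)
    return found

def triage(log_text, whitelist_text):
    """Map each rejected signature to 'whitelisted' or 'needs approval'."""
    allowed = load_whitelist(whitelist_text)
    return {s: "whitelisted" if s in allowed else "needs approval"
            for s in rejected_signatures(log_text)}

# Constructed sample input: first line flattened as on this page, second line constructed.
SAMPLE_LOG = """\
SEVERE: Failed Loading job MyJob org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter matchRegex java.lang.Object java.lang.Object at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectStaticMethod(StaticWhitelist.java:164)
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod java.lang.System getenv java.lang.String
"""
# Constructed whitelist excerpt, not the real file contents.
SAMPLE_WHITELIST = """\
# constructed excerpt
staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter matchRegex java.lang.Object java.lang.Object
"""

if __name__ == "__main__":
    for sig, status in triage(SAMPLE_LOG, SAMPLE_WHITELIST).items():
        print(status, "->", sig)
```
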