Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-27952

Scriptsecurity: match regex not permitted with conditional build step plugin

XMLWordPrintable

      Hi,

      We have the following configuration in a job:

        <builders>
    <org.jenkinsci.plugins.conditionalbuildstep.ConditionalBuilder plugin="conditional-buildstep@1.3.3">
      <runner class="org.jenkins_ci.plugins.run_condition.BuildStepRunner$Fail" plugin="run-condition@1.0"/>
      <runCondition class="org.jenkins_ci.plugins.run_condition.core.ExpressionCondition" plugin="run-condition@1.0">
        <expression>[24][x0-9][0-9]{2}</expression>
        <label>${TYPE}</label>
      </runCondition>
  ...

      When the Script Security Plugin is installed, we get the following error:

      SEVERE: Failed Loading job MyJob
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter matchRegex java.lang.Object java.lang.Object
        at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectStaticMethod(StaticWhitelist.java:164)
        at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onStaticCall(SandboxInterceptor.java:100)
        at org.kohsuke.groovy.sandbox.impl.Checker$2.call(Checker.java:115)
        at org.kohsuke.groovy.sandbox.impl.Checker.checkedStaticCall(Checker.java:112)
        at sun.reflect.GeneratedMethodAccessor108.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:90)
        at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:233)
        at org.codehaus.groovy.runtime.callsite.StaticMetaMethodSite.invoke(StaticMetaMethodSite.java:43)
        at org.codehaus.groovy.runtime.callsite.StaticMetaMethodSite.callStatic(StaticMetaMethodSite.java:99)
        at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:50)
        at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:157)
        at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:177)
        at Script1.run(Script1.groovy:1)
        at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:139)
        at hudson.matrix.FilterScript.evaluate(FilterScript.java:45)
        at hudson.matrix.FilterScript.apply(FilterScript.java:85)
        at hudson.matrix.Combination.evalGroovyExpression(Combination.java:101)
        at hudson.matrix.Combination.evalGroovyExpression(Combination.java:91)
        at hudson.matrix.MatrixProject.rebuildConfigurations(MatrixProject.java:638)
        at hudson.matrix.MatrixProject.onLoad(MatrixProject.java:505)
        at hudson.model.Items.load(Items.java:279)
        at jenkins.model.Jenkins$17.run(Jenkins.java:2673)
        at org.jvnet.hudson.reactor.TaskGraphBuilder$TaskImpl.run(TaskGraphBuilder.java:169)
        at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:282)
        at jenkins.model.Jenkins$7.runTask(Jenkins.java:903)
        at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:210)
        at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:117)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)

      Note: The current workaround is to "Approve" the script via http://<jenkins-url>/scriptApproval/

          [JENKINS-27952] Scriptsecurity: match regex not permitted with conditional build step plugin

          Tom Ghyselinck created issue -
          Tom Ghyselinck made changes -
          Description Original: Hi,

          We have the following configuration in a job:

          {code}
            <builders>
              <org.jenkinsci.plugins.conditionalbuildstep.ConditionalBuilder plugin="conditional-buildstep@1.3.3">
                <runner class="org.jenkins_ci.plugins.run_condition.BuildStepRunner$Fail" plugin="run-condition@1.0"/>
                <runCondition class="org.jenkins_ci.plugins.run_condition.core.ExpressionCondition" plugin="run-condition@1.0">
                  <expression>[24][x0-9][0-9]{2}</expression>
                  <label>${TYPE}</label>
                </runCondition>
            ...
          {code}

          When the [https://wiki.jenkins-ci.org/display/JENKINS/Script+Security+Plugin Script Security Plugin] is installed, we get the following error:

          {code}
          SEVERE: Failed Loading job MyJob
          org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter matchRegex java.lang.Object java.lang.Object
                  at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectStaticMethod(StaticWhitelist.java:164)
                  at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onStaticCall(SandboxInterceptor.java:100)
                  at org.kohsuke.groovy.sandbox.impl.Checker$2.call(Checker.java:115)
                  at org.kohsuke.groovy.sandbox.impl.Checker.checkedStaticCall(Checker.java:112)
                  at sun.reflect.GeneratedMethodAccessor108.invoke(Unknown Source)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                  at java.lang.reflect.Method.invoke(Method.java:606)
                  at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:90)
                  at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:233)
                  at org.codehaus.groovy.runtime.callsite.StaticMetaMethodSite.invoke(StaticMetaMethodSite.java:43)
                  at org.codehaus.groovy.runtime.callsite.StaticMetaMethodSite.callStatic(StaticMetaMethodSite.java:99)
                  at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:50)
                  at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:157)
                  at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:177)
                  at Script1.run(Script1.groovy:1)
                  at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:139)
                  at hudson.matrix.FilterScript.evaluate(FilterScript.java:45)
                  at hudson.matrix.FilterScript.apply(FilterScript.java:85)
                  at hudson.matrix.Combination.evalGroovyExpression(Combination.java:101)
                  at hudson.matrix.Combination.evalGroovyExpression(Combination.java:91)
                  at hudson.matrix.MatrixProject.rebuildConfigurations(MatrixProject.java:638)
                  at hudson.matrix.MatrixProject.onLoad(MatrixProject.java:505)
                  at hudson.model.Items.load(Items.java:279)
                  at jenkins.model.Jenkins$17.run(Jenkins.java:2673)
                  at org.jvnet.hudson.reactor.TaskGraphBuilder$TaskImpl.run(TaskGraphBuilder.java:169)
                  at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:282)
                  at jenkins.model.Jenkins$7.runTask(Jenkins.java:903)
                  at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:210)
                  at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:117)
                  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
                  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
                  at java.lang.Thread.run(Thread.java:745)
          {code}
          		 New: Hi,

          We have the following configuration in a job:

          {code}
            <builders>
              <org.jenkinsci.plugins.conditionalbuildstep.ConditionalBuilder plugin="conditional-buildstep@1.3.3">
                <runner class="org.jenkins_ci.plugins.run_condition.BuildStepRunner$Fail" plugin="run-condition@1.0"/>
                <runCondition class="org.jenkins_ci.plugins.run_condition.core.ExpressionCondition" plugin="run-condition@1.0">
                  <expression>[24][x0-9][0-9]{2}</expression>
                  <label>${TYPE}</label>
                </runCondition>
            ...
          {code}

          When the [https://wiki.jenkins-ci.org/display/JENKINS/Script+Security+Plugin Script Security Plugin] is installed, we get the following error:

          {code}
          SEVERE: Failed Loading job MyJob
          org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter matchRegex java.lang.Object java.lang.Object
                  at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectStaticMethod(StaticWhitelist.java:164)
                  at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onStaticCall(SandboxInterceptor.java:100)
                  at org.kohsuke.groovy.sandbox.impl.Checker$2.call(Checker.java:115)
                  at org.kohsuke.groovy.sandbox.impl.Checker.checkedStaticCall(Checker.java:112)
                  at sun.reflect.GeneratedMethodAccessor108.invoke(Unknown Source)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                  at java.lang.reflect.Method.invoke(Method.java:606)
                  at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:90)
                  at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:233)
                  at org.codehaus.groovy.runtime.callsite.StaticMetaMethodSite.invoke(StaticMetaMethodSite.java:43)
                  at org.codehaus.groovy.runtime.callsite.StaticMetaMethodSite.callStatic(StaticMetaMethodSite.java:99)
                  at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:50)
                  at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:157)
                  at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:177)
                  at Script1.run(Script1.groovy:1)
                  at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:139)
                  at hudson.matrix.FilterScript.evaluate(FilterScript.java:45)
                  at hudson.matrix.FilterScript.apply(FilterScript.java:85)
                  at hudson.matrix.Combination.evalGroovyExpression(Combination.java:101)
                  at hudson.matrix.Combination.evalGroovyExpression(Combination.java:91)
                  at hudson.matrix.MatrixProject.rebuildConfigurations(MatrixProject.java:638)
                  at hudson.matrix.MatrixProject.onLoad(MatrixProject.java:505)
                  at hudson.model.Items.load(Items.java:279)
                  at jenkins.model.Jenkins$17.run(Jenkins.java:2673)
                  at org.jvnet.hudson.reactor.TaskGraphBuilder$TaskImpl.run(TaskGraphBuilder.java:169)
                  at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:282)
                  at jenkins.model.Jenkins$7.runTask(Jenkins.java:903)
                  at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:210)
                  at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:117)
                  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
                  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
                  at java.lang.Thread.run(Thread.java:745)
          {code}

          *Note*: The current _workaround_ is to "_Approve_" the script via [http://&lt;jenkins-url&gt;/scriptApproval/]
          Tom Ghyselinck made changes -
          Environment New: Jenkins 1.596.2
          Tom Ghyselinck made changes -
          Description Original: Hi,

          We have the following configuration in a job:

          {code}
            <builders>
              <org.jenkinsci.plugins.conditionalbuildstep.ConditionalBuilder plugin="conditional-buildstep@1.3.3">
                <runner class="org.jenkins_ci.plugins.run_condition.BuildStepRunner$Fail" plugin="run-condition@1.0"/>
                <runCondition class="org.jenkins_ci.plugins.run_condition.core.ExpressionCondition" plugin="run-condition@1.0">
                  <expression>[24][x0-9][0-9]{2}</expression>
                  <label>${TYPE}</label>
                </runCondition>
            ...
          {code}

          When the [https://wiki.jenkins-ci.org/display/JENKINS/Script+Security+Plugin Script Security Plugin] is installed, we get the following error:

          {code}
          SEVERE: Failed Loading job MyJob
          org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter matchRegex java.lang.Object java.lang.Object
                  at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectStaticMethod(StaticWhitelist.java:164)
                  at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onStaticCall(SandboxInterceptor.java:100)
                  at org.kohsuke.groovy.sandbox.impl.Checker$2.call(Checker.java:115)
                  at org.kohsuke.groovy.sandbox.impl.Checker.checkedStaticCall(Checker.java:112)
                  at sun.reflect.GeneratedMethodAccessor108.invoke(Unknown Source)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                  at java.lang.reflect.Method.invoke(Method.java:606)
                  at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:90)
                  at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:233)
                  at org.codehaus.groovy.runtime.callsite.StaticMetaMethodSite.invoke(StaticMetaMethodSite.java:43)
                  at org.codehaus.groovy.runtime.callsite.StaticMetaMethodSite.callStatic(StaticMetaMethodSite.java:99)
                  at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:50)
                  at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:157)
                  at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:177)
                  at Script1.run(Script1.groovy:1)
                  at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:139)
                  at hudson.matrix.FilterScript.evaluate(FilterScript.java:45)
                  at hudson.matrix.FilterScript.apply(FilterScript.java:85)
                  at hudson.matrix.Combination.evalGroovyExpression(Combination.java:101)
                  at hudson.matrix.Combination.evalGroovyExpression(Combination.java:91)
                  at hudson.matrix.MatrixProject.rebuildConfigurations(MatrixProject.java:638)
                  at hudson.matrix.MatrixProject.onLoad(MatrixProject.java:505)
                  at hudson.model.Items.load(Items.java:279)
                  at jenkins.model.Jenkins$17.run(Jenkins.java:2673)
                  at org.jvnet.hudson.reactor.TaskGraphBuilder$TaskImpl.run(TaskGraphBuilder.java:169)
                  at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:282)
                  at jenkins.model.Jenkins$7.runTask(Jenkins.java:903)
                  at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:210)
                  at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:117)
                  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
                  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
                  at java.lang.Thread.run(Thread.java:745)
          {code}

          *Note*: The current _workaround_ is to "_Approve_" the script via [http://&lt;jenkins-url&gt;/scriptApproval/]           		New: Hi,

          We have the following configuration in a job:

          {code}
            <builders>
              <org.jenkinsci.plugins.conditionalbuildstep.ConditionalBuilder plugin="conditional-buildstep@1.3.3">
                <runner class="org.jenkins_ci.plugins.run_condition.BuildStepRunner$Fail" plugin="run-condition@1.0"/>
                <runCondition class="org.jenkins_ci.plugins.run_condition.core.ExpressionCondition" plugin="run-condition@1.0">
                  <expression>[24][x0-9][0-9]{2}</expression>
                  <label>${TYPE}</label>
                </runCondition>
            ...
          {code}

          When the [Script Security Plugin|https://wiki.jenkins-ci.org/display/JENKINS/Script+Security+Plugin] is installed, we get the following error:

          {code}
          SEVERE: Failed Loading job MyJob
          org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter matchRegex java.lang.Object java.lang.Object
                  at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectStaticMethod(StaticWhitelist.java:164)
                  at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onStaticCall(SandboxInterceptor.java:100)
                  at org.kohsuke.groovy.sandbox.impl.Checker$2.call(Checker.java:115)
                  at org.kohsuke.groovy.sandbox.impl.Checker.checkedStaticCall(Checker.java:112)
                  at sun.reflect.GeneratedMethodAccessor108.invoke(Unknown Source)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                  at java.lang.reflect.Method.invoke(Method.java:606)
                  at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:90)
                  at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:233)
                  at org.codehaus.groovy.runtime.callsite.StaticMetaMethodSite.invoke(StaticMetaMethodSite.java:43)
                  at org.codehaus.groovy.runtime.callsite.StaticMetaMethodSite.callStatic(StaticMetaMethodSite.java:99)
                  at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:50)
                  at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:157)
                  at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:177)
                  at Script1.run(Script1.groovy:1)
                  at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:139)
                  at hudson.matrix.FilterScript.evaluate(FilterScript.java:45)
                  at hudson.matrix.FilterScript.apply(FilterScript.java:85)
                  at hudson.matrix.Combination.evalGroovyExpression(Combination.java:101)
                  at hudson.matrix.Combination.evalGroovyExpression(Combination.java:91)
                  at hudson.matrix.MatrixProject.rebuildConfigurations(MatrixProject.java:638)
                  at hudson.matrix.MatrixProject.onLoad(MatrixProject.java:505)
                  at hudson.model.Items.load(Items.java:279)
                  at jenkins.model.Jenkins$17.run(Jenkins.java:2673)
                  at org.jvnet.hudson.reactor.TaskGraphBuilder$TaskImpl.run(TaskGraphBuilder.java:169)
                  at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:282)
                  at jenkins.model.Jenkins$7.runTask(Jenkins.java:903)
                  at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:210)
                  at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:117)
                  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
                  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
                  at java.lang.Thread.run(Thread.java:745)
          {code}

          *Note*: The current _workaround_ is to "_Approve_" the script via [http://&lt;jenkins-url&gt;/scriptApproval/]
          Environment Original: Jenkins 1.596.2 New: Jenkins 1.596.2 LTS
          Dominik Bartholdi made changes -
          Resolution New: Not A Defect [ 7 ]
          Status Original: Open [ 1 ] New: Resolved [ 5 ]
          R. Tyler Croy made changes -
          Workflow Original: JNJira [ 162551 ] New: JNJira + In-Review [ 196981 ]

            domi Dominik Bartholdi
            tom_ghyselinck Tom Ghyselinck
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: