-
Bug
-
Resolution: Unresolved
-
Major
-
Jenkins 1.625.3
workflow-plugin 1.13
-
Powered by SuggestiMate
JenkinsFile SandBox error raised if the pipeline definition uses Enumerations:
Caused by: org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: unclassified staticMethod package.EnumX $INIT java.lang.String java.lang.Integer
- depends on
-
JENKINS-34739 Varargs not supported
-
- Resolved
-
- is duplicated by
-
JENKINS-35294 Varags arguments to enum constructors don't work
-
- Resolved
-
- is related to
-
JENKINS-25119 Sandbox cannot handle methods Groovy provides additionally
-
- Resolved
-
[JENKINS-33023] Enums are not supported in sandbox
Code changed in jenkins
User: Jesse Glick
Path:
src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovyCallSiteSelector.java
src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java
http://jenkins-ci.org/commit/script-security-plugin/5b4623a06fe580a7beca083948fc9d99adac1b76
Log:
Merge pull request #58 from magnusr/feature/enums
[FIXED JENKINS-33023] Support enum initializers
Compare: https://github.com/jenkinsci/script-security-plugin/compare/65d1e7d0e721...5b4623a06fe5
You say it passed in Jenkins 1.x but fails in 2.x? Perhaps a matter of Groovy 1.x vs. 2.x (the bundled version was updated).
Code changed in jenkins
User: Jesse Glick
Path:
src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/EnumeratingWhitelist.java
src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist
src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java
http://jenkins-ci.org/commit/script-security-plugin/c5443401bbe7984bacc731f331fa4b35c5f481dd
Log:
JENKINS-33023 Making sure we can really use enums without extra whitelisting.
Code changed in jenkins
User: Jesse Glick
Path:
src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/EnumeratingWhitelist.java
src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist
src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java
http://jenkins-ci.org/commit/script-security-plugin/00d5aaf7a1a6d8a719183ff946f2c986d85178d3
Log:
Merge pull request #61 from jglick/enums-cleanup
JENKINS-33023 Making sure we can really use enums without extra whitelisting
Compare: https://github.com/jenkinsci/script-security-plugin/compare/cbcf93730504...00d5aaf7a1a6
Code changed in jenkins
User: Jesse Glick
Path:
src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist
src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java
http://jenkins-ci.org/commit/script-security-plugin/57d6eb30126ea3dbebc71e67cc5719e799fb6d83
Log:
JENKINS-33023 Expanding test case to show that binary enums are OK too.
I tried to use the simplest form of an enumeration in Java:
enum Thing {
FIRST,
SECOND;
}
Thing thing = Thing.FIRST;
This gives me a sandbox error:
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use new java.util.LinkedHashMap at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectNew(StaticWhitelist.java:184) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onNewInstance(SandboxInterceptor.java:148) at org.kohsuke.groovy.sandbox.impl.Checker$3.call(Checker.java:197) at org.kohsuke.groovy.sandbox.impl.Checker.checkedConstructor(Checker.java:202) at org.kohsuke.groovy.sandbox.impl.Checker$checkedConstructor$0.callStatic(Unknown Source) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:214) at Thing.<init>(WorkflowScript) at Thing.$INIT(WorkflowScript) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:93) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325) at org.codehaus.groovy.runtime.callsite.StaticMetaMethodSite.invoke(StaticMetaMethodSite.java:46) at org.codehaus.groovy.runtime.callsite.StaticMetaMethodSite.callStatic(StaticMetaMethodSite.java:102) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194) at org.kohsuke.groovy.sandbox.impl.Checker$2.call(Checker.java:188) at org.kohsuke.groovy.sandbox.GroovyInterceptor.onStaticCall(GroovyInterceptor.java:35) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onStaticCall(SandboxInterceptor.java:158) at org.kohsuke.groovy.sandbox.impl.Checker$2.call(Checker.java:186) at org.kohsuke.groovy.sandbox.impl.Checker.checkedStaticCall(Checker.java:190) at org.kohsuke.groovy.sandbox.impl.Checker$checkedStaticCall.callStatic(Unknown Source) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:222) at Thing.<clinit>(WorkflowScript) at sun.misc.Unsafe.ensureClassInitialized(Native Method) at sun.reflect.UnsafeFieldAccessorFactory.newFieldAccessor(UnsafeFieldAccessorFactory.java:43) at sun.reflect.ReflectionFactory.newFieldAccessor(ReflectionFactory.java:156) at java.lang.reflect.Field.acquireFieldAccessor(Field.java:1088) at java.lang.reflect.Field.getFieldAccessor(Field.java:1069) at java.lang.reflect.Field.get(Field.java:393) at org.codehaus.groovy.reflection.CachedField.getProperty(CachedField.java:54) at groovy.lang.MetaClassImpl.getProperty(MetaClassImpl.java:1803) at groovy.lang.MetaClassImpl.getProperty(MetaClassImpl.java:3758) at org.codehaus.groovy.runtime.InvokerHelper.getProperty(InvokerHelper.java:177) at org.codehaus.groovy.runtime.ScriptBytecodeAdapter.getProperty(ScriptBytecodeAdapter.java:456) at org.kohsuke.groovy.sandbox.impl.Checker$6.call(Checker.java:286) at org.kohsuke.groovy.sandbox.GroovyInterceptor.onGetProperty(GroovyInterceptor.java:68) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:368) at org.kohsuke.groovy.sandbox.impl.Checker$6.call(Checker.java:284) at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:288) at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.getProperty(SandboxInvoker.java:29) at com.cloudbees.groovy.cps.impl.PropertyAccessBlock.rawGet(PropertyAccessBlock.java:20) Caused: java.lang.ExceptionInInitializerError at sun.misc.Unsafe.ensureClassInitialized(Native Method) at sun.reflect.UnsafeFieldAccessorFactory.newFieldAccessor(UnsafeFieldAccessorFactory.java:43) at sun.reflect.ReflectionFactory.newFieldAccessor(ReflectionFactory.java:156) at java.lang.reflect.Field.acquireFieldAccessor(Field.java:1088) at java.lang.reflect.Field.getFieldAccessor(Field.java:1069) at java.lang.reflect.Field.get(Field.java:393) at org.codehaus.groovy.reflection.CachedField.getProperty(CachedField.java:54) at groovy.lang.MetaClassImpl.getProperty(MetaClassImpl.java:1803) at groovy.lang.MetaClassImpl.getProperty(MetaClassImpl.java:3758) at org.codehaus.groovy.runtime.InvokerHelper.getProperty(InvokerHelper.java:177) at org.codehaus.groovy.runtime.ScriptBytecodeAdapter.getProperty(ScriptBytecodeAdapter.java:456) at org.kohsuke.groovy.sandbox.impl.Checker$6.call(Checker.java:286) at org.kohsuke.groovy.sandbox.GroovyInterceptor.onGetProperty(GroovyInterceptor.java:68) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:368) at org.kohsuke.groovy.sandbox.impl.Checker$6.call(Checker.java:284) at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:288) at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.getProperty(SandboxInvoker.java:29) at com.cloudbees.groovy.cps.impl.PropertyAccessBlock.rawGet(PropertyAccessBlock.java:20) at WorkflowScript.run(WorkflowScript:6) at ___cps.transform___(Native Method) at com.cloudbees.groovy.cps.impl.PropertyishBlock$ContinuationImpl.get(PropertyishBlock.java:74) at com.cloudbees.groovy.cps.LValueBlock$GetAdapter.receive(LValueBlock.java:30) at com.cloudbees.groovy.cps.impl.PropertyishBlock$ContinuationImpl.fixName(PropertyishBlock.java:66) at sun.reflect.GeneratedMethodAccessor371.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72) at com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21) at com.cloudbees.groovy.cps.Next.step(Next.java:83) at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:174) at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:163) at org.codehaus.groovy.runtime.GroovyCategorySupport$ThreadCategoryInfo.use(GroovyCategorySupport.java:122) at org.codehaus.groovy.runtime.GroovyCategorySupport.use(GroovyCategorySupport.java:261) at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:163) at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:19) at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:35) at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:32) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:108) at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:32) at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:174) at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:331) at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$100(CpsThreadGroup.java:82) at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:243) at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:231) at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:64) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:131) at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
Adding a public constructor solves the sandbox problem:
enum Thing { FIRST, SECOND; public Thing() {} } Thing thing = Thing.FIRST;
Is this desired behaviour?
Similar behavior in Jenkins 2.235.x, similar error "Scripts not permitted to use new java.util.LinkedHashMap" showing that jenkins is trying to use the LinkedHashMap in the background for plain-old enums. So same question, is this the desired behavior ?
Similar behavior
Not helpful. The exact syntax matters. Each case is basically a distinct bug.
Same thing happens with Strings:
I think this happens on call to this function: