Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-37378

Sandbox approval exceptions get hidden by try/catch pattern


    • Icon: Bug Bug
    • Resolution: Duplicate
    • Icon: Minor Minor
    • pipeline
    • None

      Take the given example Pipeline:

      try {    
          node {
              List envVars = []
              List newVars = ['one', 'two']
              echo "hello world"
      catch (exc) {
          echo "I'm going to mail a build failure out about: ${exc}"
          currentBuild.result = 'FAILURE'

      Which prints:

      Started by user admin
      [Pipeline] node
      Running on Azure0812014523 in /home/azureuser/workspace/Experiments/script-approval
      [Pipeline] {
      [Pipeline] }
      [Pipeline] // node
      [Pipeline] echo
      I'm going to mail a build failure out about: org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method java.util.Collection addAll java.util.Collection
      [Pipeline] End of Pipeline
      Finished: FAILURE

      Unfortunately it seems that catching exceptions, which is as far as I know the standard pattern for reporting on build failures/errors, can also prevent Script Approval from working properly.

      One work-around would be to always add the following to catch blocks:

          if (exc.class == org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException) {
              throw exc

      This works but needing to always include this in order to ensure that my In-process Script Approval seems very hackish. IMO Pipeline shouldn't be relying on exceptions bubbling out of the Pipeline for In-process script approvals.

            jglick Jesse Glick
            rtyler R. Tyler Croy
            0 Vote for this issue
            2 Start watching this issue