JENKINS-42192

permissive-security-script plugin should not log full stacktrace

      Description

      Hi,

      the plugin runs perfectly BUT it has a tendency to spam jenkins' log files with useless stacktraces.
      These messages are on level 'INFO', for sure, but it's still a lot of noise for nothing.

      INFO: Unsecure signature found: staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint
      org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint
              at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectStaticMethod(StaticWhitelist.java:190)
              at org.jenkinsci.plugins.permissivescriptsecurity.PermissiveWhitelist.permitsStaticMethod(PermissiveWhitelist.java:63)
              at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.ProxyWhitelist.permitsStaticMethod(ProxyWhitelist.java:140)
              at org.jenkinsci.plugins.workflow.cps.GroovyClassLoaderWhitelist.permitsStaticMethod(GroovyClassLoaderWhitelist.java:60)
              at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onStaticCall(SandboxInterceptor.java:139)
              at org.kohsuke.groovy.sandbox.impl.Checker$2.call(Checker.java:180)
              at org.kohsuke.groovy.sandbox.impl.Checker.checkedStaticCall(Checker.java:177)
              at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:91)
              at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:16)
              at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:57)
              at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:109)
              at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixName(FunctionCallBlock.java:77)
              at sun.reflect.GeneratedMethodAccessor127.invoke(Unknown Source)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
              at com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21)
              at com.cloudbees.groovy.cps.Next.step(Next.java:58)
              at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:154)
              at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:18)
              at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:33)
              at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:30)
              at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:108)
              at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:30)
      

      Having the exception message would be enough:

      INFO: Unsecure signature found: staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint
      org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint
      

      It sure is a minor issue ... yet when looking for real errors in log files it's painful to skip all these stacks.

      Why not add the full log message when the logging level is set to DEBUG?
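A log-triage filter for the noise described in this issue, added here as an example (not code from the plugin or from anyone in this thread): it drops the stack frames of permissive-mode rejection records, keeps the traces of every other exception, and counts each distinct signature. It assumes the two record layouts quoted on this page; `condense` and the sample log are constructed for illustration.

```python
import re
from collections import Counter

# Message text and exception class as they appear in the log excerpts on this page.
SIG_RE = re.compile(
    r"Unsecure signature found: (.+?)"
    r"(?:\s+org\.jenkinsci\.plugins\.scriptsecurity\.sandbox\.RejectedAccessException:.*)?$"
)
REJECTED_PREFIX = "org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException:"
FRAME_RE = re.compile(r"^\s+at \S+\(.*\)\s*$")


def condense(log_text):
    """Return (kept_lines, signature_counts); frames are dropped only inside
    a rejection record, so traces of other exceptions stay in the output."""
    kept, counts, in_rejection = [], Counter(), False
    for line in log_text.splitlines():
        match = SIG_RE.search(line)
        if match:
            counts[match.group(1).strip()] += 1
            kept.append(line)
            in_rejection = True
        elif in_rejection and line.strip().startswith(REJECTED_PREFIX):
            kept.append(line)  # the one-line exception message is still useful
        elif in_rejection and FRAME_RE.match(line):
            continue  # frame of the rejection's stack trace: noise for triage
        else:
            in_rejection = False
            kept.append(line)
    return kept, counts


# Constructed sample: two records in the layouts quoted on this page (frames
# shortened), plus an unrelated, made-up error whose trace must be preserved.
SAMPLE_LOG = """\
INFO: Unsecure signature found: staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint
        at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectStaticMethod(StaticWhitelist.java:190)
        at org.jenkinsci.plugins.permissivescriptsecurity.PermissiveWhitelist.permitsStaticMethod(PermissiveWhitelist.java:63)
SEVERE: Constructed unrelated failure
java.io.IOException: constructed example error
        at com.example.Constructed.run(Constructed.java:1)
Sep 11, 2018 8:51:24 AM INFO org.jenkinsci.plugins.permissivescriptsecurity.PermissiveWhitelist$Mode$2 act
Unsecure signature found: staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint
"""

if __name__ == "__main__":
    lines, seen = condense(SAMPLE_LOG)
    print("\n".join(lines))
    for signature, n in seen.most_common():
        print(f"{n:4d}  {signature}")
```

The per-signature counts give a short list of what sandboxed scripts actually called while the plugin was permitting everything, which is easier to review than the raw log.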

          Activity

          squalou squalou jenkins created issue -
          olivergondza Oliver Gondža added a comment -

          I agree, the reason I want it to print the full stacktrace is so that admins have an idea where it came from so they can do something about that. BTW, I would like to discourage you from using this plugin to circumvent pipeline security - that is not what it is meant to do.

          squalou squalou jenkins added a comment - - edited

          What was it meant to do then?

          Half joking, but seriously: you can call a 'sh' which will rm -rf anything, with no security issue, so I personally think that the 'approval' thing is just a useless pain. Great thing that this plugin is available.

          I use the plugin to have things work for a while, and once all the typical jobs have run (without blocking), I store the approved lists and remove the plugin. When managing over 80 instances, you can imagine how helpful this plugin is!

          bkmeneguello Bruno Meneguello added a comment -

          I do agree with squalou jenkins, the pipeline security is a nice feature in environments where various users are able to create jobs by themselves, but is a nightmare where only admins create jobs. This is my case. In my company only I create and configure jobs. This plugin is the "opt out" feature missing for pipeline script security.

          olivergondza Oliver Gondža added a comment -

          But if those scripts are introduced into Jenkins by administrator, they should be immediately approved and there is no reason to use this plugin (as it would not log anything). I therefore presume, users are permitted to introduce new groovy scripts.

          If we really want to implement script-security opt-out and advertise it as such, this needs to be discussed with security board.

          bkmeneguello Bruno Meneguello added a comment -

          I have a lot of SCM based build scripts, projects and libraries. They are always sandboxed.
          I think the opt-out may exist as a plugin, like this one. But it should be non-intrusive and keep logs clean. I don't think the security plugin must be modified, but this one should be a first-class citizen for these use cases.

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oliver Gondža
          Path:
          pom.xml
          src/main/java/org/jenkinsci/plugins/permissivescriptsecurity/PermissiveWhitelist.java
          src/test/java/org/jenkinsci/plugins/permissivescriptsecurity/PermissiveWhitelistTest.java
          http://jenkins-ci.org/commit/permissive-script-security-plugin/54123d6c81df5fd0e223826ea6625ae7ee54904d
          Log:
          [FIXED JENKINS-42192] Add support for silent mode.

          scm_issue_link SCM/JIRA link daemon made changes -
          Field | Original Value | New Value
          Resolution | | Fixed [ 1 ]
          Status | Open [ 1 ] | Resolved [ 5 ]
          benh57 Ben Hines added a comment -

          Any plans to release this? Plugin is still 0.1 on the plugin center.

          benh57 Ben Hines added a comment -

          Ah, the update does appear in Jenkins, just the wikipage itself still reads as 0.1.

          akom Alexander Komarov added a comment -

          I'm still seeing this today with plugin version 0.3 and Jenkins 2.141 :
          Sep 11, 2018 8:51:24 AM INFO org.jenkinsci.plugins.permissivescriptsecurity.PermissiveWhitelist$Mode$2 act
          Unsecure signature found: staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint

           

          No matter how many times I've approved this signature in scriptApproval, this still keeps appearing.

          akom Alexander Komarov made changes -
          Status | Resolved [ 5 ] | In Review [ 10005 ]
          olivergondza Oliver Gondža added a comment -

          Alexander Komarov, based on the stacktrace it appears your config is -Dpermissive-script-security.enabled=true and not -Dpermissive-script-security.enabled=no_security. Put differently, the plugin is still expected to be chatty about sandbox violations when configured with true, no_security is here to turn it off completely. Be sure to check the plugin page for implications: https://plugins.jenkins.io/permissive-script-security

          olivergondza Oliver Gondža made changes -
          Status | In Review [ 10005 ] | Resolved [ 5 ]
          akom Alexander Komarov added a comment -

          Oliver Gondža thank you for the clarification, I failed to read the docs carefully.

          psk1987 Prachi Khadke added a comment -

          Oliver Gondža, setting -Dpermissive-script-security.enabled=no_security means turning off security completely. Isn't there a way to keep the security turned on but still prevent the scriptApproval from appearing every time? I've approved other signatures for my pipeline scripts in the past without having to re-approve repeatedly. The fact that the scriptApproval keeps reappearing despite explicit approval seems like a bug.

          olivergondza Oliver Gondža added a comment -

          Prachi Khadke, can you be more specific? What this plugin does is turn the security off. If you want it on and there is something that does not work the way you like, I believe that is a FRE for script-security plugin itself.

          psk1987 Prachi Khadke added a comment - - edited

          I am having the same problem as Alexander Komarov.

          Scripts not permitted to use staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint.
          Administrators can decide whether to approve or reject this signature.
          

          I have approved the signature several times without any difference. My build still fails with the same error. Also tried setting -Dpermissive-script-security.enabled=no_security in the /etc/sysconfig/jenkins config file to no avail.

          But my point is the fact that the build failing with the error above despite approving the signature is a bug. I shouldn't have to disable permissive script security for my builds to run. And I should be able to approve operations explicitly to run within the sandbox.

          sharkannon Stephen Herd added a comment - - edited

          I believe one of the most recent plugin changes to Jenkins has changed this behavior since this used to work just fine but in the last week or so. Unfortunately I'm not sure which plugin may be conflicting with the permissive script plugin.

          Versions:

          Jenkins: 1.164.2 LTS
          Permissive Script Security Plugin: 0.3
          Script Security Plugin: 1.58

          We have about 30 other plugins as well, just thought these would be the most relevant.


            People

            Assignee: olivergondza Oliver Gondža
            Reporter: squalou squalou jenkins
            Votes: 1
            Watchers: 9
