• Type: Bug
• Resolution: Not A Defect
• Priority: Minor
• Component/s: pipeline-model-definition-plugin, script-security-plugin, workflow-cps-global-lib-plugin
• Labels:

  None
• Environment:

  Jenkins 2.32.3 LTS, with
  - script-security 1.27
  - workflow-cps-global-lib 2.7
  - pipeline-model-definition 1.1.1

[JENKINS-42891] Using `vars/pipeline.groovy` causes script-security error starting with Jenkins 2.32.3

Torben Knerr created issue - 2017-03-17 17:58

Torben Knerr made changes - 2017-03-17 18:02

Description

Original: We are using a global lib with `vars/pipeline.groovy` in Jenkins 2.32.1 and everything works fine. When using the same lib with Jenkins 2.32.3 we suddenly get failing pipeline builds with this error:   {code:java} org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object (org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter doTry org.jenkinsci.plugins.workflow.cps.CpsClosure2) at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:183) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:117) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:103) at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:149) at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:146) at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:16) ...{code}     The `vars/pipeline.groovy` looks as simple as that:   {code:java} def doStuff() {     echo "hello!" }{code}   And within our `Jenkinsfile` we call it like that:   {code:java} node {     stage("do stuff") {         pipeline.doStuff()     } }{code}   It pretty much looks like a script-security plugin issue on first sight. (this was updated from 1.25 to 1.27 when we use Jenkins 2.32.3).  However, after having simplified our `vars/pipeline.groovy` to such a mininmal helper method example there is really nothing that script security should complain about. But it still does throw the exception above. In a desperate move I renamed `vars/pipeline.groovy` to `vars/wat.groovy`, and guess what? It works... So my conclusion is that it must have something to do with either the name `pipeline.groovy`, or simply a variable named `pipeline` being implicitly defined in the global scope with newer Jenkins versions. I'm not sure which component exactly produces the error, so the ones I assigned are the most likely culprits for me.

New: We are using a global lib with `vars/pipeline.groovy` in Jenkins 2.32.1 and everything works fine. When using the same lib with Jenkins 2.32.3 we suddenly get failing pipeline builds with this error:   {code:java} org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object (org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter doTry org.jenkinsci.plugins.workflow.cps.CpsClosure2) at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:183) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:117) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:103) at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:149) at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:146) at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:16) ...{code}    The `vars/pipeline.groovy` looks as simple as that: {code:java} def doStuff() {     echo "hello!" }{code}   And within our `Jenkinsfile` we call it like that: {code:java} node {     stage("do stuff") {         pipeline.doStuff() // throws above exception     } }{code}   It pretty much looks like a script-security plugin issue on first sight. (this was updated from 1.25 to 1.27 when we use Jenkins 2.32.3).  However, after having simplified our `vars/pipeline.groovy` to such a mininmal helper method example there is really nothing that script security should complain about. But it still does throw the exception above. In a desperate move I renamed `vars/pipeline.groovy` to `vars/wat.groovy`, and guess what? It works... {code:java} node {     stage("do stuff") {         wat.doStuff() // works!     } } {code} So my conclusion is that it must have something to do with either the name `pipeline.groovy`, or simply a variable named `pipeline` being implicitly defined in the global scope with newer Jenkins versions. I'm not sure which component exactly produces the error, so the ones I assigned are the most likely culprits for me.

Collapse comment: Andrew Bayer added a comment - 2017-03-17 22:52

Andrew Bayer added a comment - 2017-03-17 22:52

Sadly, once you've got Declarative Pipelines installed (which comes automatically now), you can't have a variable in your Pipelines named pipeline, just as you can't have one named docker or scm or env - trying to use the same name as a global variable will just cause problems. So you should rename your vars/pipeline.groovy to something else. Sorry for the inconvenience.

Expand comment: Andrew Bayer added a comment - 2017-03-17 22:52

Andrew Bayer added a comment - 2017-03-17 22:52 Sadly, once you've got Declarative Pipelines installed (which comes automatically now), you can't have a variable in your Pipelines named pipeline , just as you can't have one named docker or scm or env - trying to use the same name as a global variable will just cause problems. So you should rename your vars/pipeline.groovy to something else. Sorry for the inconvenience.

Andrew Bayer made changes - 2017-03-17 22:52

Resolution		New: Not A Defect [ 7 ]
Status	Original: Open [ 1 ]	New: Resolved [ 5 ]

Collapse comment: Torben Knerr added a comment - 2017-03-18 11:46

Torben Knerr added a comment - 2017-03-18 11:46

abayer I have assumed something like this, but this was only after hours of debugging.

Questions:

• Is this new behaviour documented somewhere, like a warning / breaking changes in the CHANGELOG?
• Can you point me to the complete list of variables that can no longer be used?
• Would it be possible to check for inappropriate usage of these vars and throw a proper exception with a meaningful message instead?

While I am somehow "sensitized" for this error now, I bet others will be tapping in the dark when they suddenly get totally unrelated exceptions like the one reported above.

What do you think?

 

Expand comment: Torben Knerr added a comment - 2017-03-18 11:46

Torben Knerr added a comment - 2017-03-18 11:46 abayer I have assumed something like this, but this was only after hours of debugging. Questions: Is this new behaviour documented somewhere, like a warning / breaking changes in the CHANGELOG? Can you point me to the complete list of variables that can no longer be used? Would it be possible to check for inappropriate usage of these vars and throw a proper exception with a meaningful message instead? While I am somehow "sensitized" for this error now, I bet others will be tapping in the dark when they suddenly get totally unrelated exceptions like the one reported above. What do you think?  

Collapse comment: Liam Newman added a comment - 2019-10-23 03:21

Liam Newman added a comment - 2019-10-23 03:21

Bulk closing resolved issues.

Expand comment: Liam Newman added a comment - 2019-10-23 03:21

Liam Newman added a comment - 2019-10-23 03:21 Bulk closing resolved issues.

Liam Newman made changes - 2019-10-23 03:21

Status

Original: Resolved [ 5 ]

New: Closed [ 6 ]