• Type: Bug
• Resolution: Not A Defect
• Priority: Minor
• Component/s: pipeline-model-definition-plugin, script-security-plugin, workflow-cps-global-lib-plugin
• Labels:

  None
• Environment:

  Jenkins 2.32.3 LTS, with
  - script-security 1.27
  - workflow-cps-global-lib 2.7
  - pipeline-model-definition 1.1.1

[JENKINS-42891] Using `vars/pipeline.groovy` causes script-security error starting with Jenkins 2.32.3

Torben Knerr created issue - 2017-03-17 17:58

Torben Knerr made changes - 2017-03-17 18:02

Description

Original: We are using a global lib with `vars/pipeline.groovy` in Jenkins 2.32.1 and everything works fine. When using the same lib with Jenkins 2.32.3 we suddenly get failing pipeline builds with this error:   {code:java} org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object (org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter doTry org.jenkinsci.plugins.workflow.cps.CpsClosure2) at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:183) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:117) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:103) at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:149) at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:146) at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:16) ...{code}     The `vars/pipeline.groovy` looks as simple as that:   {code:java} def doStuff() {     echo "hello!" }{code}   And within our `Jenkinsfile` we call it like that:   {code:java} node {     stage("do stuff") {         pipeline.doStuff()     } }{code}   It pretty much looks like a script-security plugin issue on first sight. (this was updated from 1.25 to 1.27 when we use Jenkins 2.32.3).  However, after having simplified our `vars/pipeline.groovy` to such a mininmal helper method example there is really nothing that script security should complain about. But it still does throw the exception above. In a desperate move I renamed `vars/pipeline.groovy` to `vars/wat.groovy`, and guess what? It works... So my conclusion is that it must have something to do with either the name `pipeline.groovy`, or simply a variable named `pipeline` being implicitly defined in the global scope with newer Jenkins versions. I'm not sure which component exactly produces the error, so the ones I assigned are the most likely culprits for me.

New: We are using a global lib with `vars/pipeline.groovy` in Jenkins 2.32.1 and everything works fine. When using the same lib with Jenkins 2.32.3 we suddenly get failing pipeline builds with this error:   {code:java} org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object (org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter doTry org.jenkinsci.plugins.workflow.cps.CpsClosure2) at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:183) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:117) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:103) at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:149) at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:146) at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:16) ...{code}    The `vars/pipeline.groovy` looks as simple as that: {code:java} def doStuff() {     echo "hello!" }{code}   And within our `Jenkinsfile` we call it like that: {code:java} node {     stage("do stuff") {         pipeline.doStuff() // throws above exception     } }{code}   It pretty much looks like a script-security plugin issue on first sight. (this was updated from 1.25 to 1.27 when we use Jenkins 2.32.3).  However, after having simplified our `vars/pipeline.groovy` to such a mininmal helper method example there is really nothing that script security should complain about. But it still does throw the exception above. In a desperate move I renamed `vars/pipeline.groovy` to `vars/wat.groovy`, and guess what? It works... {code:java} node {     stage("do stuff") {         wat.doStuff() // works!     } } {code} So my conclusion is that it must have something to do with either the name `pipeline.groovy`, or simply a variable named `pipeline` being implicitly defined in the global scope with newer Jenkins versions. I'm not sure which component exactly produces the error, so the ones I assigned are the most likely culprits for me.

Andrew Bayer made changes - 2017-03-17 22:52

Resolution		New: Not A Defect [ 7 ]
Status	Original: Open [ 1 ]	New: Resolved [ 5 ]

Liam Newman made changes - 2019-10-23 03:21

Status

Original: Resolved [ 5 ]

New: Closed [ 6 ]