[JENKINS-43813] Scripts not permitted to use a method already approve in In-process Script Approval GUI

Rich Schumacher added a comment - 2017-04-25 18:43 - edited

I'm seeing the same thing with my custom parsers; the built-in warning parsers seem to be fine.

Jenkins version: 2.19.4
warnings plugin version: 4.62
analysis-core plugin version: 1.86

Rich Schumacher added a comment - 2017-04-25 18:43 - edited I'm seeing the same thing with my custom parsers; the built-in warning parsers seem to be fine. Jenkins version: 2.19.4 warnings plugin version: 4.62 analysis-core plugin version: 1.86

Romaric CRAILOX added a comment - 2017-04-26 15:08

I work on :

Jenkins 2.55
I don't have warning and analysis-core plugin in my plugin list

Romaric CRAILOX added a comment - 2017-04-26 15:08 I work on : Jenkins 2.55 I don't have warning and analysis-core plugin in my plugin list

Romaric CRAILOX added a comment - 2017-04-26 15:13

Furthermore I have Permissive Script Security Plugin installed...

Romaric CRAILOX added a comment - 2017-04-26 15:13 Furthermore I have Permissive Script Security Plugin installed...

Derrick Gibelyou added a comment - 2017-04-26 17:43

Same here. I was able to revert to 4.60 as a work around.

Derrick Gibelyou added a comment - 2017-04-26 17:43 Same here. I was able to revert to 4.60 as a work around.

Romaric CRAILOX added a comment - 2017-04-27 06:19

derrickgw, which elements do you give the version ?

Romaric CRAILOX added a comment - 2017-04-27 06:19 derrickgw , which elements do you give the version ?

Derrick Gibelyou added a comment - 2017-04-27 15:24

romaric, I'm not sure I understand your question, but I will elaborate.

I am using Jenkins 2.32.3 & analysis-core ("Static Analysis Utilities") version 1.86.

Using the Warnings plugin 4.62 prevents my custom error parsers from working. Downgrading back to 4.60 works as expected.

The commit that broke it is this one: https://github.com/jenkinsci/warnings-plugin/commit/c59dd109dab6cf3a9f28ab6b221d402726d0f4aa

The commit comment says it all: "Merged security fixes into master (Groovy Sandbox for parsers)". The thing is, only admins can edit the parsers, since they live on the system configuration page. So if an admin writes the script, it should be automatically approved, and not have to run in the sandbox. I don't see how making the admin approve the scripts that he just wrote adds anything to security.

Derrick Gibelyou added a comment - 2017-04-27 15:24 romaric , I'm not sure I understand your question, but I will elaborate. I am using Jenkins 2.32.3 & analysis-core ("Static Analysis Utilities") version 1.86. Using the Warnings plugin 4.62 prevents my custom error parsers from working. Downgrading back to 4.60 works as expected. The commit that broke it is this one: https://github.com/jenkinsci/warnings-plugin/commit/c59dd109dab6cf3a9f28ab6b221d402726d0f4aa The commit comment says it all: "Merged security fixes into master (Groovy Sandbox for parsers)". The thing is, only admins can edit the parsers, since they live on the system configuration page. So if an admin writes the script, it should be automatically approved, and not have to run in the sandbox. I don't see how making the admin approve the scripts that he just wrote adds anything to security.

Romaric CRAILOX added a comment - 2017-05-02 14:57 - edited

derrickgw, yes you had understood well my question, thanks for the workaround, it is working for mee too.

I update the ticket.

Romaric CRAILOX added a comment - 2017-05-02 14:57 - edited derrickgw , yes you had understood well my question, thanks for the workaround, it is working for mee too. I update the ticket.

Paul Schwann added a comment - 2017-05-04 08:33 - edited

Hi there, just my 2 cents:

Approving the scripts doesnt help me. I have approved everything I could find multiple times but not change.
The problemantic error message is shown when parsing a log file, not the output log.
I have the warning plugin 4.62 and can only revert to 4.61, not 4.60 as suggested in previous comments.
In Jenkins script approval settings screen, I have the notification that method java.util.regex.MatchResult group int needs to be approved. But its is already listed in both text boxes as approved:

So I am stuck now with a partly dysfunctional Jenkins which is pretty sad. Is there anything I can do?

Thank you!

Best Regards

Paul

Paul Schwann added a comment - 2017-05-04 08:33 - edited Hi there, just my 2 cents: Approving the scripts doesnt help me. I have approved everything I could find multiple times but not change. The problemantic error message is shown when parsing a log file, not the output log. I have the warning plugin 4.62 and can only revert to 4.61, not 4.60 as suggested in previous comments. In Jenkins script approval settings screen, I have the notification that method java.util.regex.MatchResult group int needs to be approved. But its is already listed in both text boxes as approved: So I am stuck now with a partly dysfunctional Jenkins which is pretty sad. Is there anything I can do? Thank you! Best Regards Paul

Romaric CRAILOX added a comment - 2017-05-09 06:32

Sorry Paul Schwann, can't help you... I don't know why you can't revert warning plugin before 4.61...

Romaric CRAILOX added a comment - 2017-05-09 06:32 Sorry Paul Schwann, can't help you... I don't know why you can't revert warning plugin before 4.61...

Roman Zwi added a comment - 2017-05-22 09:02

For us it's quite serious that the parser failes silently - so we are happily getting successful builds although they should have failed.
It took some days until we got aware of this - during this time we could've merged faulty code without knowing.

Roman Zwi added a comment - 2017-05-22 09:02 For us it's quite serious that the parser failes silently - so we are happily getting successful builds although they should have failed. It took some days until we got aware of this - during this time we could've merged faulty code without knowing.

Nico Falk added a comment - 2017-06-01 05:27

Same problem here.

Could also be "fixed" by downgrading to 4.60

In my case, the problem with 4.62 occurs on node only, not on jobs running on master.

Nico Falk added a comment - 2017-06-01 05:27 Same problem here. Could also be "fixed" by downgrading to 4.60 In my case, the problem with 4.62 occurs on node only, not on jobs running on master.

Nico Falk added a comment - 2017-06-07 04:49

Please have a look at ~~JENKINS-44332~~

There, I posted steps to reproduce the problem. Not sure if it is this plugin or script security plugin

Nico Falk added a comment - 2017-06-07 04:49 Please have a look at JENKINS-44332 There, I posted steps to reproduce the problem. Not sure if it is this plugin or script security plugin

Nico Falk added a comment - 2017-06-09 04:10

Steps to reproduce:

1) Install warnings plugin 4.62

2) Go to "Manage Jenkins" -> "Configure System" -> "Compiler Warnings"

3) Add parser as shown in attached screenshot (parser.PNG)

4) Generate freestyle job and add a build step (here: Windows batch) and post build action as shown in attached screenshot (job.PNG)

5) Run the job on master (therefore, you can select "Restrict where this project can be run" to "master" in the job configuration)

6) It should work (probably you need to approve permissions) and you should see the following console output:
[WARNINGS] Parsing warnings in files 'foo.txt' with parser Dummy Parser
[WARNINGS] Searching for all files in C:\Program Files (x86)\Jenkins\workspace\TestWarnings that match the pattern foo.txt
[WARNINGS] Parsing 1 file in C:\Program Files (x86)\Jenkins\workspace\TestWarnings
[WARNINGS] Successfully parsed file C:\Program Files (x86)\Jenkins\workspace\TestWarnings\foo.txt with 1 unique warning and 0 duplicates.
[WARNINGS] Computing warning deltas based on reference build #9
Finished: SUCCESS
7) Change "Restrict where this project can be run" to a node (yes, sorry, you need to have a node) and start the job again. Now, you always see a pending approval which was already approved. After approving, you can run the job again on the node and the signature needs approval again. The console output of the job is like:
[WARNINGS] Parsing warnings in files 'foo.txt' with parser Dummy Parser
[WARNINGS] Groovy sandbox rejected the parsing script for parser Dummy Parser: Scripts not permitted to use new hudson.plugins.warnings.parser.Warning java.lang.String int java.lang.String java.lang.String java.lang.String. You will need to manually approve the call in the Script Approval UI.
[WARNINGS] Computing warning deltas based on reference build #8
You see, that parsing the script was rejected!

Nico Falk added a comment - 2017-06-09 04:10 Steps to reproduce: 1) Install warnings plugin 4.62 2) Go to "Manage Jenkins" -> "Configure System" -> "Compiler Warnings" 3) Add parser as shown in attached screenshot (parser.PNG) 4) Generate freestyle job and add a build step (here: Windows batch) and post build action as shown in attached screenshot (job.PNG) 5) Run the job on master (therefore, you can select "Restrict where this project can be run" to "master" in the job configuration) 6) It should work (probably you need to approve permissions) and you should see the following console output: [WARNINGS] Parsing warnings in files 'foo.txt' with parser Dummy Parser [WARNINGS] Searching for all files in C:\Program Files (x86)\Jenkins\workspace\TestWarnings that match the pattern foo.txt [WARNINGS] Parsing 1 file in C:\Program Files (x86)\Jenkins\workspace\TestWarnings [WARNINGS] Successfully parsed file C:\Program Files (x86)\Jenkins\workspace\TestWarnings\foo.txt with 1 unique warning and 0 duplicates. [WARNINGS] Computing warning deltas based on reference build #9 Finished: SUCCESS 7) Change "Restrict where this project can be run" to a node (yes, sorry, you need to have a node) and start the job again. Now, you always see a pending approval which was already approved. After approving, you can run the job again on the node and the signature needs approval again. The console output of the job is like: [WARNINGS] Parsing warnings in files 'foo.txt' with parser Dummy Parser [WARNINGS] Groovy sandbox rejected the parsing script for parser Dummy Parser: Scripts not permitted to use new hudson.plugins.warnings.parser.Warning java.lang.String int java.lang.String java.lang.String java.lang.String. You will need to manually approve the call in the Script Approval UI. [WARNINGS] Computing warning deltas based on reference build #8 You see, that parsing the script was rejected!

Ulli Hafner added a comment - 2017-06-20 22:21

Thanks for the detailed steps to reproduce. Indeed, the current implementation in 4.61 and newer does not run on agents, only on the master. This is due to the fact, that the script security plug-in does not support scripts that run on an agent, only scripts on the master are supported so far.

Ulli Hafner added a comment - 2017-06-20 22:21 Thanks for the detailed steps to reproduce. Indeed, the current implementation in 4.61 and newer does not run on agents, only on the master. This is due to the fact, that the script security plug-in does not support scripts that run on an agent, only scripts on the master are supported so far.

SCM/JIRA link daemon added a comment - 2017-07-13 20:03

Code changed in jenkins
User: Ulli Hafner
Path:
analysis-core.iml
pom.xml
src/main/java/hudson/plugins/analysis/util/model/AbstractAnnotation.java
src/main/java/hudson/plugins/analysis/util/model/Priority.java
http://jenkins-ci.org/commit/analysis-core-plugin/14be26db0efdf5085b1aaab6149cc7b0f448d98e
Log:
[FIXED JENKINS-43813] Remove dependency to script-security-plugin.