
No way to configure classpath for groovy script files

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Component: groovy-plugin
    • Environment: Jenkins 2.46.1, Groovy-Plugin 2.0, Windows host

      Since the update to Groovy-Plugin 2.0, the edit field for specifying a classpath is missing in the build step "Execute system groovy script" when running a groovy script file. 

      I do understand why you removed this feature (security), but now my scripts don't work any more, because they don't find the imported groovy classes any more.

      Is there a better way for achieving a similar functionality like specifying a classpath? Or is it possible to specify it in another way? Or do I have to change my scripts? If it is the latter one: how do I have to change them without adding new security risks?

      In case there is no recommended solution or a workaround, we have to downgrade the Groovy-Plugin.

       

          [JENKINS-43844] No way to configure classpath for groovy script files

          David Kruger added a comment -

          We have the same problem here, since we split our code into multiple groovy classes in separate files in order to re-use them across scripts.


          Andreas Mandel added a comment -

          After some digging, actually we found a workaround, leveraging some groovy magic. I hope this is not again considered as a security flaw.

          def workspace = build.properties.get('envVars').get('WORKSPACE');
          def cl = new GroovyClassLoader(this.class.classLoader);
          cl.addURL(new File("${workspace}/").toURI().toURL()); // whatever path you need to add
          def shell = new GroovyShell(cl, getBinding());
          def myScript = shell.parse(new File("${workspace}/StaticBuildJobAnalysis.groovy")); // whatever your script is
          myScript.run();

          David Kruger added a comment -

          Thanks, that works for me. It is doing exactly what the developers of the Script Security Plugin don't want, but I think it's the only way for now.

          https://wiki.jenkins-ci.org/display/JENKINS/Script+Security+Plugin

          Whatever you choose, do not allow an unprivileged user to add arbitrary classpath entries by making a URLClassLoader! This would make it trivial to bypass all security when using the sandbox.


          Andreas Mandel added a comment -

          Sure, but that is what we need to get the scripts working again - I do not expect that this works without a script approval - if it is not added by an admin - so everything should be fine?
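
The warning quoted from the Script Security Plugin page is about who controls the classpath entry. As an added example (not code from this thread or from the Groovy plugin), the following Groovy script accepts only classpath entries that resolve inside one root directory, assumed here to be writable by Jenkins administrators only. `resolveInside` and `loaderFor` are hypothetical helper names, and the directories are constructed for the demo.

```groovy
import java.nio.file.Files
import java.nio.file.Path

// Assumption: allowedRoot is writable by Jenkins administrators only,
// unlike the job workspace used in the workaround above.
// Resolve a requested entry and refuse anything that ends up outside the root
// ("..", absolute paths, symlinks pointing elsewhere).
Path resolveInside(Path allowedRoot, String requested) {
    Path root = allowedRoot.toRealPath()
    Path candidate = root.resolve(requested).toRealPath() // follows symlinks
    if (!candidate.startsWith(root)) {
        throw new SecurityException("classpath entry outside allowed root: " + requested)
    }
    return candidate
}

// Build the class loader from validated entries only.
GroovyClassLoader loaderFor(Path allowedRoot, List<String> entries, ClassLoader parent) {
    def cl = new GroovyClassLoader(parent)
    entries.each { String e -> cl.addURL(resolveInside(allowedRoot, e).toUri().toURL()) }
    return cl
}

// Constructed demo data: a shared-library root and a sibling "workspace" directory.
Path root = Files.createTempDirectory('shared-lib')
Path lib = Files.createDirectory(root.resolve('lib'))
lib.resolve('Helper.groovy').toFile().text = 'class Helper { static String hi() { "hi" } }'
Path workspace = Files.createTempDirectory('workspace')

// An entry inside the root is accepted and its classes load.
def cl = loaderFor(root, ['lib'], this.class.classLoader)
assert cl.loadClass('Helper').hi() == 'hi'

// An entry that escapes the root (here: the sibling workspace) is refused.
try {
    loaderFor(root, ['../' + workspace.fileName], this.class.classLoader)
    assert false : 'escape was not rejected'
} catch (SecurityException ex) {
    println "rejected: ${ex.message}"
}
```

In a system Groovy build step, the loader returned by `loaderFor` would take the place of `cl` in the workaround above.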

            vjuranek vjuranek
            hardy Hardy Koebe
            Votes: 5
            Watchers: 5