-
Bug
-
Resolution: Cannot Reproduce
-
Major
-
None
-
2.60.1
We have rather complex build scripts in groovy to deal. After upgrade to 2.60.1 they start fail with:
*14:18:45* ERROR: Build step failed with exception*14:18:45* org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: unclassified field java.io.File text*14:18:45* at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.unclassifiedField(SandboxInterceptor.java:367)*14:18:45* at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onSetProperty(SandboxInterceptor.java:217)*14:18:45* at org.kohsuke.groovy.sandbox.impl.Checker$5.call(Checker.java:297)*14:18:45* at org.kohsuke.groovy.sandbox.impl.Checker.checkedSetProperty(Checker.java:294)*14:18:45* at org.kohsuke.groovy.sandbox.impl.Checker$checkedSetProperty$2.callStatic(Unknown Source)*14:18:45* at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)*14:18:45* at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)*14:18:45* at Script1.run(Script1.groovy:11)*14:18:45* at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:141)*14:18:45* at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript.evaluate(SecureGroovyScript.java:165)*14:18:45* at hudson.plugins.groovy.SystemGroovy.run(SystemGroovy.java:95)*14:18:45* at hudson.plugins.groovy.SystemGroovy.perform(SystemGroovy.java:59)*14:18:45* at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)*14:18:45* at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:735)*14:18:45* at hudson.model.Build$BuildExecution.build(Build.java:206)*14:18:45* at hudson.model.Build$BuildExecution.doRun(Build.java:163)*14:18:45* at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:490)*14:18:45* at hudson.model.Run.execute(Run.java:1735)*14:18:45* at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)*14:18:45* at hudson.model.ResourceController.execute(ResourceController.java:97)*14:18:45* at hudson.model.Executor.run(Executor.java:405)*14:18:45* Build step 'Execute system Groovy script' marked build as failure
Issues
- the 'field java.io.File text' was not offered in /scriptApproval
- after being added manually in xml it still failing with the same error (though i can see it in 'Signatures already approved')
- Permissive security plugin doesn't help
So, we ended up with completely broken builds without any fallback options.
Job Configuration
Problematic step: Execute system Groovy script + Groovy script file
Code:
final File tmp = File.createTempFile(...) tmp.text = build.project.workspace.child('somefile').readToString()
- links to
unclassified errors do not indicate that some signature is being rejected. They indicate that Jenkins cannot figure out what signature you were even trying to call. In this case you were trying to use this GDK method which for reasons TBD was not recognized. (Normally DefaultGroovyMethods is supported.) Possibly a dupe of one of the other bugs in this plugin.
The workaround is the usual one: use actual methods defined in the Java Platform.
(In this case you were trying to do local file operations, which are never going to be supported in sandbox mode since they are inherently security holes. You must use whole-script approval, or stop trying to use local files.)