
readFileFromWorkspace Not Whitelisted for Script Security

      On the Job DSL wiki (https://github.com/jenkinsci/job-dsl-plugin/wiki/Script-Security) it states under Groovy Sandboxing:

      "All Job DSL methods are whitelisted by default, but Jenkins access control checks are applied."

      However, when creating a freestyle job with the example from (https://jenkinsci.github.io/job-dsl-plugin/#path/javaposse.jobdsl.dsl.DslFactory.pipelineJob-definition-cps) as the DSL script, and running as an appropriately authorised user with sandboxing enabled, the following error message is displayed:

      ERROR: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object (javaposse.jobdsl.dsl.helpers.workflow.CpsContext readFileFromWorkspace java.lang.String)

      The DSL for those interested:
      pipelineJob('example') {
          definition {
              cps {
                  script(readFileFromWorkspace('project-a-workflow.groovy'))
                  sandbox()
              }
          }
      }

          [JENKINS-45778] readFileFromWorkspace Not Whitelisted for Script Security

          Jamie Kelly added a comment -

          I'm not sure if this is Minor or Major, feel free to adjust. My thought process behind choosing Major is that this issue stops the usage of Job DSL in a very general use case unless I click the button to approve the signature that has a red warning next to it saying not to approve it.


          Daniel Spilker added a comment -

          This is a problem with Groovy and probably the sandbox. The method is not defined in the inner scope (cps), so it's trying to do a dynamic method invocation. That fails due to sandbox restrictions. Normally the method would be searched in the outer scopes (and finally found in the outermost scope), but that's not happening due to the Sandbox exception.

          As a workaround you could move the call to the outer scope or force a method lookup on the outer scope:

          def pipelineScript = readFileFromWorkspace('project-a-workflow.groovy')

          pipelineJob('example') {
              definition {
                  cps {
                      script(pipelineScript)
                      sandbox()
                  }
              }
          }

          pipelineJob('example') {
              definition {
                  cps {
                      script(this.readFileFromWorkspace('project-a-workflow.groovy'))
                      sandbox()
                  }
              }
          }

            jk563 Jamie Kelly