• Type: Bug
• Resolution: Unresolved
• Priority: Major
• Component/s: job-dsl-plugin, script-security-plugin
• Labels:

  None
• Environment:

  Jenkins 2.60.2
  Script Security 1.29.1
  Job DSL 1.64

[JENKINS-45778] readFileFromWorkspace Not Whitelisted for Script Security

Jamie Kelly created issue - 2017-07-25 13:16

Jamie Kelly made changes - 2017-07-25 13:16

Description

Original: On the Job DSL wiki ([https://github.com/jenkinsci/job-dsl-plugin/wiki/Script-Security)] it states undr Groovy Sandboxing: {quote}"All Job DSL methods are whitelisted by default, but Jenkins access control checks are applied." {quote} However, when creating a freestyle job with the example from ([https://jenkinsci.github.io/job-dsl-plugin/#path/javaposse.jobdsl.dsl.DslFactory.pipelineJob-definition-cps)] as the DSL script, and running as an appropriately authorised user with sandboxing enabled, the following error message is displayed: {quote}ERROR: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object (javaposse.jobdsl.dsl.helpers.workflow.CpsContext readFileFromWorkspace java.lang.String) {quote} The DSL for those interested: {{pipelineJob('example') \{}} {{  definition \{}} {{    cps }}{{\{ }} {{      script(readFileFromWorkspace('project-a-workflow.groovy'))}} {{      sandbox() }} {{    }}} {{  }}} {{}}}

New: On the Job DSL wiki ([https://github.com/jenkinsci/job-dsl-plugin/wiki/Script-Security)] it states undr Groovy Sandboxing: {quote}"All Job DSL methods are whitelisted by default, but Jenkins access control checks are applied." {quote} However, when creating a freestyle job with the example from ([https://jenkinsci.github.io/job-dsl-plugin/#path/javaposse.jobdsl.dsl.DslFactory.pipelineJob-definition-cps)] as the DSL script, and running as an appropriately authorised user with sandboxing enabled, the following error message is displayed: {quote}ERROR: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object (javaposse.jobdsl.dsl.helpers.workflow.CpsContext readFileFromWorkspace java.lang.String) {quote} The DSL for those interested: pipelineJob('example') \{     definition \{         cps \{             script(readFileFromWorkspace('project-a-workflow.groovy'))             sandbox()         }     } }

Jamie Kelly made changes - 2017-07-25 13:17

Summary

Original: DSL Methods Not Whitelisted for Script Security

New: readFileFromWorkspace Not Whitelisted for Script Security

Jamie Kelly made changes - 2017-07-25 13:36

Environment

Original: Jenkins 2.60.2 Latest plugins

New: Jenkins 2.60.2 Script Security 1.29.1 Job DSL 1.64

Jamie Kelly made changes - 2017-07-25 13:40

Priority

Original: Minor [ 4 ]

New: Major [ 3 ]

Collapse comment: Jamie Kelly added a comment - 2017-07-25 13:48

Jamie Kelly added a comment - 2017-07-25 13:48

I'm not sure if this is Minor or Major, feel free to adjust. My thought process behind choosing Major is that this issue stops the usage of Job DSL in a very general use case unless I click the button to approve the signature that has a red warning next to it saying not to approve it.

Expand comment: Jamie Kelly added a comment - 2017-07-25 13:48

Jamie Kelly added a comment - 2017-07-25 13:48 I'm not sure if this is Minor or Major, feel free to adjust. My thought process behind choosing Major is that this issue stops the usage of Job DSL in a very general use case unless I click the button to approve the signature that has a red warning next to it saying not to approve it.

Jesse Glick made changes - 2017-07-25 16:56

Component/s

Original: script-security-plugin [ 18520 ]

Collapse comment: Daniel Spilker added a comment - 2017-08-28 12:53

Daniel Spilker added a comment - 2017-08-28 12:53

This is a problem with the Groovy and probably sandbox. The method is not defined in the inner scope (cps), so it's trying to do a dynamic method invocation. That fails due to sandbox restrictions. Normally the method would be searched in the outer scopes (and finally found in the most outer scope), but that's not happening due to the Sandbox exception.

As a workaround you could move the call to the outer scope or for a method lookup on the outer scope:

def pipelineScript = readFileFromWorkspace('project-a-workflow.groovy')

pipelineJob('example') {
    definition {
        cps {
            script(pipelineScript)
            sandbox()
        }
    }
}

pipelineJob('example') {
    definition {
        cps {
            script(this.readFileFromWorkspace('project-a-workflow.groovy'))
            sandbox()
        }
    }
}

Expand comment: Daniel Spilker added a comment - 2017-08-28 12:53

Daniel Spilker added a comment - 2017-08-28 12:53 This is a problem with the Groovy and probably sandbox. The method is not defined in the inner scope ( cps ), so it's trying to do a dynamic method invocation. That fails due to sandbox restrictions. Normally the method would be searched in the outer scopes (and finally found in the most outer scope), but that's not happening due to the Sandbox exception. As a workaround you could move the call to the outer scope or for a method lookup on the outer scope: def pipelineScript = readFileFromWorkspace( 'project-a-workflow.groovy' ) pipelineJob( 'example' ) { definition { cps { script(pipelineScript) sandbox() } } } pipelineJob( 'example' ) { definition { cps { script( this .readFileFromWorkspace( 'project-a-workflow.groovy' )) sandbox() } } }

Daniel Spilker made changes - 2017-08-28 12:53

Component/s

New: script-security-plugin [ 18520 ]

Daniel Spilker made changes - 2017-08-28 12:53

Assignee

Original: Daniel Spilker [ daspilker ]