Details
-
Type:
Bug
-
Status: Resolved (View Workflow)
-
Priority:
Blocker
-
Resolution: Fixed
-
Component/s: script-security-plugin
-
Labels:None
-
Environment:Jenkins 2.60.2 .war on Ubuntu
Script Security Plugin 1.31
Groovy Plugin 2.0
-
Similar Issues:
Description
Steps to reproduce:
Run Jenkins 2.60.2 with latest Script Security Plugin (1.31). Create a freestyle job that runs a system groovy script from a script file /tmp/minimal.groovy (!, bug does not appear if the script is defined in the job itself).
Sample job config.xml is attached.
Contents of /tmp/minimal.groovy :
java.util.regex.Matcher m = "asdf" =~ /(a)/
Run the job.
Observed result
ERROR: Build step failed with exception org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: unclassified staticMethod org.kohsuke.groovy.sandbox.impl.Checker checkedStaticCall java.lang.Class java.lang.String java.lang.String java.lang.String at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onStaticCall(SandboxInterceptor.java:146) at org.kohsuke.groovy.sandbox.impl.Checker$2.call(Checker.java:184) at org.kohsuke.groovy.sandbox.impl.Checker.checkedStaticCall(Checker.java:188) at org.kohsuke.groovy.sandbox.impl.Checker$checkedStaticCall$1.callStatic(Unknown Source) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:222) at Script1.run(Script1.groovy:1) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:141) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript.evaluate(SecureGroovyScript.java:165) at hudson.plugins.groovy.SystemGroovy.run(SystemGroovy.java:95) at hudson.plugins.groovy.SystemGroovy.perform(SystemGroovy.java:59) at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20) at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:735) at hudson.model.Build$BuildExecution.build(Build.java:206) at hudson.model.Build$BuildExecution.doRun(Build.java:163) at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:490) at hudson.model.Run.execute(Run.java:1735) at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43) at hudson.model.ResourceController.execute(ResourceController.java:97) at hudson.model.Executor.run(Executor.java:405)
Expected result
Script runs without error.
Known mitigations
Changing the script to:
def m = "asdf" =~ /(a)/
That is, removing the explicit type declaration solves the problem.
Also, copying the script into the job definition doesn't trigger the error.
Priority
Since the explicit type declaration is not idiomatic usage anyways and the workaround is simple, I don't think it's highly important but would like to understand why this fails in any case.
Attachments
Issue Links
- is duplicated by
-
JENKINS-46195 Assignment from a method doesn't work in a closure
-
- Closed
-
- links to
Code changed in jenkins
User: Andrew Bayer
Path:
pom.xml
src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java
http://jenkins-ci.org/commit/script-security-plugin/7a81a076e46e8638a80313bca2a9d5eaf3c56b24
Log:
Merge pull request #139 from abayer/jenkins-46088
JENKINS-46088Verify removal of double transform of cast expressionCompare: https://github.com/jenkinsci/script-security-plugin/compare/ea5ce369c4ed...7a81a076e46e