Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-46088

unclassified staticMethod when assigning java.util.regex.Matcher in included script



    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Blocker
    • Resolution: Fixed
    • Component/s: script-security-plugin
    • Labels:
    • Environment:
      Jenkins 2.60.2 .war on Ubuntu
      Script Security Plugin 1.31
      Groovy Plugin 2.0
    • Similar Issues:


      Steps to reproduce:

      Run Jenkins 2.60.2 with latest Script Security Plugin (1.31). Create a freestyle job that runs a system groovy script from a script file /tmp/minimal.groovy (!, bug does not appear if the script is defined in the job itself).

      Sample job config.xml is attached.

      Contents of /tmp/minimal.groovy :

      java.util.regex.Matcher m = "asdf" =~ /(a)/

      Run the job.

      Observed result

      ERROR: Build step failed with exception
      org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: unclassified staticMethod org.kohsuke.groovy.sandbox.impl.Checker checkedStaticCall java.lang.Class java.lang.String java.lang.String java.lang.String
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onStaticCall(SandboxInterceptor.java:146)
      	at org.kohsuke.groovy.sandbox.impl.Checker$2.call(Checker.java:184)
      	at org.kohsuke.groovy.sandbox.impl.Checker.checkedStaticCall(Checker.java:188)
      	at org.kohsuke.groovy.sandbox.impl.Checker$checkedStaticCall$1.callStatic(Unknown Source)
      	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
      	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
      	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:222)
      	at Script1.run(Script1.groovy:1)
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:141)
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript.evaluate(SecureGroovyScript.java:165)
      	at hudson.plugins.groovy.SystemGroovy.run(SystemGroovy.java:95)
      	at hudson.plugins.groovy.SystemGroovy.perform(SystemGroovy.java:59)
      	at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:735)
      	at hudson.model.Build$BuildExecution.build(Build.java:206)
      	at hudson.model.Build$BuildExecution.doRun(Build.java:163)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:490)
      	at hudson.model.Run.execute(Run.java:1735)
      	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
      	at hudson.model.ResourceController.execute(ResourceController.java:97)
      	at hudson.model.Executor.run(Executor.java:405)

      Expected result

      Script runs without error.

      Known mitigations

      Changing the script to:

      def m = "asdf" =~ /(a)/

      That is, removing the explicit type declaration solves the problem.

      Also, copying the script into the job definition doesn't trigger the error.


      Since the explicit type declaration is not idiomatic usage anyways and the workaround is simple, I don't think it's highly important but would like to understand why this fails in any case.


          Issue Links


            schoeneu Urs Schoenenberger created issue -
            abayer Andrew Bayer made changes -
            Field Original Value New Value
            Priority Minor [ 4 ] Critical [ 2 ]
            abayer Andrew Bayer made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            abayer Andrew Bayer made changes -
            Status In Progress [ 3 ] In Review [ 10005 ]
            abayer Andrew Bayer made changes -
            Remote Link This issue links to "groovy-sandbox PR #37 (Web Link)" [ 17434 ]
            abayer Andrew Bayer made changes -
            Assignee Andrew Bayer [ abayer ]
            abayer Andrew Bayer made changes -
            Remote Link This issue links to "script-security PR #139 (Web Link)" [ 17435 ]
            jglick Jesse Glick made changes -
            Link This issue relates to SECURITY-580 [ SECURITY-580 ]
            abayer Andrew Bayer made changes -
            Priority Critical [ 2 ] Blocker [ 1 ]
            abayer Andrew Bayer made changes -
            Resolution Fixed [ 1 ]
            Status In Review [ 10005 ] Resolved [ 5 ]
            abayer Andrew Bayer made changes -
            Link This issue is duplicated by JENKINS-46195 [ JENKINS-46195 ]


              abayer Andrew Bayer
              schoeneu Urs Schoenenberger
              0 Vote for this issue
              7 Start watching this issue