
Neither ~/foo/ nor java.util.regex.Pattern.compile("foo") are whitelisted

    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Component: script-security-plugin
    • Labels: None
    • Environment: workflow-cps 2.39, script-security 1.33

      Outside the sandbox, the following will correctly echo java.util.regex.Pattern

      def f = ~/foo/
      echo f.class.toString()
      

      But when sandboxed, it barfs with RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter bitwiseNegate java.lang.Object.

      This is distinct to CPS-transformed code - if that's in a @NonCPS method or any other non-CPS sandboxed code, it works fine. Somehow we're misidentifying the ~/foo/ in sandboxed CPS code.

      EDIT: Amending to include the fact that staticMethod java.util.regex.Pattern compile java.lang.String is not whitelisted. That should be fixed too.


          Andrew Bayer added a comment -

          Well, this is goofier than I thought. Turns out StringGroovyMethods.bitwiseNegate(String) actually returns a Pattern. Waaaaaat. So I guess this is simple enough to add to the whitelist.


          Andrew Bayer added a comment -

          PRs up at script-security with the actual fix and workflow-cps verifying it.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Andrew Bayer
          Path:
          src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist
          src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java
          http://jenkins-ci.org/commit/script-security-plugin/3358ff52906ae83202e5b6c95a46eecdae0ee864
          Log:
          [FIXED JENKINS-46391] Fix ~/foo/ and whitelist other Pattern stuff

          CPS code ends up calling `~/foo/` as
          `ScriptBytecodeAdapter.bitwiseNegate(Object)`, so we need to whitelist
          that. Through whacky Groovy magic, that'll end up resulting in a call
          behind the scenes to
          `StringGroovyMethods.bitwiseNegate(CharSequence)`, which returns... a
          `Pattern`. Because of course it does. So tada.

          Also whitelisted `Pattern.compile(String)` and
          `Pattern#matcher(CharSequence)` since they seem worth whitelisting
          while we're doing `Pattern`-related stuff.

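As an added illustration (not the plugin's own code), the following Python models how a sandbox rejection like the one in the description is checked against whitelist entries of the form the fix commit describes. The entry lines are constructed from the commit message, the `kind owner name paramTypes...` line shape is an assumption from the signatures quoted on this page, and the `Signature` type and function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    kind: str              # staticMethod, method, new, field, staticField
    owner: str             # fully-qualified declaring class
    name: str              # member name; "" for constructors ("new")
    params: tuple          # fully-qualified parameter types, in order

def parse_signature(line: str) -> Signature:
    """Parse one whitelist line: 'kind owner name paramTypes...' (assumed shape)."""
    parts = line.split()
    if len(parts) < 2 or (parts[0] != "new" and len(parts) < 3):
        raise ValueError(f"malformed signature: {line!r}")
    if parts[0] == "new":  # constructors carry no member name
        return Signature("new", parts[1], "", tuple(parts[2:]))
    return Signature(parts[0], parts[1], parts[2], tuple(parts[3:]))

def load_whitelist(text: str) -> frozenset:
    """Parse a whitelist file body, skipping blank lines and '#' comments."""
    return frozenset(parse_signature(ln) for ln in map(str.strip, text.splitlines())
                     if ln and not ln.startswith("#"))

REJECT_PREFIX = "Scripts not permitted to use "

def rejected_signature(message: str) -> Signature:
    """Recover the signature a RejectedAccessException message complains about."""
    idx = message.find(REJECT_PREFIX)
    if idx < 0:
        raise ValueError("not a RejectedAccessException message")
    return parse_signature(message[idx + len(REJECT_PREFIX):].rstrip(" ."))

def is_whitelisted(sig: Signature, whitelist: frozenset) -> bool:
    """Exact signature lookup; whitelist file entries are literal signatures."""
    return sig in whitelist

# Constructed from the fix commit message on this issue; the '#' line mimics
# the comment style of the plugin's generic-whitelist file.
FIX_ENTRIES = """\
# JENKINS-46391: ~/foo/ in CPS code becomes ScriptBytecodeAdapter.bitwiseNegate(Object)
staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter bitwiseNegate java.lang.Object
staticMethod java.util.regex.Pattern compile java.lang.String
method java.util.regex.Pattern matcher java.lang.CharSequence
"""

# The error quoted in the issue description.
REJECTION = ("RejectedAccessException: Scripts not permitted to use staticMethod "
             "org.codehaus.groovy.runtime.ScriptBytecodeAdapter bitwiseNegate java.lang.Object.")
```

Running `is_whitelisted(rejected_signature(REJECTION), load_whitelist(FIX_ENTRIES))` returns True once the fix entries are present and False against an empty whitelist, which is the before/after behaviour this issue describes.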

          Andrew Bayer added a comment -

          Merged - will be in next script-security release (1.34). Need to remember to update/merge https://github.com/jenkinsci/workflow-cps-plugin/pull/169 then too.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Andrew Bayer
          Path:
          pom.xml
          src/test/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition2Test.java
          http://jenkins-ci.org/commit/workflow-cps-plugin/11a0698d35a6c3c7f6230a0e977dc5b3df3853d9
          Log:
          JENKINS-46391 Test verifying CPS-specific ~/foo/ behavior

          Downstream of https://github.com/jenkinsci/script-security-plugin/pull/146


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Andrew Bayer
          Path:
          src/test/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition2Test.java
          http://jenkins-ci.org/commit/workflow-cps-plugin/b8da29173f91a95973ecbfa63806940f465666ff
          Log:
          Merge pull request #169 from abayer/jenkins-46391

          JENKINS-46391 Test verifying CPS-specific ~/foo/ behavior

          Compare: https://github.com/jenkinsci/workflow-cps-plugin/compare/1c6e51ab0e13...b8da29173f91


            Assignee: abayer Andrew Bayer
            Reporter: abayer Andrew Bayer
            Votes: 0
            Watchers: 2
