
Neither ~/foo/ nor java.util.regex.Pattern.compile("foo") are whitelisted

    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Component/s: script-security-plugin
    • Labels: None
    • Environment: workflow-cps 2.39, script-security 1.33

      Outside the sandbox, the following will correctly echo java.util.regex.Pattern

      def f = ~/foo/
      echo f.class.toString()
      

      But when sandboxed, it barfs with RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter bitwiseNegate java.lang.Object.

      This is distinct to CPS-transformed code - if that's in a @NonCPS method or any other non-CPS sandboxed code, it works fine. Somehow we're misidentifying the ~/foo/ in sandboxed CPS code.

      EDIT: Amending to include the fact that staticMethod java.util.regex.Pattern compile java.lang.String is not whitelisted. That should be fixed too.

          [JENKINS-46391] Neither ~/foo/ nor java.util.regex.Pattern.compile("foo") are whitelisted

          Andrew Bayer created issue -

          Andrew Bayer added a comment -

          Well, this is goofier than I thought. Turns out StringGroovyMethods.bitwiseNegate(String) actually returns a Pattern. Waaaaaat. So I guess this is simple enough to add to the whitelist.
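
The operator behaviour this comment describes, as a stand-alone Groovy script run outside Jenkins (an added example, not part of the issue or of script-security). It shows that the adapter method named in the rejection takes `Object` and dispatches on the runtime type, and rebuilds the two signatures quoted on this issue by reflection; `staticSignature` is a hypothetical helper.

```groovy
import org.codehaus.groovy.runtime.ScriptBytecodeAdapter
import org.codehaus.groovy.runtime.StringGroovyMethods
import java.util.regex.Pattern

// Render a static call in the format used by the RejectedAccessException message:
//   staticMethod <declaring class> <method> <declared parameter types...>
// (hypothetical helper, not a script-security API)
String staticSignature(Class owner, String name, Class... paramTypes) {
    def m = owner.getMethod(name, paramTypes)
    (['staticMethod', owner.name, m.name] + m.parameterTypes*.name).join(' ')
}

// 1. Unary ~ applied to a string literal yields a Pattern, not a number.
def viaOperator = ~/foo/
assert viaOperator instanceof Pattern

// 2. The adapter method from the rejection accepts Object and decides at
//    runtime what ~ means for the value it is given.
assert ScriptBytecodeAdapter.bitwiseNegate('foo') instanceof Pattern   // String: regex
assert ScriptBytecodeAdapter.bitwiseNegate(5) == -6                     // Integer: complement

// 3. For a String, the result matches StringGroovyMethods.bitwiseNegate
//    and a plain Pattern.compile of the same text.
def direct = StringGroovyMethods.bitwiseNegate('foo')
assert direct instanceof Pattern
assert direct.pattern() == viaOperator.pattern()
assert Pattern.compile('foo').pattern() == viaOperator.pattern()

// 4. The two signatures quoted on this issue, rebuilt from the declared
//    parameter types rather than from the argument's runtime type.
assert staticSignature(ScriptBytecodeAdapter, 'bitwiseNegate', Object) ==
    'staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter bitwiseNegate java.lang.Object'
assert staticSignature(Pattern, 'compile', String) ==
    'staticMethod java.util.regex.Pattern compile java.lang.String'

println 'all checks passed'
```

Because the signature records the declared `Object` parameter, an approval for that entry covers every type the adapter dispatches on, which is worth keeping in mind when reviewing whitelist additions for operator helpers.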

          Andrew Bayer made changes -
          Summary Original: ~/foo/ rejected in sandbox as bitwiseNegate New: Neither ~/foo/ nor new java.util.regex.Pattern("foo") are whitelisted
          Andrew Bayer made changes -
          Summary Original: Neither ~/foo/ nor new java.util.regex.Pattern("foo") are whitelisted New: Neither ~/foo/ nor java.util.regex.Pattern.compile("foo") are whitelisted
          Andrew Bayer made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Andrew Bayer made changes -
          Status Original: In Progress [ 3 ] New: In Review [ 10005 ]

          Andrew Bayer added a comment -

          PRs up at script-security with the actual fix and workflow-cps verifying it.

          Andrew Bayer made changes -
          Remote Link New: This issue links to "script-security PR #146 (Web Link)" [ 17509 ]

            Assignee: Andrew Bayer (abayer)
            Reporter: Andrew Bayer (abayer)