[JENKINS-46391] Neither ~/foo/ nor java.util.regex.Pattern.compile("foo") are whitelisted

    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Component/s: script-security-plugin
    • None
    • workflow-cps 2.39, script-security 1.33

      Outside the sandbox, the following will correctly echo java.util.regex.Pattern

      def f = ~/foo/
      echo f.class.toString()
      

      But when sandboxed, it barfs with RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter bitwiseNegate java.lang.Object.

      This is distinct to CPS-transformed code - if that's in a @NonCPS method or any other non-CPS sandboxed code, it works fine. Somehow we're misidentifying the ~/foo/ in sandboxed CPS code.

      EDIT: Amending to include the fact that staticMethod java.util.regex.Pattern compile java.lang.String is not whitelisted. That should be fixed too.
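
An added example (not part of the issue or of the plugins' code): a small Python triage script that pulls the rejection signatures quoted above out of console-log lines and splits them into the fields of the script-security signature format. Treating an `org.codehaus.groovy.runtime.*` owner as a sign that the sandbox did not recognise an operator, rather than as something to approve, is an assumption drawn from this report; the sample log lines are constructed.

```python
import re
from collections import namedtuple

# Signature grammar used in script-security whitelists and rejection messages:
#   method|staticMethod <class> <name> <arg types...>
#   new <class> <arg types...>
#   field|staticField <class> <name>
Signature = namedtuple("Signature", "kind owner member args")

# Captures the signature and drops the optional trailing full stop.
REJECTION = re.compile(r"Scripts not permitted to use (.+?)\.?\s*$")

def parse_signature(text):
    parts = text.split()
    kind = parts[0]
    if kind in ("method", "staticMethod"):
        return Signature(kind, parts[1], parts[2], tuple(parts[3:]))
    if kind == "new":
        return Signature(kind, parts[1], "<init>", tuple(parts[2:]))
    if kind in ("field", "staticField"):
        return Signature(kind, parts[1], parts[2], ())
    raise ValueError("unknown signature kind: %r" % kind)

def triage(log_lines):
    """Return {Signature: note} for every sandbox rejection in the log."""
    found = {}
    for line in log_lines:
        m = REJECTION.search(line)
        if not m:
            continue
        sig = parse_signature(m.group(1))
        # Assumption (from this issue): a Groovy runtime helper in the
        # signature means an operator was not recognised by the sandbox.
        if sig.owner.startswith("org.codehaus.groovy.runtime."):
            note = "Groovy runtime internal: check plugin versions, do not approve"
        else:
            note = "ordinary API call: review before approving"
        found[sig] = note
    return found

# Constructed console-log lines built from the messages quoted in this issue.
SAMPLE_LOG = [
    "[Pipeline] echo",
    "org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: "
    "Scripts not permitted to use staticMethod "
    "org.codehaus.groovy.runtime.ScriptBytecodeAdapter bitwiseNegate java.lang.Object.",
    "org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: "
    "Scripts not permitted to use staticMethod java.util.regex.Pattern compile java.lang.String",
]
```
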


          Andrew Bayer created issue -
          Andrew Bayer made changes -
          Summary Original: ~/foo/ rejected in sandbox as bitwiseNegate New: Neither ~/foo/ nor new java.util.regex.Pattern("foo") are whitelisted
          Andrew Bayer made changes -
          Description Original: the issue description without the EDIT paragraph
          New: the same description with this paragraph appended:
          EDIT: Amending to include the fact that {{new java.util.regex.Pattern java.lang.String}} is not whitelisted. That should be fixed too.
          Andrew Bayer made changes -
          Summary Original: Neither ~/foo/ nor new java.util.regex.Pattern("foo") are whitelisted New: Neither ~/foo/ nor java.util.regex.Pattern.compile("foo") are whitelisted
          Andrew Bayer made changes -
          Description (only the EDIT paragraph changed)
          Original: EDIT: Amending to include the fact that {{new java.util.regex.Pattern java.lang.String}} is not whitelisted. That should be fixed too.
          New: EDIT: Amending to include the fact that {{staticMethod java.util.regex.Pattern compile java.lang.String}} is not whitelisted. That should be fixed too.
          Andrew Bayer made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Andrew Bayer made changes -
          Status Original: In Progress [ 3 ] New: In Review [ 10005 ]
          Andrew Bayer made changes -
          Remote Link New: This issue links to "script-security PR #146 (Web Link)" [ 17509 ]
          Andrew Bayer made changes -
          Remote Link New: This issue links to "workflow-cps PR #169 (Web Link)" [ 17510 ]
          Andrew Bayer made changes -
          Component/s New: script-security-plugin [ 18520 ]
          Component/s Original: workflow-cps-plugin [ 21713 ]
          Andrew Bayer made changes -
          Resolution New: Fixed [ 1 ]
          Status Original: In Review [ 10005 ] New: Resolved [ 5 ]

            abayer Andrew Bayer