Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-46882

Scripts not permitted to use new java.lang.Exception java.lang.String

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Minor Minor
    • script-security-plugin
    • None
    • Script Security Plugin 1.33

      Seeing the following when attempting to throw an exception in the Jenkins pipeline

      No pending script approval either.

      org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use new java.lang.Exception java.lang.String
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectNew(StaticWhitelist.java:184)
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onNewInstance(SandboxInterceptor.java:138)
      	at org.kohsuke.groovy.sandbox.GroovyInterceptor.onSuperConstructor(GroovyInterceptor.java:56)
      	at org.kohsuke.groovy.sandbox.impl.Checker$5.call(Checker.java:232)
      	at org.kohsuke.groovy.sandbox.impl.Checker.checkedSuperConstructor(Checker.java:236)
      	at org.kohsuke.groovy.sandbox.impl.Checker$checkedSuperConstructor$6.callStatic(Unknown Source)
      	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
      	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
      	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:214)
      	at NothingToDoException.<init>(WorkflowScript:3)
      	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
      	at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
      	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
      	at java.lang.reflect.Constructor.newInstance(Unknown Source)
      	at org.codehaus.groovy.reflection.CachedConstructor.invoke(CachedConstructor.java:83)
      	at org.codehaus.groovy.runtime.callsite.ConstructorSite$ConstructorSiteNoUnwrapNoCoerce.callConstructor(ConstructorSite.java:105)
      	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallConstructor(CallSiteArray.java:60)
      	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:235)
      	at org.kohsuke.groovy.sandbox.impl.Checker$3.call(Checker.java:198)
      	at org.kohsuke.groovy.sandbox.GroovyInterceptor.onNewInstance(GroovyInterceptor.java:42)
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onNewInstance(SandboxInterceptor.java:136)
      	at org.kohsuke.groovy.sandbox.impl.Checker$3.call(Checker.java:195)
      	at org.kohsuke.groovy.sandbox.impl.Checker.checkedConstructor(Checker.java:200)
      	at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.constructorCall(SandboxInvoker.java:21)
      	at WorkflowScript.run(WorkflowScript:9)
      	at ___cps.transform___(Native Method)
      	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:96)
      	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:82)
      	at sun.reflect.GeneratedMethodAccessor257.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
      	at java.lang.reflect.Method.invoke(Unknown Source)
      	at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
      	at com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21)
      	at com.cloudbees.groovy.cps.Next.step(Next.java:83)
      	at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:173)
      	at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:162)
      	at org.codehaus.groovy.runtime.GroovyCategorySupport$ThreadCategoryInfo.use(GroovyCategorySupport.java:122)
      	at org.codehaus.groovy.runtime.GroovyCategorySupport.use(GroovyCategorySupport.java:261)
      	at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:162)
      	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:19)
      	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:35)
      	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:32)
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:108)
      	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:32)
      	at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:174)
      	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:330)
      	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$100(CpsThreadGroup.java:82)
      	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:242)
      	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:230)
      	at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:64)
      	at java.util.concurrent.FutureTask.run(Unknown Source)
      	at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:112)
      	at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
      	at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
      	at java.util.concurrent.FutureTask.run(Unknown Source)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
      	at java.lang.Thread.run(Unknown Source)
      Finished: FAILURE
      

          [JENKINS-46882] Scripts not permitted to use new java.lang.Exception java.lang.String

          Nisha Skinner added a comment -

          Reduced the severity as we managed to work around it. 
          When the pipeline script that contains the exception is loaded from SCM, the RejectedAccessException doesn't seem to add it to the script approval page.

          When I write a dummy script in the Jenkins configuration UI that contains the exception, the RejectedAccessException adds it to the script approval page.

          Nisha Skinner added a comment - Reduced the severity as we managed to work around it.  When the pipeline script that contains the exception is loaded from SCM, the RejectedAccessException doesn't seem to add it to the script approval page. When I write a dummy script in the Jenkins configuration UI that contains the exception, the RejectedAccessException adds it to the script approval page.

          Andrew Bayer added a comment -

          So you were literally running new Exception("something or other")? Whitelisting that seems reasonable.

          Andrew Bayer added a comment - So you were literally running new Exception("something or other") ? Whitelisting that seems reasonable.

          Nisha Skinner added a comment -

          our use case is throw new CustomException(".."). Otherwise we would have just used the available error() command.

          But yeah, it happens even with throw new Exception("..")

          Nisha Skinner added a comment - our use case is throw new CustomException(".."). Otherwise we would have just used the available error() command. But yeah, it happens even with throw new Exception("..")

          Andrew Bayer added a comment -

          Ah, gotcha - I see the references to super constructors in the stacktrace now. I'll see what I can figure out on this, but no promises on timeframe.

          Andrew Bayer added a comment - Ah, gotcha - I see the references to super constructors in the stacktrace now. I'll see what I can figure out on this, but no promises on timeframe.

          Code changed in jenkins
          User: James Hogarth
          Path:
          src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist
          http://jenkins-ci.org/commit/script-security-plugin/b4584131f5580fd7bc8dfe63e11fea8a9ea6cbff
          Log:
          JENKINS-46882 allow new Exceptions to be thrown

          new Execption("foo") is currently not permitted, but is very useful to
          do and is a standard/safe thing in a Jenkinsfile

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: James Hogarth Path: src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist http://jenkins-ci.org/commit/script-security-plugin/b4584131f5580fd7bc8dfe63e11fea8a9ea6cbff Log: JENKINS-46882 allow new Exceptions to be thrown new Execption("foo") is currently not permitted, but is very useful to do and is a standard/safe thing in a Jenkinsfile

          Code changed in jenkins
          User: Andrew Bayer
          Path:
          src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist
          http://jenkins-ci.org/commit/script-security-plugin/d0ef83d271d3c93176562146345dc042d4eefcbb
          Log:
          Merge pull request #198 from hogarthj/JENKINS-46882

          JENKINS-46882 allow new Exceptions to be thrown

          Compare: https://github.com/jenkinsci/script-security-plugin/compare/9d642ae73c88...d0ef83d271d3

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Andrew Bayer Path: src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist http://jenkins-ci.org/commit/script-security-plugin/d0ef83d271d3c93176562146345dc042d4eefcbb Log: Merge pull request #198 from hogarthj/ JENKINS-46882 JENKINS-46882 allow new Exceptions to be thrown Compare: https://github.com/jenkinsci/script-security-plugin/compare/9d642ae73c88...d0ef83d271d3

          Andrew Bayer added a comment -

          Merged, will be in script-security 1.44.

          Andrew Bayer added a comment - Merged, will be in script-security 1.44.

          Richard Lee added a comment -

          Using script-security 1.44, but getting

          org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use new java.lang.IllegalArgumentException java.lang.String

          Shouldn't that be allowed?

          Richard Lee added a comment - Using script-security 1.44, but getting org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use new java.lang.IllegalArgumentException java.lang.String Shouldn't that be allowed?

          Antoine Tran added a comment -

          Using script-security 1.53, this is not reproducible anymore. I can throw new Exception(String) without preapproval. Should be closed.

          Antoine Tran added a comment - Using script-security 1.53, this is not reproducible anymore. I can throw new Exception(String) without preapproval. Should be closed.

            abayer Andrew Bayer
            nskinner Nisha Skinner
            Votes:
            1 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved: