
Check for varargs in script-security plugin fails

    • Bug
    • Resolution: Fixed
    • Minor
    • script-security-plugin
    • None
    • Jenkins 2.46, script-security-plugin 1.35-SNAPSHOT

      This is my script (not a pipeline - just system groovy script):

      params = [new StringParameterValue ('GIT_PUSH_USER','builder'), new StringParameterValue ("SHA1",'9df4d51934c3f39663c5dbc1e08c09775b45c61f'),
        new BooleanParameterValue('TEST_ONLY_CHANGED',false)]

      parmAction = new ParametersAction(params)

       

      Causes failure with:

      org.codehaus.groovy.runtime.typehandling.GroovyCastException: Cannot cast object '[(StringParameterValue) GIT_PUSH_USER='builder', (StringParameterValue) SHA1='9df4d51934c3f39663c5dbc1e08c09775b45c61f' (BooleanParameterValue) TEST_ONLY_CHANGED='false']' with class 'java.util.ArrayList' to class 'hudson.model.ParameterValue' due to: groovy.lang.GroovyRuntimeException: Could not find matching constructor for: hudson.model.ParameterValue(hudson.model.StringParameterValue, hudson.model.StringParameterValue,hudson.model.BooleanParameterValue)
      at org.codehaus.groovy.runtime.typehandling.DefaultTypeTransformation.continueCastOnSAM(DefaultTypeTransformation.java:403)
      at org.codehaus.groovy.runtime.typehandling.DefaultTypeTransformation.continueCastOnNumber(DefaultTypeTransformation.java:319)
      at org.codehaus.groovy.runtime.typehandling.DefaultTypeTransformation.castToType(DefaultTypeTransformation.java:232)
      at org.codehaus.groovy.runtime.typehandling.DefaultTypeTransformation.castToVargsArray(DefaultTypeTransformation.java:881)
      at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovyCallSiteSelector.parametersForVarargs(GroovyCallSiteSelector.java:103)
      at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovyCallSiteSelector.matches(GroovyCallSiteSelector.java:52)
      at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovyCallSiteSelector.constructor(GroovyCallSiteSelector.java:164)
      at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onNewInstance(SandboxInterceptor.java:142)
      at org.kohsuke.groovy.sandbox.impl.Checker$3.call(Checker.java:195)
      at org.kohsuke.groovy.sandbox.impl.Checker.checkedConstructor(Checker.java:200)
      at org.kohsuke.groovy.sandbox.impl.Checker$checkedConstructor.callStatic(Unknown Source)
      at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
      at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
      at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:214)
      at Script1.run(Script1.groovy:13)
      at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:141)
      at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript.evaluate(SecureGroovyScript.java:165)
      at hudson.plugins.groovy.SystemGroovy.run(SystemGroovy.java:95)
      at hudson.plugins.groovy.SystemGroovy.perform(SystemGroovy.java:59)
      at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
      at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:779)
      at hudson.model.Build$BuildExecution.build(Build.java:205)
      at hudson.model.Build$BuildExecution.doRun(Build.java:162)
      at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:534)
      at hudson.model.Run.execute(Run.java:1741)
      at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
      at hudson.model.ResourceController.execute(ResourceController.java:98)
      at hudson.model.Executor.run(Executor.java:410)

          [JENKINS-47159] Check for varargs in script-security plugin fails

          Andrew Bayer added a comment -

          PR up at https://github.com/jenkinsci/script-security-plugin/pull/156

          Anton Weiss added a comment -

          Thanks a lot!

          Any expectations as to when this gets released?


          Andrew Bayer added a comment -

          Dunno yet? I'll try to go through other PRs and open issues next week and see if a release is merited.


          Anton Weiss added a comment -

          Looking forward to that! Thanks again for the prompt fix.


          Anton Weiss added a comment -

          abayer, I think I found another issue. :/ Checking now.


          Anton Weiss added a comment -

          Yep, there's an issue.

          In the following script:

          def t = Hudson.instance.getJob("test")
          params = [new BooleanParameterValue ('FLAG',true)]
          parmAction = new ParametersAction(params)
          future = t.scheduleBuild2(0, new Cause.UpstreamCause(build), parmAction)
          

          I'm getting:

          org.codehaus.groovy.runtime.typehandling.GroovyCastException: Cannot cast object 'job/check/59[hudson.model.Cause$UserIdCause@1f]' with class 'hudson.model.Cause$UpstreamCause' to class 'hudson.model.Action'
          at org.codehaus.groovy.runtime.typehandling.DefaultTypeTransformation.continueCastOnSAM(DefaultTypeTransformation.java:405)
          at org.codehaus.groovy.runtime.typehandling.DefaultTypeTransformation.continueCastOnNumber(DefaultTypeTransformation.java:319)
          at org.codehaus.groovy.runtime.typehandling.DefaultTypeTransformation.castToType(DefaultTypeTransformation.java:232)
          at org.codehaus.groovy.runtime.typehandling.DefaultTypeTransformation.castToVargsArray(DefaultTypeTransformation.java:881)
          at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovyCallSiteSelector.parametersForVarargs(GroovyCallSiteSelector.java:103)
          at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovyCallSiteSelector.matches(GroovyCallSiteSelector.java:51)
          at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovyCallSiteSelector.findMatchingMethod(GroovyCallSiteSelector.java:195)
          at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovyCallSiteSelector.method(GroovyCallSiteSelector.java:146)
          at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:87)
          at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:153)
          at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:157)
          at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source)
          at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
          at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
          at Script1.run(Script1.groovy:14)

          Because we should be passing in the varargs position (fixedLen) and not the arrayLength.


          Jesse Glick added a comment -

          Have you checked the open issues in this component for duplicates?


          Anton Weiss added a comment -

          Yes, I did.

          This is happening in an unreleased version and is caused by a fix introduced for JENKINS-44557.

          So not really a duplicate.


          Tomáš Rohrbacher added a comment - edited

          I can confirm that this bug is in script-security-plugin v.1.26 as well as 1.29.1 running on Jenkins v. 1.651.3.

           

          Code:

          def PARAM = "param"
          build.addAction(new ParametersAction(
           new StringParameterValue('PARAM', PARAM)
          ));
          

          as well as:

          build.addAction(new ParametersAction(
              new StringParameterValue("param1", param1),
              new StringParameterValue("param2", param2)
          ));

          yields the following error:
          ERROR: Build step failed with exception
          java.lang.IllegalArgumentException: array element type mismatch
          at java.lang.reflect.Array.set(Native Method)
          at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovyCallSiteSelector.parametersForVarargs(GroovyCallSiteSelector.java:102)
          at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovyCallSiteSelector.matches(GroovyCallSiteSelector.java:49)
          at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovyCallSiteSelector.constructor(GroovyCallSiteSelector.java:162)
          at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onNewInstance(SandboxInterceptor.java:124)
          at org.kohsuke.groovy.sandbox.impl.Checker$3.call(Checker.java:191)
          at org.kohsuke.groovy.sandbox.impl.Checker.checkedConstructor(Checker.java:188)
          at org.kohsuke.groovy.sandbox.impl.Checker$checkedConstructor.callStatic(Unknown Source)
          at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:50)
          at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:157)
          at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:169)
          at Script1.run(Script1.groovy:48)
          at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:141)
          at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript.evaluate(SecureGroovyScript.java:163)
          at hudson.plugins.groovy.SystemGroovy.run(SystemGroovy.java:95)
          at hudson.plugins.groovy.SystemGroovy.perform(SystemGroovy.java:59)
          at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
          at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:782)
          at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.build(MavenModuleSetBuild.java:945)
          at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.doRun(MavenModuleSetBuild.java:683)
          at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:534)
          at hudson.model.Run.execute(Run.java:1738)
          at hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:543)
          at hudson.model.ResourceController.execute(ResourceController.java:98)
          at hudson.model.Executor.run(Executor.java:410)
          Build step 'Execute system Groovy script' marked build as failure
           

          Workaround

          I am attempting to overcome this issue by calling the only constructor that is not overloaded – the two parameter ParametersAction(List<ParameterValue> parameters, Collection<String> additionalSafeParameters) constructor.

          ParameterValue[] params = [
          		new StringParameterValue("param1", param1),
          		new StringParameterValue("param2", param2),
          ]
          String [] safeParams = []
          // XXX because of JENKINS-47159
          build.addAction (new ParametersAction(params, safeParams));
          

           

          I think that this is a severe issue for all of the Jenkins users that use Groovy scripting.
          Hell, this usage is even written in the first example on the official jenkins-groovy-plugin page.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Andrew Bayer
          Path:
          src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovyCallSiteSelector.java
          src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovyCallSiteSelectorTest.java
          http://jenkins-ci.org/commit/script-security-plugin/fdf28858e4309f4e094b30bde47c10e9b5889f6e
          Log:
          [FIXED JENKINS-47159] Set proper vargs location

          We shouldn't be starting looking for vargs until we've got to the
          index of the last parameter type and that last parameter type is an
          array. So...tada.
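The rule from the commit message and the `fixedLen` remark earlier in the thread, as an added Java example (not the plugin's code): trailing arguments are packed into the varargs array starting at the index of the last parameter type, and only when that type is an array. `VarargsMatchDemo`, `pack`, and the stand-in types `Action`, `Cause` and `ParametersAction` are assumptions that mirror the shape of `scheduleBuild2(int, Cause, Action...)` without needing Jenkins on the classpath.

```java
import java.lang.reflect.Array;
import java.util.Arrays;

public class VarargsMatchDemo {
    // Stand-in types (assumptions), shaped like scheduleBuild2(int, Cause, Action...)
    interface Action {}
    static class Cause {}
    static class ParametersAction implements Action {}

    /**
     * Returns the argument list as a varargs target would receive it (trailing
     * arguments packed into one array), or null when the call does not fit.
     * varargsStart is the index in args where packing begins.
     * Fixed-position arguments are assumed to be type-checked by the caller.
     */
    static Object[] pack(Class<?>[] types, Object[] args, int varargsStart) {
        if (types.length == 0 || !types[types.length - 1].isArray()) {
            return null; // last parameter type is not an array: not a varargs signature
        }
        int fixedLen = types.length - 1;
        if (args.length < fixedLen || varargsStart < 0 || varargsStart > args.length) {
            return null;
        }
        Class<?> component = types[fixedLen].getComponentType();
        Object array = Array.newInstance(component, args.length - varargsStart);
        for (int i = varargsStart; i < args.length; i++) {
            // Primitive component types never pass isInstance, so they are
            // conservatively treated as "no match" here.
            if (args[i] != null && !component.isInstance(args[i])) {
                return null; // report "no match" rather than throwing from the selector
            }
            Array.set(array, i - varargsStart, args[i]);
        }
        Object[] packed = Arrays.copyOf(args, fixedLen + 1, Object[].class);
        packed[fixedLen] = array;
        return packed;
    }

    public static void main(String[] unused) {
        Class<?>[] types = {int.class, Cause.class, Action[].class};
        Object[] args = {0, new Cause(), new ParametersAction()};
        int fixedLen = types.length - 1;          // index of the Action... slot
        int arrayLength = args.length - fixedLen; // number of trailing arguments

        // Correct start: only the ParametersAction lands in the Action[] array.
        Object[] ok = pack(types, args, fixedLen);
        // Wrong start (the count used as an offset): the Cause at index 1 is
        // offered as an Action, the mismatch behind the cast error in the thread.
        Object[] bad = pack(types, args, arrayLength);

        System.out.println("start = fixedLen:    " + (ok == null ? "no match"
                : "match, varargs array length " + Array.getLength(ok[fixedLen])));
        System.out.println("start = arrayLength: " + (bad == null ? "no match" : "match"));
    }
}
```

A sandbox selector that resolves a different overload than the runtime dispatches either rejects legitimate scripts, as in this issue, or evaluates the whitelist against the wrong signature, so the packing offset deserves a regression test per overload shape.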

            abayer Andrew Bayer
            antweiss Anton Weiss