Details
-
Bug
-
Status: Resolved (View Workflow)
-
Critical
-
Resolution: Fixed
-
Jenkins 2.102
Pipeline: 2.5
Pipeline: AWS Steps 1.20
Plain Credentials Plugin 1.4
Credentials Plugin 2.1.16
Credentials Binding Plugin 1.14
Ubuntu 14.04.5 LTS
OpenJDK 1.8.0_141
Description
Creating my first pipeline build, trying to upload output to S3. Getting a SecurityException: Rejected: java.lang.String$CaseInsensitiveComparator
Cause in my configuration:
withAWS(credentials:'aws-softwareops') {
s3Upload acl: 'Private', bucket: 'my-bucket', file: 'my-file.zip', path: 'master'
}
Remove this and the build works.
Comment out s3Upload and the build works - proving the cause is definitely s3Upload, not withAWS.
Change the credentials key ("aws-softwareops" above) to something different, and the build fails again, proving the credentials are being picked up from Jenkins correctly.
This is in the logs:
Jan 18, 2018 3:06:58 PM jenkins.security.ClassFilterImpl lambda$isBlacklisted$1
WARNING: java.lang.String$CaseInsensitiveComparator in JRE might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/
This doesn't work:
-Dhudson.remoting.ClassFilter=java.lang.String$CaseInsensitiveComparator
(there is no mention of ClassFilter in the Jenkins log at startup - should there be?)
This is a blocking issue for me.
Stack trace:
java.lang.SecurityException: Rejected: java.lang.String$CaseInsensitiveComparator at hudson.remoting.ClassFilter.check(ClassFilter.java:75) at hudson.remoting.MultiClassLoaderSerializer$Input.resolveClass(MultiClassLoaderSerializer.java:129) at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1826) at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1713) at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2000) at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535) at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2245) at java.io.ObjectInputStream.defaultReadObject(ObjectInputStream.java:552) at java.util.TreeMap.readObject(TreeMap.java:2449) at sun.reflect.GeneratedMethodAccessor5.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1058) at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2136) at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2027) at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535) at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2245) at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2169) at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2027) at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535) at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422) at hudson.remoting.UserRequest.deserialize(UserRequest.java:277) at hudson.remoting.UserResponse.retrieve(UserRequest.java:310) at hudson.remoting.Channel.call(Channel.java:909) at hudson.FilePath.act(FilePath.java:998) at hudson.FilePath.act(FilePath.java:987) at de.taimos.pipeline.aws.S3UploadStep$Execution$1.run(S3UploadStep.java:259)
Attachments
Issue Links
- is related to
-
JENKINS-49027 Improve diagnostics of rejected objects in Remoting
-
- Resolved
-
- relates to
-
JENKINS-47736
JEP-200: Switch Remoting/XStream blacklist to a whitelist
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
- links to
Activity
Code changed in jenkins
User: Jesse Glick
Path:
Jenkinsfile
README.md
pom.xml
src/main/java/de/taimos/pipeline/aws/S3DownloadStep.java
src/main/java/de/taimos/pipeline/aws/S3UploadStep.java
src/main/resources/META-INF/hudson.remoting.ClassFilter
src/test/java/de/taimos/pipeline/aws/S3UploadStepIntegrationTest.java
http://jenkins-ci.org/commit/pipeline-aws-plugin/fbffe2bc03384857b24262b1630b2fa2f1799b2a
Log:
JENKINS-49025 Adding a necessary whitelist entry.
Code changed in jenkins
User: Thorsten Hoeger
Path:
Jenkinsfile
README.md
pom.xml
src/main/java/de/taimos/pipeline/aws/S3DownloadStep.java
src/main/java/de/taimos/pipeline/aws/S3UploadStep.java
src/main/resources/META-INF/hudson.remoting.ClassFilter
src/test/java/de/taimos/pipeline/aws/S3UploadStepIntegrationTest.java
http://jenkins-ci.org/commit/pipeline-aws-plugin/e36797dae5a3f5e09faf14ee5722bad2aab8b400
Log:
Merge pull request #37 from jglick/JENKINS-49025
JENKINS-49025 Adding a necessary whitelist entry
Compare: https://github.com/jenkinsci/pipeline-aws-plugin/compare/0ed1e9b04ff9...e36797dae5a3
Code changed in jenkins
User: Jesse Glick
Path:
src/main/java/org/jenkinsci/plugins/workflow/actions/ErrorAction.java
src/test/java/org/jenkinsci/plugins/workflow/actions/ErrorActionTest.java
http://jenkins-ci.org/commit/workflow-api-plugin/a48460ebdf7d03bedd82bb9e3e9de41481d58a4a
Log:
JENKINS-49025 Extending JENKINS-34488 fix yet again; JENKINS-39346 only considered causes, but other Throwable fields could also be unserializable.
Code changed in jenkins
User: Andrew Bayer
Path:
src/main/java/org/jenkinsci/plugins/workflow/actions/ErrorAction.java
src/test/java/org/jenkinsci/plugins/workflow/actions/ErrorActionTest.java
http://jenkins-ci.org/commit/workflow-api-plugin/43fc2f234bdddbdbdbf72c1844cc5750c88618c0
Log:
Merge pull request #64 from jglick/nested-error-fields-JENKINS-49025
JENKINS-49025 Extending JENKINS-34488 fix yet again
Compare: https://github.com/jenkinsci/workflow-api-plugin/compare/1f5461aa99df...43fc2f234bdd
Code changed in jenkins
User: Jesse Glick
Path:
core/src/main/resources/jenkins/security/whitelisted-classes.txt
http://jenkins-ci.org/commit/jenkins/2696e9c865c58779c5115ff3fb8bb527cb788678
Log:
Merge pull request #3245 from jglick/
JENKINS-49025JENKINS-49025Add java.lang.String$CaseInsensitiveComparatorCompare: https://github.com/jenkinsci/jenkins/compare/4f4af4e6ab8c...2696e9c865c5