[JENKINS-49175] Job DSL Plugin violates whitelist

Type: Bug
Resolution: Fixed
Priority: Minor
Component/s: job-dsl-plugin
Labels:
- JEP-200

Similar Issues:
Powered by SuggestiMate

Show

After upgrading Jenkins to 2.103 I found the following message in the Jenkins logs:

Jan 25, 2018 8:37:28 PM WARNING jenkins.security.ClassFilterImpl lambda$isBlacklisted$1
javaposse.jobdsl.dsl.GeneratedView in file:/var/lib/jenkins/plugins/job-dsl/WEB-INF/lib/job-dsl-core-1.66.jar might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/

According to the blog post I want you to know about this problem, even if I don't see anything wrong. DSL jobs run fine and without bugs.

is duplicated by

JENKINS-50733 SEVERE: Failed to save build record (job-dsl JEP-200)

Closed

is related to

JENKINS-47736 JEP-200: Switch Remoting/XStream blacklist to a whitelist

Resolved

links to

https://github.com/jenkinsci/job-dsl-plugin/pull/1092

Emil Wypych created issue - 2018-01-25 19:55

Emil Wypych made changes - 2018-01-25 19:56

Link

New: This issue is related to ~~JENKINS-47736~~ [ ~~JENKINS-47736~~ ]

Oleg Nenashev added a comment - 2018-01-26 07:44

Actually JobDSL is affected by the change, but it has been hotfixed on the core's side: https://github.com/jenkinsci/jenkins/blob/master/core/src/main/resources/jenkins/security/whitelisted-classes.txt#L136 . I think the patch was not complete (CC jglick). I will create a patch and try to investigate the code to find other potential issues.

Oleg Nenashev added a comment - 2018-01-26 07:44 Actually JobDSL is affected by the change, but it has been hotfixed on the core's side: https://github.com/jenkinsci/jenkins/blob/master/core/src/main/resources/jenkins/security/whitelisted-classes.txt#L136 . I think the patch was not complete (CC jglick ). I will create a patch and try to investigate the code to find other potential issues.

Oleg Nenashev made changes - 2018-01-26 07:44

Assignee

Original: Daniel Spilker [ daspilker ]

New: Oleg Nenashev [ oleg_nenashev ]

Oleg Nenashev made changes - 2018-01-26 07:44

Status

Original: Open [ 1 ]

New: In Progress [ 3 ]

Emil Wypych added a comment - 2018-01-26 08:25

Hi, oleg_nenashev

thanks for your information. Please remember that jobs run properly and without visible problems. So the only one problem I can see is this message in the Jenkins logs.

And please notice, that link you provided has javaposse.jobdsl.dsl.GeneratedJob whitelisted, but I have javaposse.jobdsl.dsl.GeneratedView in my logs. Maybe that's the problem?

Emil Wypych added a comment - 2018-01-26 08:25 Hi, oleg_nenashev thanks for your information. Please remember that jobs run properly and without visible problems. So the only one problem I can see is this message in the Jenkins logs. And please notice, that link you provided has javaposse.jobdsl.dsl. GeneratedJob whitelisted, but I have javaposse.jobdsl.dsl. GeneratedView in my logs. Maybe that's the problem?

Oleg Nenashev added a comment - 2018-01-26 08:29

ewypych yes, that's what I meant. The current whitelist does not cover all classes.
Would be great if you provide a full stacktrace though

Oleg Nenashev added a comment - 2018-01-26 08:29 ewypych yes, that's what I meant. The current whitelist does not cover all classes. Would be great if you provide a full stacktrace though

Emil Wypych added a comment - 2018-01-26 08:39

oleg_nenashev here your are:

Jan 26, 2018 9:35:34 AM WARNING jenkins.security.ClassFilterImpl lambda$isBlacklisted$1
javaposse.jobdsl.dsl.GeneratedView in file:/var/lib/jenkins/plugins/job-dsl/WEB-INF/lib/job-dsl-core-1.66.jar might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/

Jan 26, 2018 9:35:55 AM SEVERE hudson.model.Run execute
Failed to save build record
java.lang.UnsupportedOperationException: Refusing to marshal javaposse.jobdsl.dsl.GeneratedView for security reasons; see https://jenkins.io/redirect/class-filter/
	at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:530)
	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:88)
	at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.writeItem(AbstractCollectionConverter.java:64)
	at com.thoughtworks.xstream.converters.collections.CollectionConverter.marshal(CollectionConverter.java:74)
	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
	at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
	at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
Caused: java.lang.RuntimeException: Failed to serialize javaposse.jobdsl.plugin.actions.GeneratedObjectsRunAction#modifiedObjects for class javaposse.jobdsl.plugin.actions.GeneratedViewsBuildAction
	at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
	at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224)
	at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138)
	at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209)
	at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150)
	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:88)
	at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.writeItem(AbstractCollectionConverter.java:64)
	at com.thoughtworks.xstream.converters.collections.CollectionConverter.marshal(CollectionConverter.java:74)
	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
	at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
	at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
Caused: java.lang.RuntimeException: Failed to serialize hudson.model.Actionable#actions for class hudson.model.FreeStyleBuild
	at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
	at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224)
	at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138)
	at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209)
	at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150)
	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
	at com.thoughtworks.xstream.core.TreeMarshaller.start(TreeMarshaller.java:82)
	at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.marshal(AbstractTreeMarshallingStrategy.java:37)
	at com.thoughtworks.xstream.XStream.marshal(XStream.java:1026)
	at com.thoughtworks.xstream.XStream.marshal(XStream.java:1015)
	at com.thoughtworks.xstream.XStream.toXML(XStream.java:988)
	at hudson.XmlFile.write(XmlFile.java:194)
Caused: java.io.IOException
	at hudson.XmlFile.write(XmlFile.java:201)
	at hudson.model.Run.save(Run.java:1923)
	at hudson.model.Run.execute(Run.java:1784)
	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
	at hudson.model.ResourceController.execute(ResourceController.java:97)
	at hudson.model.Executor.run(Executor.java:429)

Emil Wypych added a comment - 2018-01-26 08:39 oleg_nenashev here your are: Jan 26, 2018 9:35:34 AM WARNING jenkins.security.ClassFilterImpl lambda$isBlacklisted$1 javaposse.jobdsl.dsl.GeneratedView in file:/var/lib/jenkins/plugins/job-dsl/WEB-INF/lib/job-dsl-core-1.66.jar might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/ Jan 26, 2018 9:35:55 AM SEVERE hudson.model.Run execute Failed to save build record java.lang.UnsupportedOperationException: Refusing to marshal javaposse.jobdsl.dsl.GeneratedView for security reasons; see https://jenkins.io/redirect/class-filter/ at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:530) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69) at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58) at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:88) at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.writeItem(AbstractCollectionConverter.java:64) at com.thoughtworks.xstream.converters.collections.CollectionConverter.marshal(CollectionConverter.java:74) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69) at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84) at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265) at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252) Caused: java.lang.RuntimeException: Failed to serialize javaposse.jobdsl.plugin.actions.GeneratedObjectsRunAction#modifiedObjects for class javaposse.jobdsl.plugin.actions.GeneratedViewsBuildAction at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256) at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224) at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138) at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209) at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69) at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58) at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:88) at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.writeItem(AbstractCollectionConverter.java:64) at com.thoughtworks.xstream.converters.collections.CollectionConverter.marshal(CollectionConverter.java:74) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69) at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84) at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265) at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252) Caused: java.lang.RuntimeException: Failed to serialize hudson.model.Actionable#actions for class hudson.model.FreeStyleBuild at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256) at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224) at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138) at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209) at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69) at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58) at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43) at com.thoughtworks.xstream.core.TreeMarshaller.start(TreeMarshaller.java:82) at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.marshal(AbstractTreeMarshallingStrategy.java:37) at com.thoughtworks.xstream.XStream.marshal(XStream.java:1026) at com.thoughtworks.xstream.XStream.marshal(XStream.java:1015) at com.thoughtworks.xstream.XStream.toXML(XStream.java:988) at hudson.XmlFile.write(XmlFile.java:194) Caused: java.io.IOException at hudson.XmlFile.write(XmlFile.java:201) at hudson.model.Run.save(Run.java:1923) at hudson.model.Run.execute(Run.java:1784) at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43) at hudson.model.ResourceController.execute(ResourceController.java:97) at hudson.model.Executor.run(Executor.java:429)

Oleg Nenashev added a comment - 2018-01-26 09:56

https://github.com/jenkinsci/job-dsl-plugin/pull/1092 should fix that

Oleg Nenashev added a comment - 2018-01-26 09:56 https://github.com/jenkinsci/job-dsl-plugin/pull/1092 should fix that

Oleg Nenashev made changes - 2018-01-26 09:56

Remote Link

New: This issue links to "https://github.com/jenkinsci/job-dsl-plugin/pull/1092 (Web Link)" [ 19960 ]

Assignee:: Daniel Spilker

Reporter:: Emil Wypych

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2018-01-25 19:55

Updated:: 2018-04-11 21:28

Resolved:: 2018-01-26 19:46

Jenkins

Details

Description

Attachments

Issue Links

Activity

Collapse comment: Oleg Nenashev added a comment - 2018-01-26 07:44

Expand comment: Oleg Nenashev added a comment - 2018-01-26 07:44

Collapse comment: Emil Wypych added a comment - 2018-01-26 08:25

Expand comment: Emil Wypych added a comment - 2018-01-26 08:25

Collapse comment: Oleg Nenashev added a comment - 2018-01-26 08:29

Expand comment: Oleg Nenashev added a comment - 2018-01-26 08:29

Collapse comment: Emil Wypych added a comment - 2018-01-26 08:39

Expand comment: Emil Wypych added a comment - 2018-01-26 08:39

Collapse comment: Oleg Nenashev added a comment - 2018-01-26 09:56

Expand comment: Oleg Nenashev added a comment - 2018-01-26 09:56

People

Dates