Jenkins / JENKINS-49597

Scripts not permitted to use staticMethod <Serializable object>

      The following code works well on Pipeline: Supporting APIs v 2.17 but stopped working after upgrading to 2.18:

      class Emails implements Serializable {
        public final static List<String> TEAM_FOO = [NO_REPLY, NO_REPLY2]
        public final static String NO_REPLY = "no-reply@example.com"
        public final static String NO_REPLY2 = "no-reply@example.com"
      }

      timestamps {
        node('master') {
          def emails = Emails.TEAM_FOO
        }
      }

      Exception is:

      org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticField Emails NO_REPLY
      at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectStaticField(StaticWhitelist.java:199)
      at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor$14.reject(SandboxInterceptor.java:372)
      at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:381)
      at org.kohsuke.groovy.sandbox.impl.Checker$6.call(Checker.java:284)
      at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:288)
      at org.kohsuke.groovy.sandbox.impl.Checker$checkedGetProperty.callStatic(Unknown Source)
      at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
      at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
      at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:230)
      at Emails.<clinit>(WorkflowScript:5)
       

      It can be partially fixed by whitelisting the following signatures:

      public final static String NO_REPLY

      public final static String NO_REPLY2 

      etc...

       

      The problem is that there are LOTS of such constants in real code, which makes it difficult to whitelist them all.
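To see how many approvals a set of builds would actually require, the rejected signatures can be collected from the console logs instead of being approved one failure at a time. This is an added example, not code from the issue or from the Jenkins project; the sample log is constructed from the two exception messages quoted on this page, and the function names and the `own_prefixes` parameter are hypothetical.

```python
import re
from collections import defaultdict

# The text after "use" in the exception message is the signature string,
# e.g. "staticField Emails NO_REPLY".
REJECTION = re.compile(
    r"RejectedAccessException: Scripts not permitted to use "
    r"(?P<kind>staticField|staticMethod|field|method|new)\s+(?P<rest>\S.*?)\s*$"
)

# Constructed sample: two builds of one job plus one library build.
SAMPLE_LOG = """\
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticField Emails NO_REPLY
    at Emails.<clinit>(WorkflowScript:5)
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticField Emails NO_REPLY
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel TRACE
    at io.wcm.devops.jenkins.pipeline.utils.logging.Logger.<clinit>(Logger.groovy:47)
"""

def rejected_signatures(log_text):
    """Return {owner class: sorted unique signatures} found in log_text."""
    by_class = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECTION.search(line)
        if not m:
            continue  # stack frames and ordinary build output
        owner = m.group("rest").split()[0]
        by_class[owner].add(f"{m.group('kind')} {m.group('rest')}")
    return {cls: sorted(sigs) for cls, sigs in sorted(by_class.items())}

def needs_review(by_class, own_prefixes):
    """Signatures whose owner class is outside the package prefixes the team
    owns (own_prefixes is an assumption of this example)."""
    owned = tuple(own_prefixes)
    return [sig for cls, sigs in by_class.items()
            if not cls.startswith(owned) for sig in sigs]

if __name__ == "__main__":
    found = rejected_signatures(SAMPLE_LOG)
    for cls, sigs in found.items():
        print(cls)
        for sig in sigs:
            print("   ", sig)
    print("outside owned packages:", needs_review(found, ["io.wcm.devops."]))
```
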


          Andrew Bayer added a comment -

          Looks like this would probably be related to SECURITY-699 - jglick, any thoughts?


          Tobias Richter added a comment - - edited

          We are also experiencing this issue.

          Steps to reproduce:

          1. Create a folder and add a folder library definition for https://github.com/wcm-io-devops/jenkins-pipeline-library with version master and name "pipelineLibrary"
          2. Create a new Pipeline Job inside this folder with
            1. src: https://github.com/wcm-io-devops/jenkins-pipeline-library.git
            2. Script Path: jenkinsfiles/integration-tests.groovy
          3. Run the Job

          Output:

          org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel TRACE
           at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectStaticField(StaticWhitelist.java:199)
           at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor$14.reject(SandboxInterceptor.java:372)
           at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:381)
           at org.kohsuke.groovy.sandbox.impl.Checker$6.call(Checker.java:284)
           at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:288)
           at org.kohsuke.groovy.sandbox.impl.Checker$checkedGetProperty.callStatic(Unknown Source)
           at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
           at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
           at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:230)
           at io.wcm.devops.jenkins.pipeline.utils.logging.Logger.<clinit>(Logger.groovy:47)
          
          

          Logger Class: https://github.com/wcm-io-devops/jenkins-pipeline-library/blob/master/src/io/wcm/devops/jenkins/pipeline/utils/logging/LogLevel.groovy

          From my point of view it should be possible to access static fields of Pipeline Library Classes.


          Sami Lempinen added a comment -

          We have been bitten by this also, as a result of an upgrade yesterday.

          Our Jenkinsfiles and libraries utilise the static field access extensively. Our only option seems to be to either downgrade or disable script security altogether.


            Unassigned Unassigned
            berestoff veniamin b
            Votes: 6
            Watchers: 10
