[JENKINS-49788] ConcurrentLinkedQueue is missing from whitelisted-classes.txt

    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Component: core
    • Jenkins v 2.109

      java version "1.8.0_161"
      Java(TM) SE Runtime Environment (build 1.8.0_161-b12)
      Java HotSpot(TM) 64-Bit Server VM (build 25.161-b12, mixed mode)

      We make use of the ConcurrentLinkedQueue class, which is not whitelisted like other concurrent collections are. The unmarshalling and marshalling of the field fails with the following error:

      Feb 28, 2018 9:08:22 AM WARNING jenkins.security.ClassFilterImpl lambda$isBlacklisted$1
      java.util.concurrent.ConcurrentLinkedQueue in JRE might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/

      java.lang.UnsupportedOperationException: Refusing to marshal java.util.concurrent.ConcurrentLinkedQueue for security reasons; see https://jenkins.io/redirect/class-filter/
          at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:543)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
          at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
          at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
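
To see which classes the class filter is rejecting across a whole Jenkins log, the two message formats quoted above can be aggregated per class. This is an added example, not part of the original report or of Jenkins itself; the function name, the sample records beyond the first one, and the "unmarshal" message wording are assumptions.

```python
import re

# Record header of java.util.logging output, as in the excerpt above.
HEADER = re.compile(r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) [A-Z]+ \S+")
# Warning text logged by jenkins.security.ClassFilterImpl on rejection.
REJECTED = re.compile(r"^(?P<cls>[\w.$]+) in (?P<origin>.+?) might be dangerous, so rejecting")
# Exception text from the XStream converter. Only "marshal" appears in the
# report; the "unmarshal" wording is an assumption.
REFUSED = re.compile(r"Refusing to (?P<op>marshal|unmarshal) (?P<cls>[\w.$]+) for security reasons")

# Constructed sample: the first record reuses the lines quoted in the report;
# the INFO record and com.example.QueueState are made up for illustration.
SAMPLE_LOG = """\
Feb 28, 2018 9:08:22 AM WARNING jenkins.security.ClassFilterImpl lambda$isBlacklisted$1
java.util.concurrent.ConcurrentLinkedQueue in JRE might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/
java.lang.UnsupportedOperationException: Refusing to marshal java.util.concurrent.ConcurrentLinkedQueue for security reasons; see https://jenkins.io/redirect/class-filter/
    at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:543)
Feb 28, 2018 9:10:05 AM INFO com.example.Heartbeat run
Finished example periodic task
Feb 28, 2018 9:12:40 AM WARNING jenkins.security.ClassFilterImpl lambda$isBlacklisted$1
com.example.QueueState in file:/var/jenkins_home/plugins/example/WEB-INF/lib/example.jar might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/
"""


def summarize_rejections(lines):
    """Map each rejected class to origin, warning count, refused ops, first timestamp."""
    summary, last_ts = {}, None
    for raw in lines:
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            last_ts = header.group("ts")  # timestamp of the current log record
            continue
        match = REJECTED.match(line) or REFUSED.search(line)
        if not match:
            continue  # stack frames and unrelated messages
        entry = summary.setdefault(match.group("cls"), {
            "origin": None, "warnings": 0, "refused_ops": set(), "first_seen": last_ts})
        if match.re is REJECTED:
            entry["origin"] = match.group("origin")
            entry["warnings"] += 1
        else:
            entry["refused_ops"].add(match.group("op"))
    return {cls: {**e, "refused_ops": sorted(e["refused_ops"])} for cls, e in summary.items()}


if __name__ == "__main__":
    for cls, info in summarize_rejections(SAMPLE_LOG.splitlines()).items():
        print(cls, info)
```

Each class in the summary is a candidate for review: either it is safe to serialize and should be whitelisted, as was done for this issue, or the field holding it should be changed.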

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Carl-Frederik Hallberg
          Path:
          core/src/main/resources/jenkins/security/whitelisted-classes.txt
          http://jenkins-ci.org/commit/jenkins/e5f61e29e260688d7d73339202c22ca199535018
          Log:
          JENKINS-49788 Added ConcurrentLinkedQueue to whitelisted classes. (#3315)

          Oleg Nenashev added a comment -

          Added lts-candidate so that we consider that for 2.107.x.

          FTR I do not see affected plugins in Jenkins org: https://github.com/search?p=1&q=org%3Ajenkinsci+ConcurrentLinkedQueue&type=Code . But it is still reasonable since other collections are whitelisted, and the issue may potentially impact other plugins not hosted in the Jenkins UC.

          Oleg Nenashev added a comment -

          The fix has been integrated towards 2.110. It has not been included in the 2.107.1 release candidate, but it will likely land in 2.107.2.

          Carl-Frederik Hallberg added a comment -

          Great, thanks =)

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Carl-Frederik Hallberg
          Path:
          core/src/main/resources/jenkins/security/whitelisted-classes.txt
          http://jenkins-ci.org/commit/jenkins/e43f90b256914fb091a7718d34985ef543833768
          Log:
          JENKINS-49788 Added ConcurrentLinkedQueue to whitelisted classes. (#3315)

          (cherry picked from commit e5f61e29e260688d7d73339202c22ca199535018)

            oleg_nenashev Oleg Nenashev
            tfiskgul Carl-Frederik Hallberg