
JEP-200: UnsupportedOperationException: Refusing to marshal net.sf.json.JSONObject for security reasons

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • consul-plugin
    • Jenkins 2.107+

      Persisting the global consul plugin configuration to disk isn't working.

      Looks to be broken by JEP-200: Switch Remoting/XStream blacklist to a whitelist (https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc).

      Jenkins server log:

      WARNING Failed to save /var/jenkins_home/com.inneractive.jenkins.plugins.consul.configurations.ConsulGlobalConfigurations.xml
      java.io.IOException: java.lang.RuntimeException: Failed to serialize com.inneractive.jenkins.plugins.consul.configurations.ConsulGlobalConfigurations$DescriptorImpl#configurationsList for class com.inneractive.jenkins.plugins.consul.configurations.ConsulGlobalConfigurations$DescriptorImpl
      ...
      Caused by: java.lang.UnsupportedOperationException: Refusing to marshal net.sf.json.JSONObject for security reasons; see https://jenkins.io/redirect/class-filter/
      at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:543)
      at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
      at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
      at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
      at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
      at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
      ... 107 more


          Fred Vogt added a comment -

          liozn in my case this isn't an adoption blocker for us.

          We configure plugin global config at Jenkins startup using groovy hook scripts.


          Oleg Nenashev added a comment -

          So it fails here: https://github.com/jenkinsci/consul-plugin/blob/b2e9843866b79e76d5ab4a16701384d141ea5452/src/main/java/com/inneractive/jenkins/plugins/consul/configurations/ConsulGlobalConfigurations.java#L22
          I confirm the issue, and it will require a complicated fix in order to have a data migration from previous instances (Jenkins 2.102+ will just refuse to load the config since JSONObject is blacklisted). OTOH a partial fix like JENKINS-50303 could be applied (data migration happens only for pre-JEP-200 instances)

          The plugin has less than 100 installations, and I doubt JEP-200 maintainers will have capacity to work on it soon. A fix similar to https://github.com/jenkinsci/mesos-plugin/commit/f305f0a3b9b401ab4ed2b44a798757668a1e41a8 can be implemented, in the worst case JSON can be just stored as string.

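          The approach Oleg describes (keep net.sf.json.JSONObject out of any field that XStream persists, so the JEP-200 class filter has nothing to refuse) is sketched below as an added example. It is not the consul plugin's code and not a proposed patch for it: the package name, the class and field names, and the "installations" form section are assumptions. The submitted JSONObject is only bound to a typed Describable in configure() and is then discarded; what reaches XStream is a java.util.List of the plugin's own class holding Strings and an int, all of which the whitelist accepts.

```java
package example.consul; // assumed package; not the consul plugin's own

import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import jenkins.model.GlobalConfiguration;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.StaplerRequest;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Global configuration whose persisted state contains only JEP-200-safe types:
 * a java.util.List of the plugin's own Describable class, which itself holds
 * Strings and an int. No net.sf.json.JSONObject is ever assigned to a field,
 * so save() never asks XStream to marshal one.
 */
@Extension
public class ConsulGlobalConfigurationExample extends GlobalConfiguration {

    /** Persisted field (assumed name); serialised as a plain list of entries. */
    private List<ConsulInstallation> installations = new ArrayList<>();

    public ConsulGlobalConfigurationExample() {
        load(); // read the existing XML, if any, at startup
    }

    public static ConsulGlobalConfigurationExample get() {
        return GlobalConfiguration.all().get(ConsulGlobalConfigurationExample.class);
    }

    public List<ConsulInstallation> getInstallations() {
        return Collections.unmodifiableList(installations);
    }

    public void setInstallations(List<ConsulInstallation> installations) {
        this.installations = installations == null
                ? new ArrayList<>()
                : new ArrayList<>(installations);
    }

    /**
     * Form submission handler. The JSONObject is transient input here: it is
     * bound to typed objects and discarded, never stored in a field.
     */
    @Override
    public boolean configure(StaplerRequest req, JSONObject json) throws FormException {
        // "installations" is the assumed name of the repeatable form section;
        // bindJSONToList accepts either a single JSONObject or a JSONArray.
        setInstallations(req.bindJSONToList(ConsulInstallation.class, json.get("installations")));
        save();
        return true;
    }

    /** Called by XStream after unmarshalling; tolerates XML without the field. */
    protected Object readResolve() {
        if (installations == null) {
            installations = new ArrayList<>();
        }
        return this;
    }

    /** One entry; every field is a String or primitive, which the class filter allows. */
    public static class ConsulInstallation extends AbstractDescribableImpl<ConsulInstallation> {
        private final String name;
        private final String host;
        private final int port;

        @DataBoundConstructor
        public ConsulInstallation(String name, String host, int port) {
            this.name = name;
            this.host = host;
            this.port = port;
        }

        public String getName() { return name; }
        public String getHost() { return host; }
        public int getPort() { return port; }

        @Extension
        public static class DescriptorImpl extends Descriptor<ConsulInstallation> {
            @Override
            public String getDisplayName() {
                return "Consul installation";
            }
        }
    }
}
```

          The minimal alternative Oleg mentions, persisting the JSON as a String field and re-parsing it with JSONObject.fromObject() when needed, also passes the filter, at the cost of an untyped configuration. Neither variant reads XML that an older plugin release wrote with JSONObject fields, because the blacklist rejects those on load as well; that is why the comment above says a full migration needs a step that runs on pre-JEP-200 instances.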

            liozn (lioz nudel)
            entelo_ops (Fred Vogt)
            Votes: 1
            Watchers: 3