Jenkins / JENKINS-50616

JEP-200 Refusing to marshal org.jruby.RubyNil for security reasons

      Description

      The ci-skip setting on jobs can't be set. Setting it and hitting 'Save' or 'Apply' causes an UnsupportedOperationException with the following stack trace:

      Stack trace

      java.lang.UnsupportedOperationException: Refusing to marshal org.jruby.RubyNil for security reasons; see https://jenkins.io/redirect/class-filter/
          at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:543)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:88)
          at org.jenkinsci.jruby.JRubyXStreamConverter.marshal(JRubyXStreamConverter.java:76)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:88)
          at org.jenkinsci.jruby.JRubyXStreamConverter.marshal(JRubyXStreamConverter.java:76)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:88)
          at org.jenkinsci.jruby.JavaProxyConverter.marshal(JavaProxyConverter.java:51)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:88)
          at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.writeItem(AbstractCollectionConverter.java:64)
          at hudson.util.DescribableList$ConverterImpl.marshal(DescribableList.java:269)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
          at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
          at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
      Caused: java.lang.RuntimeException: Failed to serialize hudson.model.Project#buildWrappers for class hudson.model.FreeStyleProject
          at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
          at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224)
          at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138)
          at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209)
          at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
          at com.thoughtworks.xstream.core.TreeMarshaller.start(TreeMarshaller.java:82)
          at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.marshal(AbstractTreeMarshallingStrategy.java:37)
          at com.thoughtworks.xstream.XStream.marshal(XStream.java:1026)
          at com.thoughtworks.xstream.XStream.marshal(XStream.java:1015)
          at com.thoughtworks.xstream.XStream.toXML(XStream.java:988)
          at hudson.XmlFile.write(XmlFile.java:193)
      Caused: java.io.IOException
          at hudson.XmlFile.write(XmlFile.java:200)
          at hudson.model.AbstractItem.save(AbstractItem.java:483)
          at hudson.model.Job.save(Job.java:196)
          at hudson.model.AbstractProject.save(AbstractProject.java:289)
          at hudson.BulkChange.commit(BulkChange.java:98)
          at hudson.model.Job.doConfigSubmit(Job.java:1355)
          at hudson.model.AbstractProject.doConfigSubmit(AbstractProject.java:772)
          at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
          at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343)
          at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:77)
          at org.kohsuke.stapler.PreInvokeInterceptedFunction.invoke(PreInvokeInterceptedFunction.java:26)
          at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:184)
          at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:117)
          at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:129)
          at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
          at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
          at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:248)
          at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
          at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
          at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
          at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:841)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          at org.jenkinsci.plugins.ssegateway.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:225)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
          at io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
          at io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:61)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
          at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:237)
          at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:214)
          at net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:88)
          at org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:114)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
          at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
          at hudson.plugins.audit_trail.AuditTrailFilter.doFilter(AuditTrailFilter.java:95)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
          at org.jenkinsci.plugins.modernstatus.ModernStatusFilter.doFilter(ModernStatusFilter.java:52)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
          at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:64)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
          at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
          at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
          at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
          at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
          at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
          at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190)
          at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
          at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)
          at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
          at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)
          at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
          at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
          at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
          at org.eclipse.jetty.server.Server.handle(Server.java:564)
          at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:317)
          at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
          at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
          at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110)
          at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
          at org.eclipse.jetty.util.thread.Invocable.invokePreferred(Invocable.java:128)
          at org.eclipse.jetty.util.thread.Invocable$InvocableExecutor.invoke(Invocable.java:222)
          at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:294)
          at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:199)
          at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
          at java.lang.Thread.run(Thread.java:748)

          Activity

          oleg_nenashev Oleg Nenashev added a comment -

          CI-Skip uses RubyRuntime, which is known to be impacted by JEP-200. Before the release in 2.102 we have whitelisted classes on the core's side: https://github.com/jenkinsci/jenkins/blob/master/core/src/main/resources/jenkins/security/whitelisted-classes.txt#L177-L189 . But apparently this whitelist is not enough.

          Ideally we need https://github.com/jenkinsci/ruby-runtime-plugin/pull/5 to be updated and released. The plugin has no maintainer, but I will check whether we can do that

          oleg_nenashev Oleg Nenashev added a comment -

          Joe Fowler would you be able to test a patch from https://ci.jenkins.io/blue/organizations/jenkins/Plugins%2Fruby-runtime-plugin/detail/PR-6/5/artifacts ?

          oleg_nenashev Oleg Nenashev added a comment -

          Joe Fowler If you have not installed my patch yet, please don't. There is a mess with source code hosting we need to investigate. I will try to do it next week

          sj98ta Joe Fowler added a comment -

          Oleg Nenashev, yes, we should be able to try a patch once you have one available. Thanks!

          oleg_nenashev Oleg Nenashev added a comment -

          Summary of the review:

          - https://github.com/jenkinsci/ruby-runtime-plugin is an obsolete repository. At some point the code has been moved to https://github.com/jenkinsci/jenkins.rb/blob/master/java-runtime , and currently there is a split-brain between repositories
          - Although we have proposed fixes, both Jesse Glick and I failed to quickly set up an environment for the jenkins.rb fix and release
          - We have contacted the maintainer of jenkins.rb to get his help with these fixes

          Jesse Glick What would you say if we add this particular whitelist entry to the core? It should not make things much worse since we whitelist other entries there.

          jglick Jesse Glick added a comment -

          Oleg Nenashev yes we should add RubyNil to the existing core whitelist—pending merge, release, and general adoption of the plugin fix.

          oleg_nenashev Oleg Nenashev added a comment -

          OK, will create a PR in a few minutes

          oleg_nenashev Oleg Nenashev added a comment -

          Created https://github.com/jenkinsci/jenkins/pull/3404. I do not believe it can be backported to 2.107.x, but CC Oliver Gondža just in case. It may need backporting to the next baseline anyway

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          core/src/main/resources/jenkins/security/whitelisted-classes.txt
          http://jenkins-ci.org/commit/jenkins/fc6137873956ef1645dccd1ff3688dbf42dff7d5
          Log:
          JENKINS-50616 - Add org.jruby.RubyNil to the whitelist (#3404)
          JENKINS-50616 - Add org.jruby.RubyNil to the whitelist
          JENKINS-50616 - Fix the typo in the comment

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          core/src/main/resources/jenkins/security/whitelisted-classes.txt
          http://jenkins-ci.org/commit/jenkins/a16779e4e24bcc884427325a4692c60484a87389
          Log:
          JENKINS-50616 - Add org.jruby.RubyNil to the whitelist (#3404)
          JENKINS-50616 - Add org.jruby.RubyNil to the whitelist
          JENKINS-50616 - Fix the typo in the comment

          (cherry picked from commit fc6137873956ef1645dccd1ff3688dbf42dff7d5)

          oleg_nenashev Oleg Nenashev added a comment -

          I would say that this issue is fixed. We worked around it by applying patches in the core. Ruby Runtime fixes are up to plugin maintainers, because we cannot really do anything with that without a huge rework

          oleg_nenashev Oleg Nenashev added a comment -

          JENKINS-51074 has been created as a follow-up

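A triage script for the failure in the description and the whitelist fix discussed in the comments, added here as an example and not code from the issue, the plugin or Jenkins core: it pulls the refused class and the enclosing field out of JEP-200 log lines and reports which refused classes a whitelist file does not yet cover. The log excerpt and whitelist content are constructed, and the one-class-per-line, '#'-comment layout is an assumption about the whitelisted-classes.txt format.

```python
"""Triage helper for Jenkins JEP-200 marshalling refusals (added example, not Jenkins code).

Assumptions: the Jenkins log is scanned as plain text, and the whitelist file is
assumed to list one fully qualified class per line with '#' starting a comment.
"""
import re

# First line of the refusal raised by hudson.util.XStream2$BlacklistedTypesConverter.
REFUSAL_RE = re.compile(r"Refusing to marshal (\S+) for security reasons")
# The enclosing field, reported further down the trace by RobustReflectionConverter.
FIELD_RE = re.compile(r"Failed to serialize (\S+#\S+) for class (\S+)")

# Constructed excerpt modelled on the trace in the issue description.
SAMPLE_LOG = """\
java.lang.UnsupportedOperationException: Refusing to marshal org.jruby.RubyNil for security reasons; see https://jenkins.io/redirect/class-filter/
    at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:543)
    at org.jenkinsci.jruby.JRubyXStreamConverter.marshal(JRubyXStreamConverter.java:76)
Caused: java.lang.RuntimeException: Failed to serialize hudson.model.Project#buildWrappers for class hudson.model.FreeStyleProject
    at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
"""

# Constructed whitelist excerpt; the real file in core is much longer.
SAMPLE_WHITELIST = """\
# JRuby runtime types (constructed sample)
org.jruby.RubyObject
org.jruby.RubyString
"""


def load_whitelist(text):
    """Parse whitelist text into a set of class names, skipping blanks and comments."""
    classes = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            classes.add(line)
    return classes


def find_refusals(log_text):
    """Return one dict per refusal: the blocked class plus the field and owner it was found in."""
    results = []
    for m in REFUSAL_RE.finditer(log_text):
        # The field name appears in a later 'Caused:' line, so search from the refusal onwards.
        f = FIELD_RE.search(log_text, m.end())
        results.append({
            "refused": m.group(1),
            "field": f.group(1) if f else None,
            "owner": f.group(2) if f else None,
        })
    return results


def missing_from_whitelist(refusals, whitelist):
    """Refused classes not yet in the whitelist, i.e. candidates for review."""
    return sorted({r["refused"] for r in refusals} - whitelist)


if __name__ == "__main__":
    found = find_refusals(SAMPLE_LOG)
    for r in found:
        print(f"{r['refused']} refused while saving {r['field']} of {r['owner']}")
    print("not whitelisted:", missing_from_whitelist(found, load_whitelist(SAMPLE_WHITELIST)))
```

Each class the script reports is a candidate for review rather than an automatic whitelist entry, since the class filter exists to keep unsafe types out of Jenkins' XML serialization.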

            People

            Assignee: oleg_nenashev Oleg Nenashev
            Reporter: sj98ta Joe Fowler
            Votes: 0
            Watchers: 4