[JENKINS-50712] branchSources in MultibranchWorkflowJob and PipelineJob asking for vulnerable signature approvals when running in sandbox

      Hi team,
      I have 2 examples where I have a parametrized build which is supposed to create pipelines. But when running in the sandbox it is failing and asking for approvals of:
      method groovy.lang.GroovyObject getProperty java.lang.String
      method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object
      which are highlighted red as dangerous by Jenkins.
      Here are the examples:

      multibranchPipelineJob("${JENKINS_PROJECT_NAME}/CI Build") {
          branchSources {
              github {
                  scanCredentialsId("${GIT_CREDENTIALS_ID}")
                  repoOwner("${GITHUB_REPO_OWNER}")
                  repository("${GITHUB_REPO_NAME}")
              }
          }
      }
      
      ERROR: Scripts not permitted to use method groovy.lang.GroovyObject getProperty java.lang.String (javaposse.jobdsl.dsl.helpers.workflow.GitHubBranchSourceContext.GIT_CREDENTIALS_ID)
      

      I think the problem here is the usage of DELEGATE_FIRST mode without whitelisting (if it is even possible to whitelist).

      Second example:

      pipelineJob("${rootFolderPath}/SomeName") {
      
          
          definition {
      
              cpsScm {
                  scm {
                      git {
                          remote {
                              url(jenkinsfilesRepo)
                              credentials('github-access')
                          }
                          branches('master')
                          scriptPath("${microservicesScriptsPath}/somepath/Jenkinsfile")
                          lightweight(false)
                          extensions {
                               relativeTargetDirectory("DSL")
                          }
                          configure { node ->
                              node / extensions / 'hudson.plugins.git.extensions.impl.PathRestriction' {
                                  excludedRegions "${rootScriptPath}"
                              }
                          }
                      }
                  }
              }
          }
      }
      
      ERROR: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object (javaposse.jobdsl.dsl.helpers.scm.GitContext scriptPath org.codehaus.groovy.runtime.GStringImpl)
      

      Do you think it can be fixed on the Job DSL plugin side? Jenkins is warning it is not safe to whitelist those signatures globally.
      Thank you!


          Ah, this seems to be a problem of the Groovy Sandbox because Job DSL is using DELEGATE_FIRST as you mentioned.

          As a workaround, you can copy the binding variables to local variables:

          def repositoryOwner = GITHUB_REPO_OWNER
          def repositoryName = GITHUB_REPO_NAME
          def credentialsId = GIT_CREDENTIALS_ID
            
          multibranchPipelineJob(JENKINS_PROJECT_NAME) {
              branchSources {
                  github {
                      scanCredentialsId(credentialsId)
                      repoOwner(repositoryOwner)
                      repository(repositoryName)
                  }
              }
          }
          

          To your second problem. The scriptPath and lightweight options must be within the scm context. The error message is misleading, but again, that is a limitation of the Groovy Sandbox.

          And configure blocks currently do not work with the sandbox. That is a documented limitation. But you can use the Dynamic DSL to add any extension.

          pipelineJob('example-pipeline') {
              definition {
                  cpsScm {
                      scm {
                          git {
                              remote {
                                  url('someurl')
                                  credentials('github-access')
                              }
                              branches('master')
                              extensions {
                                  relativeTargetDirectory('DSL')
                                  pathRestriction {
                                      excludedRegions('some-region')
                                      includedRegions('some-region')
                                  }                      
                              }
                          }
                          scriptPath('somepath/Jenkinsfile')
                          lightweight(false)
                      }
                  }
              }
          }
          

          Next time, please open separate issues for distinct problems or ask on Stack Overflow or the Job DSL mailing list.

          Daniel Spilker added a comment
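
The lookup order behind the first error and its workaround, as an added example in plain Groovy (not code from the issue or from the Job DSL plugin; no Jenkins or sandbox involved). `RecordingContext` and `configureWith` are hypothetical stand-ins for a Job DSL context class and its closure runner. The example records which names a DELEGATE_FIRST closure asks its delegate for.

```groovy
// Hypothetical stand-in for a Job DSL context class such as GitHubBranchSourceContext.
class RecordingContext {
    List<String> lookups = []   // property names the closure asked this delegate for
    String repoOwnerValue

    void repoOwner(String value) { repoOwnerValue = value }

    // Invoked when the closure asks the delegate for a property it does not have.
    def propertyMissing(String name) {
        lookups << name
        // Rethrow so the closure falls back to its owner (the script and its binding).
        throw new MissingPropertyException(name, RecordingContext)
    }
}

// Runs a closure the way a DSL builder does: delegate set, DELEGATE_FIRST strategy.
def configureWith(Closure body) {
    def ctx = new RecordingContext()
    body.delegate = ctx
    body.resolveStrategy = Closure.DELEGATE_FIRST
    body()
    ctx
}

GITHUB_REPO_OWNER = 'example-org'   // binding variable, constructed sample value

// Binding variable used inside the closure: the delegate is asked for it first,
// which corresponds to the GroovyObject.getProperty call named in the error.
def direct = configureWith { repoOwner(GITHUB_REPO_OWNER) }
assert direct.repoOwnerValue == 'example-org'
assert direct.lookups == ['GITHUB_REPO_OWNER']

// Workaround from the comment: copy to a local variable outside the closure.
// The closure captures the local, so no property lookup reaches the delegate.
def repositoryOwner = GITHUB_REPO_OWNER
def viaLocal = configureWith { repoOwner(repositoryOwner) }
assert viaLocal.repoOwnerValue == 'example-org'
assert viaLocal.lookups == []
```

Both closures configure the same value; only the first one makes a dynamic property request against the context object, so only the first one gives a sandbox a `getProperty` call on the delegate to approve or reject.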

            Unassigned Unassigned
            iceiceice Alexey Grigorov