Jenkins / JENKINS-52108

java.lang.UnsupportedOperationException: Refusing to marshal java.util.concurrent.atomic.AtomicInteger for security reasons; see https://jenkins.io/redirect/class-filter/



    Description

      I have used the code from https://github.com/jenkinsci/cloudbees-disk-usage-simple-plugin and modified it such that admin privileges are no longer needed to view the disk usage statistics. With the recent upgrade of Jenkins core I get:

      java.lang.UnsupportedOperationException: Refusing to marshal java.util.concurrent.atomic.AtomicInteger for security reasons; see https://jenkins.io/redirect/class-filter/
          at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:543)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
          at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
          at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
      Caused: java.lang.RuntimeException: Failed to serialize com.cloudbees.simplediskusage.QuickDiskUsagePlugin#progress for class com.cloudbees.simplediskusage.QuickDiskUsagePlugin
          at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
          at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224)
          at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138)
          at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209)
          at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
          at com.thoughtworks.xstream.core.TreeMarshaller.start(TreeMarshaller.java:82)
          at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.marshal(AbstractTreeMarshallingStrategy.java:37)
          at com.thoughtworks.xstream.XStream.marshal(XStream.java:1026)
          at com.thoughtworks.xstream.XStream.marshal(XStream.java:1015)
          at com.thoughtworks.xstream.XStream.toXML(XStream.java:988)
          at hudson.XmlFile.write(XmlFile.java:193)
      Caused: java.io.IOException
          at hudson.XmlFile.write(XmlFile.java:200)
          at hudson.Plugin.save(Plugin.java:274)
          at com.cloudbees.simplediskusage.QuickDiskUsagePlugin$2.run(QuickDiskUsagePlugin.java:292)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
          at java.lang.Thread.run(Thread.java:748)

      Interestingly, the CloudBees plugin from the repo itself does not show the problem; maybe the source code visible is not the one used?

      Jenkins version now (from config.xml): 2.128

      (Sorry, if the mandatory component doesn't fit. I am not knowledgeable in the internal structure of components here.)


        Activity

          oleg_nenashev Oleg Nenashev added a comment -

          I confirm the defect in the code

          oleg_nenashev Oleg Nenashev added a comment -

          ndeloof aheritier ydubreuil recena PTAL. AFAIK you are the current maintainers


          ydubreuil Yoann Dubreuil added a comment -

          Latest commit hasn't found its way into a release and it uses an AtomicInteger, that's the reason your build doesn't work. You can rebase your patch on top of the latest released commit, i.e. 75faaaf2dc9, that will fix the issue. I'll discuss with ndeloof what we do with the latest commit.
          jungmi Michael Jung added a comment -

          Shouldn't AtomicInteger be secure? As a workaround, removing the progress bar is okay.

          oleg_nenashev Oleg Nenashev added a comment -

          It is enough to make the fields transient, I do not see any reason to keep them persistent

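          The pattern Oleg describes, as an added illustration (this is not the cloudbees-disk-usage-simple-plugin's code; the class, package and field names are assumed). The commented-out field shows the shape that triggers the marshal refusal in the stack trace above; the rest shows runtime state kept transient and a plain int used for anything that genuinely needs to reach the plugin's XML file.

```java
package com.example.diskusage; // hypothetical package, not the plugin's

import hudson.Plugin;
import java.io.IOException;
import java.util.concurrent.atomic.AtomicInteger;

/**
 * Added example sketching the failure and the fix discussed in this issue.
 * Not the plugin's own code.
 */
public class ExampleDiskUsagePlugin extends Plugin {

    // BEFORE: a non-transient AtomicInteger. Plugin.save() marshals this object
    // through Jenkins' XStream2, whose BlacklistedTypesConverter refuses
    // java.util.concurrent.atomic.AtomicInteger, so save() throws
    // "Refusing to marshal java.util.concurrent.atomic.AtomicInteger for security reasons".
    //
    // private AtomicInteger progress = new AtomicInteger();

    // AFTER: runtime-only state is transient. XStream skips transient fields,
    // so AtomicInteger (and whatever JVM-internal fields it drags along) never
    // reaches the XML file and the class filter is never consulted for it.
    private transient AtomicInteger progress = new AtomicInteger();

    // State that genuinely belongs in the config file is a plain int, a
    // primitive that needs no whitelisting.
    private int lastScannedItems;

    /** Worker threads call this while a scan runs; it never touches persistence. */
    public int advance() {
        return counter().incrementAndGet();
    }

    public int getProgress() {
        return counter().get();
    }

    /** Called when a scan completes: copy the runtime counter into the persisted int and save. */
    public void finishScan() throws IOException {
        lastScannedItems = counter().getAndSet(0);
        save(); // serialises only lastScannedItems; the transient counter is skipped
    }

    public int getLastScannedItems() {
        return lastScannedItems;
    }

    // Defensive lazy init: if this instance was ever produced by a path that
    // bypassed field initialisers, recreate the counter instead of failing.
    private AtomicInteger counter() {
        AtomicInteger p = progress;
        if (p == null) {
            synchronized (this) {
                if (progress == null) {
                    progress = new AtomicInteger();
                }
                p = progress;
            }
        }
        return p;
    }
}
```

          The split matters beyond this one plugin: anything Jenkins persists via XStream2 goes through the same class filter on both marshal and unmarshal, so in-memory concurrency helpers and other JDK-internal types should stay transient and only simple, whitelisted values should be written to disk.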
          jungmi Michael Jung added a comment -

          In this case yes. But should an AtomicInteger never be serialized because it is not white-listed? Does it (or can it even) really violate security?

          oleg_nenashev Oleg Nenashev added a comment -

          No, it does not violate security in implementations I know.

          The problem with AtomicInteger is that the serialized footprint in XML is pretty big and it may depend on the JVM (e.g. it may include extra classes like lock queue, etc.). So there is no universal way to whitelist it.

          jungmi Michael Jung added a comment -

          You could probably write your own de-/serializer, since everything besides the value is irrelevant, but I get your point.

          How was it handled when you had a black- instead of a whitelist?

          oleg_nenashev Oleg Nenashev added a comment -

          > How was it handled when you had a black- instead of a whitelist?

          It was permitted

          jungmi Michael Jung added a comment -

          I meant the "it may depend on the JVM" part. You simply had all potential auxiliary classes serialized?

          jungmi Michael Jung added a comment -

          The proposed change ("transient") worked for me, so ticket can be closed as far as I am concerned. Maybe ydubreuil or ndeloof want to keep it open to have a tag for a new release.

          pierrebtz Pierre Beitz added a comment -

          I see the field is now transient in the code, closing.


          People

            Unassigned Unassigned
            jungmi Michael Jung