- Bug
- Resolution: Not A Defect
- Major
- Jenkins 2.121.3, Script Security Plugin 1.46
Hello,
I'm writing a plugin that parses a Groovy script using a custom DSL. Running outside of the sandbox, everything works as expected. Within the sandbox I'm receiving the following error:
```
groovy.lang.MissingPropertyException: No such property: github_enterprise for class: groovy.lang.Binding
    at groovy.lang.Binding.getVariable(Binding.java:63)
    at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:264)
```
The DSL is basically a builder:
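```groovy
import org.codehaus.groovy.control.CompilerConfiguration
import org.kohsuke.groovy.sandbox.SandboxTransformer

static SdpConfigObject parse(String script_text) {
    SdpConfigObject sdp_config = new SdpConfigObject()
    Binding our_binding = new Binding(sdp_config: sdp_config)

    // Compile with the sandbox transformer and the DSL builder as the script base class
    CompilerConfiguration cc = new CompilerConfiguration()
    cc.addCompilationCustomizers(new SandboxTransformer())
    cc.scriptBaseClass = SdpConfigBuilder.class.name

    GroovyShell sh = new GroovyShell(SdpConfigDsl.classLoader, our_binding, cc)

    // Register the custom sandbox only for the duration of the evaluation
    SdpConfigSandbox sandbox = new SdpConfigSandbox()
    sandbox.register()
    try {
        sh.evaluate script_text
    } finally {
        sandbox.unregister()
    }
    return sdp_config
}
```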
We register our own sandbox to further restrict the parsing of this custom DSL into a config object.
What I've tried:
1. Disabling our custom sandbox. Made no difference. Our sandbox for the script execution causes no problems when the pipeline itself isn't run in the CPS sandbox.
2. @Whitelist-ing every method in the plugin.
3. Adding a ProxyWhitelist:

```groovy
@Extension
public static class MiscWhitelist extends ProxyWhitelist {
    public MiscWhitelist() throws IOException {
        super(new StaticWhitelist(
            "method groovy.lang.Binding getProperty java.lang.String",
            "method groovy.lang.Binding getVariable java.lang.String"
        ));
    }
}
```
I saw a similar error message was happening in v1.45 around
No such property: <something> for class: groovy.lang.Binding
Any guidance would be appreciated.
Thank you!
[JENKINS-53791] Script Security Blocking Plugin DSL Execution
Comment:
I think I figured it out. My builder relies on calls to properties that don't exist getting routed to the receiver's getProperty method. This _should_ be possible by adding a method signature to the Whitelist for the base class getProperty method (based on the SandboxInterceptor: https://github.com/jenkinsci/script-security-plugin/blob/master/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptor.java#L343-L356), but I think the problem is that when the script gets executed the actual receiver class is something dynamically created like Script1 instead of SdpConfigBuilder. So adding a whitelist method signature of "method org.boozallen.plugins.sdp.config.SdpConfigBuilder getProperty java.lang.String" isn't doing anything. Confirmed this is the problem by building a custom version of the plugin that invokes receiver.getProperty(property) when an MPE is thrown, and everything started working. Trying to figure out a fix and I'll submit a PR if I can find one.
Resolution | New: Not A Defect [ 7 ] | |
Status | Original: Open [ 1 ] | New: Fixed but Unreleased [ 10203 ] |
Status | Original: Fixed but Unreleased [ 10203 ] | New: Closed [ 6 ] |
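
Added example, not code from the reporter or from the Script Security plugin: plain Groovy (no Jenkins, no sandbox) that shows the runtime receiver class of an evaluated script and contrasts a missing name routed to the base class's getProperty with a lookup made directly on the Binding, as in the stack trace above. DemoBuilder, the "routed:" return value and the one-line DSL text are hypothetical stand-ins for SdpConfigBuilder and a real config script.

```groovy
import org.codehaus.groovy.control.CompilerConfiguration

// Hypothetical stand-in for the plugin's SdpConfigBuilder (assumption, not plugin code).
abstract class DemoBuilder extends Script {
    @Override
    Object getProperty(String name) {
        // Call getBinding() as a method so this override does not re-enter itself.
        Binding b = getBinding()
        return b.hasVariable(name) ? b.getVariable(name) : "routed:" + name
    }
}

CompilerConfiguration cc = new CompilerConfiguration()
cc.scriptBaseClass = DemoBuilder.class.name
Binding ourBinding = new Binding(sdp_config: [:])
GroovyShell sh = new GroovyShell(DemoBuilder.class.classLoader, ourBinding, cc)

// Constructed DSL text: github_enterprise is deliberately absent from the binding.
Script script = sh.parse('github_enterprise')

// The receiver is a generated class that extends the base class.
// getClass() is called explicitly because script.class would hit the override above.
println "receiver class: ${script.getClass().name}"
println "superclass:     ${script.getClass().superclass.name}"
assert script instanceof DemoBuilder

// Unsandboxed evaluation: the unknown name reaches DemoBuilder.getProperty.
assert script.run() == 'routed:github_enterprise'

// A lookup made directly on the Binding, as in the reported stack trace,
// never consults the base class and fails with the message from the report.
try {
    ourBinding.getVariable('github_enterprise')
    assert false : 'expected MissingPropertyException'
} catch (MissingPropertyException e) {
    println e.message
    assert e.message.contains('for class: groovy.lang.Binding')
}
```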