JENKINS-54952: Script Security seems to block ArrayList method as method on members when parentheses are omitted

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • Component: script-security-plugin

      I think this issue was first reported in this comment of JENKINS-50470 but since it looks like a similar but different problem I'll try to expand on it here.

      When executing a Groovy system script from a file in the job workspace and invoking the size method on an ArrayList without parentheses, the script security plugin raises the following error:

      ERROR: Build step failed with exception
      org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: No such field found: field java.lang.String size
          at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.unclassifiedField(SandboxInterceptor.java:419)
          at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:403)
          at org.kohsuke.groovy.sandbox.impl.Checker$6.call(Checker.java:288)
          at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:292)
          at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:255)
          at org.kohsuke.groovy.sandbox.impl.Checker$checkedGetProperty$0.callStatic(Unknown Source)
          at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
          at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
          at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:230)
          at Script1.run(Script1.groovy:3)
          at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:141)
          at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript.evaluate(SecureGroovyScript.java:333)
          at hudson.plugins.groovy.SystemGroovy.run(SystemGroovy.java:95)
          at hudson.plugins.groovy.SystemGroovy.perform(SystemGroovy.java:59)
          at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
          at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:744)
          at hudson.model.Build$BuildExecution.build(Build.java:206)
          at hudson.model.Build$BuildExecution.doRun(Build.java:163)
          at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:504)
          at hudson.model.Run.execute(Run.java:1810)
          at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
          at hudson.model.ResourceController.execute(ResourceController.java:97)
          at hudson.model.Executor.run(Executor.java:429)
      Build step 'Execute system Groovy script' marked build as failure

      The script in question is:

      list_of_str = []
      list_of_str = ['foobar', 'barbaz', 'bazqux']
      println "Size " + list_of_str.size

      As in the comment originally reporting the issue, adding parentheses (list_of_str.size()) works around the issue.

      Minimal job configurations that reproduce the failing case and the workaround are attached as failing_job.xml and passing_job.xml respectively. The scriptApproval.xml required for the passing job to actually pass is also attached. I've also uploaded a Docker image that may make reproducing and testing this issue more expedient. The instructions for the Docker image's use and the source for its creation are at https://github.com/nuclearsandwich/docker-jenkins-script-security-repro

      Attachments:
        1. failing_job.xml (1 kB)
        2. passing_job.xml (1 kB)
        3. scriptApproval.xml (0.4 kB)
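The following Groovy snippet is an added illustration and is not part of the issue report or the plugin's code; it assumes plain Groovy run outside the Jenkins sandbox and uses the same three-element list as the script above. It shows the three forms a reader of this report is likely to mix up: the method call size(), a property read on a list (which Groovy treats as a GPath expression and evaluates against each element, consistent with the trace above naming java.lang.String rather than java.util.ArrayList as the receiver of the failed field lookup), and the spread-dot call that makes the per-element evaluation explicit.

```groovy
// Added illustration, not code from the issue reporter or the plugin.
// Assumes plain Groovy outside the Jenkins sandbox; the list mirrors the report.
def listOfStr = ['foobar', 'barbaz', 'bazqux']

// 1. Explicit method call on the list itself: ArrayList.size() -> element count.
assert listOfStr.size() == 3

// 2. A property read on a collection is a GPath expression: Groovy reads the
//    named property from EACH element and collects the results into a new list.
//    With elements that have the property, this is the familiar "people.name":
def people = [[name: 'ada'], [name: 'linus']]
assert people.name == ['ada', 'linus']
//    With String elements there is no 'size' property to read, so a property
//    read such as listOfStr.size is resolved against java.lang.String, which
//    is the class named in the RejectedAccessException in the report.

// 3. Spread-dot makes the per-element call explicit: size() on each String.
assert listOfStr*.size() == [6, 6, 6]

// 4. The working form from the issue: call the method on the list, with parentheses.
println "Size " + listOfStr.size()
```

The practical takeaway for sandboxed system Groovy scripts is to write the explicit method call size() when the element count of the list is wanted, since that is the only form of the three that is resolved against the list rather than against its elements.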

      Assignee: Unassigned
      Reporter: nuclearsandwich (Steven! Ragnarök)
      Votes: 1
      Watchers: 3