[JENKINS-56682] Unable to use initializers in sandboxed Groovy scripts

    • script-security 1.61, workflow-cps 2.71

      Since workflow-cps 2.64/script-security 1.54, fields defined on the class for the script itself using @Field annotations or explicit class syntax, and static and instance initializer blocks for the script itself that reference other fields in the script, are rejected by the Groovy sandbox. This issue also affects the use of classes from shared libraries in initializers in Groovy scripts.

      Original reported case:

      The following pipeline works fine in 2.63:

      import groovy.transform.Field
      @Field final SOMETHING='bar'
      @Field final MY_CONSTANT="foo $SOMETHING"
      node() {
        do_stuff()
      }
      def do_stuff() {
        sh "echo $MY_CONSTANT"
      }
      

      With workflow-cps 2.64, this gives the following exception:

      groovy.lang.MissingPropertyException: No such property: SOMETHING for class: groovy.lang.Binding
         at groovy.lang.Binding.getVariable(Binding.java:58)
         at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:264)
         at org.kohsuke.groovy.sandbox.impl.Checker$6.call(Checker.java:288)
         at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:292)
         at org.kohsuke.groovy.sandbox.impl.Checker$checkedGetProperty.callStatic(Unknown Source)
         at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
         at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
         at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:230)
         at WorkflowScript.<init>(WorkflowScript:3)
         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
         at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
         at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
         at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
         at java.lang.Class.newInstance(Class.java:442)
         at org.codehaus.groovy.runtime.InvokerHelper.createScript(InvokerHelper.java:434)
      Caused: groovy.lang.GroovyRuntimeException: Failed to create Script instance for class: class WorkflowScript. Reason
         at org.codehaus.groovy.runtime.InvokerHelper.createScript(InvokerHelper.java:466)
         at groovy.lang.GroovyShell.parse(GroovyShell.java:700)
         at org.jenkinsci.plugins.workflow.cps.CpsGroovyShell.lambda$doParse$0(CpsGroovyShell.java:135)
         at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:136)
         at org.jenkinsci.plugins.workflow.cps.CpsGroovyShell.doParse(CpsGroovyShell.java:132)
         at org.jenkinsci.plugins.workflow.cps.CpsGroovyShell.reparse(CpsGroovyShell.java:127)
         at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution.parseScript(CpsFlowExecution.java:560)
         at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution.start(CpsFlowExecution.java:521)
         at org.jenkinsci.plugins.workflow.job.WorkflowRun.run(WorkflowRun.java:320)
         at hudson.model.ResourceController.execute(ResourceController.java:97)
         at hudson.model.Executor.run(Executor.java:429)
      Finished: FAILURE
      


          Tobias Richter added a comment - I can confirm this issue with the mentioned versions. We downgraded script-security to 1.53 and workflow-cps to 2.63 to solve this issue.

          Devin Nusbaum added a comment - I ran into this issue via a report from a customer. Here is a PR that I think will help: https://github.com/jenkinsci/script-security-plugin/pull/259. Still need to understand the scope of what was broken by SECURITY-1336.

          Devin Nusbaum added a comment - A fix for this issue in Pipeline scripts was released in Pipeline: Groovy Plugin version 2.71. A fix for this issue in other kinds of sandboxed Groovy scripts was released in Script Security Plugin 1.61.
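
          Added example (not part of the original issue or of either plugin): a heuristic Python scanner that flags the pattern from the original reported case, an @Field initializer that reads another @Field, so pipelines can be checked before they run on an affected plugin version. All function and constant names are hypothetical, the LABEL line in the sample is constructed, and only single-line @Field declarations are covered (not explicit class syntax or initializer blocks).

```python
import re

# One-line declarations only, e.g.  @Field final String NAME = <initializer>
FIELD_DECL = re.compile(
    r"^\s*@Field\s+(?:[\w.<>\[\]]+\s+)*?(?P<name>[A-Za-z_]\w*)\s*=(?!=)\s*(?P<init>.+?)\s*;?\s*$"
)
SINGLE_QUOTED = re.compile(r"'(?:\\.|[^'\\])*'")  # never interpolated in Groovy
DOUBLE_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')  # GString: $x and ${...} are evaluated
INTERPOLATION = re.compile(r"(?<!\\)\$(?:\{([^}]*)\}|([A-Za-z_][\w.]*))")
IDENTIFIER = re.compile(r"[A-Za-z_]\w*")

# Pipeline from the issue; the LABEL line is constructed to show a non-match.
SAMPLE = """\
import groovy.transform.Field
@Field final SOMETHING='bar'
@Field final MY_CONSTANT="foo $SOMETHING"
@Field final LABEL = 'SOMETHING in a plain string'
node() {
  do_stuff()
}
def do_stuff() {
  sh "echo $MY_CONSTANT"
}
"""

def _evaluated_code(init):
    """Drop literal text so that only the evaluated parts of the initializer remain."""
    init = SINGLE_QUOTED.sub(" ", init)
    def keep_interpolated(match):
        parts = INTERPOLATION.findall(match.group(0))
        return " " + " ".join(braced or bare for braced, bare in parts) + " "
    return DOUBLE_QUOTED.sub(keep_interpolated, init)

def find_field_cross_references(script):
    """Return (line, field, referenced_field) for each @Field that reads another @Field."""
    decls = []
    for lineno, line in enumerate(script.splitlines(), 1):
        m = FIELD_DECL.match(line)
        if m:
            decls.append((lineno, m.group("name"), _evaluated_code(m.group("init"))))
    names = {name for _, name, _ in decls}
    findings = []
    for lineno, name, code in decls:
        used = set(IDENTIFIER.findall(code))
        findings.extend((lineno, name, ref) for ref in sorted((used & names) - {name}))
    return findings

if __name__ == "__main__":
    for lineno, field, ref in find_field_cross_references(SAMPLE):
        print(f"line {lineno}: @Field {field} initializer reads @Field {ref}")
```

          A finding means the script matches the reported case; per the comments above, the fixed releases are Pipeline: Groovy Plugin 2.71 and Script Security Plugin 1.61.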

            dnusbaum Devin Nusbaum
            typz Francois Ferrand