Bug
Resolution: Fixed
Critical
Jenkins: 2.168
Pipeline: Groovy 2.64
script-security: 1.54
script-security 1.61, workflow-cps 2.71
Since workflow-cps 2.64/script-security 1.54, fields defined on the class for the script itself using @Field annotations or explicit class syntax, and static and instance initializer blocks for the script itself that reference other fields in the script, are rejected by the Groovy sandbox. This issue also affects the use of classes from shared libraries in initializers in Groovy scripts.
Original reported case:
The following pipeline works fine in 2.63:
    import groovy.transform.Field

    @Field final SOMETHING='bar'
    @Field final MY_CONSTANT="foo $SOMETHING"

    node() {
        do_stuff()
    }

    def do_stuff() {
        sh "echo $MY_CONSTANT"
    }
With workflow-cps 2.64, this gives the following exception:
    groovy.lang.MissingPropertyException: No such property: SOMETHING for class: groovy.lang.Binding
        at groovy.lang.Binding.getVariable(Binding.java:58)
        at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:264)
        at org.kohsuke.groovy.sandbox.impl.Checker$6.call(Checker.java:288)
        at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:292)
        at org.kohsuke.groovy.sandbox.impl.Checker$checkedGetProperty.callStatic(Unknown Source)
        at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
        at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
        at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:230)
        at WorkflowScript.<init>(WorkflowScript:3)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at java.lang.Class.newInstance(Class.java:442)
        at org.codehaus.groovy.runtime.InvokerHelper.createScript(InvokerHelper.java:434)
    Caused: groovy.lang.GroovyRuntimeException: Failed to create Script instance for class: class WorkflowScript. Reason
        at org.codehaus.groovy.runtime.InvokerHelper.createScript(InvokerHelper.java:466)
        at groovy.lang.GroovyShell.parse(GroovyShell.java:700)
        at org.jenkinsci.plugins.workflow.cps.CpsGroovyShell.lambda$doParse$0(CpsGroovyShell.java:135)
        at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:136)
        at org.jenkinsci.plugins.workflow.cps.CpsGroovyShell.doParse(CpsGroovyShell.java:132)
        at org.jenkinsci.plugins.workflow.cps.CpsGroovyShell.reparse(CpsGroovyShell.java:127)
        at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution.parseScript(CpsFlowExecution.java:560)
        at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution.start(CpsFlowExecution.java:521)
        at org.jenkinsci.plugins.workflow.job.WorkflowRun.run(WorkflowRun.java:320)
        at hudson.model.ResourceController.execute(ResourceController.java:97)
        at hudson.model.Executor.run(Executor.java:429)
    Finished: FAILURE
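A pre-upgrade audit for the @Field case described above, as an added example that is not part of the original report or of the plugins' code: a heuristic Python scan that flags @Field initializers referencing other @Field names in a pipeline script. The function names and the regex approach are assumptions made here; it handles one-line declarations only and does not cover explicit class syntax or initializer blocks.

```python
import re

# One-line declarations only: "@Field [modifiers/type] NAME = <initializer>".
FIELD_DECL = re.compile(r"@Field\b(?:\s+[\w.<>\[\],]+)*?\s+(\w+)\s*=(?!=)\s*(.+)$")
IDENT = re.compile(r"[A-Za-z_]\w*")
# Unescaped ${expr} or $name inside a double-quoted GString.
INTERP = re.compile(r"(?<!\\)\$\{([^}]*)\}|(?<!\\)\$([A-Za-z_]\w*)")

def referenced_names(initializer):
    """Identifiers an initializer evaluates: bare code plus GString interpolations."""
    names = set()
    # Single-quoted Groovy strings never interpolate, so drop them first.
    code = re.sub(r"'(?:\\.|[^'\\])*'", "", initializer)

    def scan_gstring(match):
        for braced, bare in INTERP.findall(match.group(1)):
            names.update(IDENT.findall(braced or bare))
        return ""  # remove the literal so its plain text is not counted as code

    code = re.sub(r'"((?:\\.|[^"\\])*)"', scan_gstring, code)
    names.update(IDENT.findall(code))
    return names

def find_cross_field_initializers(source):
    """Return (line, field, [other fields its initializer references])."""
    decls = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = FIELD_DECL.search(line)
        if m:
            decls.append((lineno, m.group(1), m.group(2)))
    fields = {name for _, name, _ in decls}
    findings = []
    for lineno, name, init in decls:
        refs = sorted((referenced_names(init) & fields) - {name})
        if refs:
            findings.append((lineno, name, refs))
    return findings

# The pipeline from the report above, laid out one statement per line.
SAMPLE = """\
import groovy.transform.Field
@Field final SOMETHING='bar'
@Field final MY_CONSTANT="foo $SOMETHING"
node() { do_stuff() }
def do_stuff() { sh "echo $MY_CONSTANT" }
"""

if __name__ == "__main__":
    for lineno, name, refs in find_cross_field_initializers(SAMPLE):
        print(f"line {lineno}: @Field {name} initializer references {', '.join(refs)}")
```

The flagged line number matches the `WorkflowScript:3` frame in the trace, where the field initializer runs inside the script's constructor.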
I can confirm this issue with the mentioned versions. We downgraded script-security to 1.53 and workflow-cps to 2.63 to solve this issue.