[JENKINS-56682] Unable to use initializers in sandboxed Groovy scripts

Type: Bug
Resolution: Fixed
Priority: Critical
Component/s: script-security-plugin, workflow-cps-plugin
Labels:
- regression
Environment:
Jenkins: 2.168
Pipeline: Groovy 2.64
script-security: 1.54

Similar Issues:
Powered by SuggestiMate

Show
Released As:
script-security 1.61, workflow-cps 2.71

Since workflow-cps 2.64/script-security 1.54, fields defined on the class for the script itself using @Field annotations or explicit class syntax, and static and instance initializer blocks for the script itself that reference other fields in the script, are rejected by the Groovy sandbox. This issue also affects the use of classes from shared libraries in initializers in Groovy scripts.

Original reported case:

The following pipeline works fine in 2.63:

import groovy.transform.Field
@Field final SOMETHING='bar'
@Field final MY_CONSTANT="foo $SOMETHING"
node() {
  do_stuff()
}
def do_stuff() {
  sh "echo $MY_CONSTANT"
}

With workflow-cps 2.64, this gives the following exception:

Groovy.lang.MissingPropertyException: No such property: SOMETHING for class: groovy.lang.Binding
   at groovy.lang.Binding.getVariable(Binding.java:58)
   at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:264)
   at org.kohsuke.groovy.sandbox.impl.Checker$6.call(Checker.java:288)
   at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:292)
   at org.kohsuke.groovy.sandbox.impl.Checker$checkedGetProperty.callStatic(Unknown Source)
   at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
   at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:230)
   at WorkflowScript.<init>(WorkflowScript:3) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
   at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
   at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at java.lang.Class.newInstance(Class.java:442)
   at org.codehaus.groovy.runtime.InvokerHelper.createScript(InvokerHelper.java:434)
Caused: groovy.lang.GroovyRuntimeException: Failed to create Script instance for class: class WorkflowScript. Reason
   at org.codehaus.groovy.runtime.InvokerHelper.createScript(InvokerHelper.java:466)
   at groovy.lang.GroovyShell.parse(GroovyShell.java:700) at org.jenkinsci.plugins.workflow.cps.CpsGroovyShell.lambda$doParse$0(CpsGroovyShell.java:135)
   at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:136)
   at org.jenkinsci.plugins.workflow.cps.CpsGroovyShell.doParse(CpsGroovyShell.java:132)
   at org.jenkinsci.plugins.workflow.cps.CpsGroovyShell.reparse(CpsGroovyShell.java:127)
   at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution.parseScript(CpsFlowExecution.java:560)
   at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution.start(CpsFlowExecution.java:521)
   at org.jenkinsci.plugins.workflow.job.WorkflowRun.run(WorkflowRun.java:320)
   at hudson.model.ResourceController.execute(ResourceController.java:97)
   at hudson.model.Executor.run(Executor.java:429)
Finished: FAILURE

links to

jenkinsci/script-security-plugin#259

jenkinsci/workflow-cps-global-lib-plugin#71

jenkinsci/workflow-cps-plugin#297

Francois Ferrand created issue - 2019-03-22 13:25

Francois Ferrand made changes - 2019-03-22 13:28

Description

Original: Since the workflow-cps was upgraded to 2.64, @Field annotations are not working anymore.

The following pipeline works fine in 2.63:
{code:java}
import groovy.transform.Field
@Field final SOMETHING='bar'
@Field final MY_CONSTANT="foo $SOMETHING"
node() {
do_stuff()
}
def do_stuff() {
sh "echo $MY_CONSTANT"
}
{code}
With workflow-cps 2.64, this gives the following exception:

{noformat}
roovy.lang.MissingPropertyException: No such property: SOMETHING for class: groovy.lang.Binding at groovy.lang.Binding.getVariable(Binding.java:58) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:264) at org.kohsuke.groovy.sandbox.impl.Checker$6.call(Checker.java:288) at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:292) at org.kohsuke.groovy.sandbox.impl.Checker$checkedGetProperty.callStatic(Unknown Source) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:230) at WorkflowScript.<init>(WorkflowScript:3) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at java.lang.Class.newInstance(Class.java:442) at org.codehaus.groovy.runtime.InvokerHelper.createScript(InvokerHelper.java:434) Caused: groovy.lang.GroovyRuntimeException: Failed to create Script instance for class: class WorkflowScript. Reason at org.codehaus.groovy.runtime.InvokerHelper.createScript(InvokerHelper.java:466) at groovy.lang.GroovyShell.parse(GroovyShell.java:700) at org.jenkinsci.plugins.workflow.cps.CpsGroovyShell.lambda$doParse$0(CpsGroovyShell.java:135) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:136) at org.jenkinsci.plugins.workflow.cps.CpsGroovyShell.doParse(CpsGroovyShell.java:132) at org.jenkinsci.plugins.workflow.cps.CpsGroovyShell.reparse(CpsGroovyShell.java:127) at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution.parseScript(CpsFlowExecution.java:560) at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution.start(CpsFlowExecution.java:521) at org.jenkinsci.plugins.workflow.job.WorkflowRun.run(WorkflowRun.java:320) at hudson.model.ResourceController.execute(ResourceController.java:97) at hudson.model.Executor.run(Executor.java:429) Finished: FAILURE
{noformat}

New: Since the workflow-cps was upgraded to 2.64, @Field annotations are not working anymore.

The following pipeline works fine in 2.63:
{code:java}
import groovy.transform.Field
@Field final SOMETHING='bar'
@Field final MY_CONSTANT="foo $SOMETHING"
node() {
  do_stuff()
}
def do_stuff() {
  sh "echo $MY_CONSTANT"
}
{code}
With workflow-cps 2.64, this gives the following exception:

{noformat}
roovy.lang.MissingPropertyException: No such property: SOMETHING for class: groovy.lang.Binding
   at groovy.lang.Binding.getVariable(Binding.java:58)
   at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:264)
   at org.kohsuke.groovy.sandbox.impl.Checker$6.call(Checker.java:288)
   at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:292)
   at org.kohsuke.groovy.sandbox.impl.Checker$checkedGetProperty.callStatic(Unknown Source)
   at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
   at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:230)
   at WorkflowScript.<init>(WorkflowScript:3) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
   at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
   at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at java.lang.Class.newInstance(Class.java:442)
   at org.codehaus.groovy.runtime.InvokerHelper.createScript(InvokerHelper.java:434)
Caused: groovy.lang.GroovyRuntimeException: Failed to create Script instance for class: class WorkflowScript. Reason
   at org.codehaus.groovy.runtime.InvokerHelper.createScript(InvokerHelper.java:466)
   at groovy.lang.GroovyShell.parse(GroovyShell.java:700) at org.jenkinsci.plugins.workflow.cps.CpsGroovyShell.lambda$doParse$0(CpsGroovyShell.java:135)
   at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:136)
   at org.jenkinsci.plugins.workflow.cps.CpsGroovyShell.doParse(CpsGroovyShell.java:132)
   at org.jenkinsci.plugins.workflow.cps.CpsGroovyShell.reparse(CpsGroovyShell.java:127)
   at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution.parseScript(CpsFlowExecution.java:560)
   at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution.start(CpsFlowExecution.java:521)
   at org.jenkinsci.plugins.workflow.job.WorkflowRun.run(WorkflowRun.java:320)
   at hudson.model.ResourceController.execute(ResourceController.java:97)
   at hudson.model.Executor.run(Executor.java:429)
Finished: FAILURE
{noformat}

Francois Ferrand made changes - 2019-03-22 13:28

Description

Original: Since the workflow-cps was upgraded to 2.64, @Field annotations are not working anymore.

The following pipeline works fine in 2.63:
{code:java}
import groovy.transform.Field
@Field final SOMETHING='bar'
@Field final MY_CONSTANT="foo $SOMETHING"
node() {
  do_stuff()
}
def do_stuff() {
  sh "echo $MY_CONSTANT"
}
{code}
With workflow-cps 2.64, this gives the following exception:

{noformat}
roovy.lang.MissingPropertyException: No such property: SOMETHING for class: groovy.lang.Binding
   at groovy.lang.Binding.getVariable(Binding.java:58)
   at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:264)
   at org.kohsuke.groovy.sandbox.impl.Checker$6.call(Checker.java:288)
   at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:292)
   at org.kohsuke.groovy.sandbox.impl.Checker$checkedGetProperty.callStatic(Unknown Source)
   at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
   at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:230)
   at WorkflowScript.<init>(WorkflowScript:3) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
   at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
   at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at java.lang.Class.newInstance(Class.java:442)
   at org.codehaus.groovy.runtime.InvokerHelper.createScript(InvokerHelper.java:434)
Caused: groovy.lang.GroovyRuntimeException: Failed to create Script instance for class: class WorkflowScript. Reason
   at org.codehaus.groovy.runtime.InvokerHelper.createScript(InvokerHelper.java:466)
   at groovy.lang.GroovyShell.parse(GroovyShell.java:700) at org.jenkinsci.plugins.workflow.cps.CpsGroovyShell.lambda$doParse$0(CpsGroovyShell.java:135)
   at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:136)
   at org.jenkinsci.plugins.workflow.cps.CpsGroovyShell.doParse(CpsGroovyShell.java:132)
   at org.jenkinsci.plugins.workflow.cps.CpsGroovyShell.reparse(CpsGroovyShell.java:127)
   at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution.parseScript(CpsFlowExecution.java:560)
   at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution.start(CpsFlowExecution.java:521)
   at org.jenkinsci.plugins.workflow.job.WorkflowRun.run(WorkflowRun.java:320)
   at hudson.model.ResourceController.execute(ResourceController.java:97)
   at hudson.model.Executor.run(Executor.java:429)
Finished: FAILURE
{noformat}

New: Since the workflow-cps was upgraded to 2.64, @Field annotations are not working anymore.

The following pipeline works fine in 2.63:
{code:java}
import groovy.transform.Field
@Field final SOMETHING='bar'
@Field final MY_CONSTANT="foo $SOMETHING"
node() {
  do_stuff()
}
def do_stuff() {
  sh "echo $MY_CONSTANT"
}
{code}
With workflow-cps 2.64, this gives the following exception:

{noformat}
Groovy.lang.MissingPropertyException: No such property: SOMETHING for class: groovy.lang.Binding
   at groovy.lang.Binding.getVariable(Binding.java:58)
   at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:264)
   at org.kohsuke.groovy.sandbox.impl.Checker$6.call(Checker.java:288)
   at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:292)
   at org.kohsuke.groovy.sandbox.impl.Checker$checkedGetProperty.callStatic(Unknown Source)
   at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
   at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:230)
   at WorkflowScript.<init>(WorkflowScript:3) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
   at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
   at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at java.lang.Class.newInstance(Class.java:442)
   at org.codehaus.groovy.runtime.InvokerHelper.createScript(InvokerHelper.java:434)
Caused: groovy.lang.GroovyRuntimeException: Failed to create Script instance for class: class WorkflowScript. Reason
   at org.codehaus.groovy.runtime.InvokerHelper.createScript(InvokerHelper.java:466)
   at groovy.lang.GroovyShell.parse(GroovyShell.java:700) at org.jenkinsci.plugins.workflow.cps.CpsGroovyShell.lambda$doParse$0(CpsGroovyShell.java:135)
   at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:136)
   at org.jenkinsci.plugins.workflow.cps.CpsGroovyShell.doParse(CpsGroovyShell.java:132)
   at org.jenkinsci.plugins.workflow.cps.CpsGroovyShell.reparse(CpsGroovyShell.java:127)
   at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution.parseScript(CpsFlowExecution.java:560)
   at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution.start(CpsFlowExecution.java:521)
   at org.jenkinsci.plugins.workflow.job.WorkflowRun.run(WorkflowRun.java:320)
   at hudson.model.ResourceController.execute(ResourceController.java:97)
   at hudson.model.Executor.run(Executor.java:429)
Finished: FAILURE
{noformat}

Francois Ferrand made changes - 2019-03-22 13:29

Environment

Original: Jenkins: 2.168
Pipeline: Groovy 2.64

New: Jenkins: 2.168
Pipeline: Groovy 2.64
script-security: 1.54

Tobias Richter added a comment - 2019-04-16 11:07

I can confirm this issue with the mentioned versions. We downgraded script-security to 1.53 and workflow-cps to 2.63 to solve this issue.

Tobias Richter added a comment - 2019-04-16 11:07 I can confirm this issue with the mentioned versions. We downgraded script-security to 1.53 and workflow-cps to 2.63 to solve this issue.

Jesse Glick made changes - 2019-06-04 18:59

Labels

New: regression

Jesse Glick made changes - 2019-06-04 19:00

Link

New: This issue is caused by SECURITY-1336 [ SECURITY-1336 ]

Devin Nusbaum made changes - 2019-06-04 19:01

Assignee

New: Devin Nusbaum [ dnusbaum ]

Jesse Glick made changes - 2019-06-04 19:01

Remote Link

New: This issue links to "script-security #259 (Web Link)" [ 23050 ]

Devin Nusbaum made changes - 2019-06-04 19:01

Status

Original: Open [ 1 ]

New: In Progress [ 3 ]

Assignee:: Devin Nusbaum

Reporter:: Francois Ferrand

Votes:: 3 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2019-03-22 13:25

Updated:: 2019-07-05 21:05

Resolved:: 2019-07-05 18:56

Jenkins

Details

Description

Attachments

Issue Links

Activity

Collapse comment: Tobias Richter added a comment - 2019-04-16 11:07

Expand comment: Tobias Richter added a comment - 2019-04-16 11:07

People

Dates