[JENKINS-57171] Permissive script security plugin is broken after updating to script security 1.58

      After updating to Script Security 1.58 permissive script security no longer permits unsafe method calls.  I have -Dpermissive-script-security.enabled=no_security set up in the java args, and before upgrading to 1.58 I was receiving no warnings/errors when calling unsafe methods as expected. After upgrading I see many warnings in my pipeline log, such as:

      Scripts not permitted to use staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint. Administrators can decide whether to approve or reject this signature.


          Andrea Lai added a comment -

          Please find attached a copy of scriptApproval.xml


          Andrea Lai added a comment -

          I am re-opening as 2 people reported the change did not address the issue for some use cases.


          Michelle Pogado added a comment -

          Also experiencing the same problem with the following versions:
          Jenkins 2.168
          Script Security 1.58
          Permissive Script Security 0.3
          Pipeline: Groovy 2.68

          Oliver Gondža added a comment -

          I managed to reproduce the issue using both declarative and scriptable pipeline, with the plugin in enabled state. The build is permitted to invoke the signatures and they are logged in the Jenkins log. The execution suggests several internal signatures for approval, even though they were approved before.

          Oliver Gondža added a comment - - edited

          Alright, it turned out the changes in 1.58 uncovered a conceptual problem in the plugin. I have just released 0.5 with the new unsafe signature detection reworked.

          https://github.com/jenkinsci/permissive-script-security-plugin/commit/7458ae4d1363a95d78fb8212460b4056f4b205ee


          Brian Ray added a comment -

          0.5 seems to clear up the issue in my local test Jenkins now with permissive-script-security.enabled=true. We'll try 0.5 in production soon.

          Thank you olivergondza.


          X O added a comment -

          Hi,

          yes 0.5 fixes this issue but it generates another one: instead of seeing the Pipeline script from SCM (SCM/Git) for the pipeline definition in the configure page, according to what is written in the config.xml of a pipeline job, we see a pipeline script with an empty script.
          It's impossible to view it in the GUI. Interestingly, the correct configuration is used.
          Reverting to 0.3 fixes this behavior but of course leads to the current issue.

          BTW, the current issue seems only cosmetic, isn't it? There is no real need for an admin to enable the use of the "unsecured" methods. At least my pipelines do what they are supposed to do?!

          We have a lot of plugins but here are some details of what is used:
          Jenkins: 2.179
          Script Security 1.60
          Permissive Script Security 0.3 or 0.5
          Pipeline Groovy 2.70
          Git 3.10.0

          Thanks


          Lu Shen added a comment -

          We recently did an upgrade on Jenkins and plugins. The "permissive-script-security.enabled=true" setting used to allow scripts to be run in the pipeline but not any more after the upgrade.

          Jenkins log file would log issues like: org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod java.security.MessageDigest getInstance java.lang.String and the scripts come into "In-process script approval".

          Version info:

          Jenkins: 2.164.3
          Script Security 1.62
          Permissive Script Security 0.5
          Pipeline Groovy 2.73

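The comments above quote two forms of the same Script Security message: the pipeline-log warning ("Scripts not permitted to use staticMethod ... Administrators can decide whether to approve or reject this signature.") and the Jenkins-log RejectedAccessException. When permissive mode merely logs such signatures instead of blocking them, an admin still has to decide which of the entries piling up in "In-process script approval" deserve a look. The script below is an added triage example, not code from the plugin or from anyone in this thread: it parses both message forms out of a log, splits each signature into kind/class/member/argument types, counts repeats, and tags each one as Jenkins-internal (the `org.jenkinsci.plugins.workflow.` signatures the thread says should never have been suggested), review-worthy, or other. The sample log lines are constructed, and the list of review-worthy class prefixes is an assumption to be adjusted per installation.

```python
import re
from collections import Counter

# Constructed sample lines (not real output from the issue's reporters), modelled on the
# two message formats quoted in the thread: the pipeline-log warning and the Jenkins-log
# RejectedAccessException.
SAMPLE_LOG = """\
[Pipeline] Start of Pipeline
Scripts not permitted to use staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint. Administrators can decide whether to approve or reject this signature.
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod java.security.MessageDigest getInstance java.lang.String
Scripts not permitted to use method java.lang.Runtime exec java.lang.String. Administrators can decide whether to approve or reject this signature.
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod java.security.MessageDigest getInstance java.lang.String
Scripts not permitted to use new java.io.File java.lang.String. Administrators can decide whether to approve or reject this signature.
[Pipeline] End of Pipeline
"""

# The signature sits between the fixed prefix and either end-of-line (exception form)
# or the trailing "Administrators can decide ..." sentence (pipeline-log form).
SIGNATURE_RE = re.compile(
    r"Scripts not permitted to use (?P<sig>.+?)(?:\. Administrators can decide.*)?$"
)

# Class prefixes an admin should examine closely before approving. Hypothetical starting
# list chosen for this example, not something the plugin defines; extend per installation.
REVIEW_PREFIXES = (
    "java.lang.Runtime", "java.lang.ProcessBuilder", "java.io.File",
    "java.lang.System", "java.lang.reflect.", "groovy.lang.GroovyShell",
)


def parse_signature(signature):
    """Split a Script Security signature ("kind class member [argtypes...]") into parts."""
    tokens = signature.split()
    kind = tokens[0]
    if kind == "new":  # constructor signatures carry no member name
        cls, member, args = tokens[1], "<init>", tokens[2:]
    else:
        cls = tokens[1]
        member = tokens[2] if len(tokens) > 2 else ""
        args = tokens[3:]
    return {"kind": kind, "class": cls, "member": member, "args": args, "signature": signature}


def classify(entry):
    """Tag a parsed signature for triage."""
    cls = entry["class"]
    if cls.startswith("org.jenkinsci.plugins.workflow."):
        return "jenkins-internal"  # the internal signatures the thread says were wrongly suggested
    if cls.startswith(REVIEW_PREFIXES):
        return "review"
    return "other"


def extract_signatures(log_text):
    """Return one parsed entry per log line that carries a rejected signature."""
    entries = []
    for line in log_text.splitlines():
        match = SIGNATURE_RE.search(line)
        if match:
            entries.append(parse_signature(match.group("sig")))
    return entries


def report(log_text):
    """Aggregate to (signature, count, category) rows, most frequent first."""
    entries = extract_signatures(log_text)
    counts = Counter(entry["signature"] for entry in entries)
    by_signature = {entry["signature"]: entry for entry in entries}
    return sorted(
        ((sig, n, classify(by_signature[sig])) for sig, n in counts.items()),
        key=lambda row: (-row[1], row[0]),
    )


if __name__ == "__main__":
    for sig, n, category in report(SAMPLE_LOG):
        print(f"{n:3d}  {category:16s} {sig}")
```

Feeding the real Jenkins log through `report()` gives a ranked list where the `jenkins-internal` rows can be dismissed as plugin noise of the kind this issue describes, while the `review` rows are the ones worth checking against the pipeline source before anything is approved.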

          Oliver Gondža added a comment -

          shen3lu4, you are commenting on a once resolved issue. File a new one instead.

          Peter Wiseman added a comment -

          olivergondza do you have a reference for a new issue that you're working on?  Maybe JENKINS-59145 (Pipeline script UI) or JENKINS-59227 (Global Pipeline Libraries configuration)?

          With Permissive Script Security at 0.5, the Global Pipeline Library SCM configuration information is no longer visible.  If that were all it might be ok, but upon saving, the configuration is removed.


            olivergondza Oliver Gondža
            gabloe Gabriel Loewen
            Votes: 9
            Watchers: 18