
Permissive script security plugin is broken after updating to script security 1.58

    • 0.5

      After updating to Script Security 1.58 permissive script security no longer permits unsafe method calls.  I have -Dpermissive-script-security.enabled=no_security set up in the java args, and before upgrading to 1.58 I was receiving no warnings/errors when calling unsafe methods as expected. After upgrading I see many warnings in my pipeline log, such as:

      Scripts not permitted to use staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint. Administrators can decide whether to approve or reject this signature.


          Brian Ray added a comment -

          I think the actual incompatibility is with workflow-cps-2.67, specifically #280 (JENKINS-34973). As noted at the top of the PR thread it is complementary to script-security-plugin/#243.

          After running into the current issue with permissive-script-security-0.3, script-security-1.58, workflow-cps-2.67 I downgraded the latter plugin back to 2.66 and the issue disappeared.

          There are two other interesting aspects in my troubleshooting attempts:

          1. It does not seem possible to effectively whitelist the method, at least in the UI. I can whitelist it but on the next run the script security warning is logged again.
          2. Reproduction is possible via a completely empty pipeline script.


          Julien Duchesne added a comment -

          I can confirm what Brian says. Also, trying to approve the rejected methods froze our Jenkins instance (actually, two of us made the same mistake on different instances).

          Oliver Gondža added a comment -

          Thanks, I managed to reproduce the problem introduced between script-security-1.57 and script-security-1.58. Let me see what we can do.

          Oliver Gondža added a comment -

          It is 4c12f752e15bdf1d879019e8157954688b35b104 in script-security that has caused this to break. On first glance, the problem appears fixable.

          Oliver Gondža added a comment -

          Fix proposed: https://github.com/jenkinsci/permissive-script-security-plugin/pull/2

          Oliver Gondža added a comment -

          Fixed in 0.4, released just now.

          Jeff Care added a comment -

          We are still seeing

          Scripts not permitted to use staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint.

          even after applying 0.4


          Oliver Gondža added a comment -

          carej, be more specific. The problem this issue addresses is that even when the signature is explicitly whitelisted, it is still reported/blocked (depending on your config). Is that signature whitelisted on your instance? How is the plugin configured?

          Jeff Care added a comment -

          Yes, whitelisted and still getting that message.


          Oliver Gondža added a comment -

          carej, strange, can you provide us with a minimal reproducer of what you are observing?

          Andrea Lai added a comment -

          I am still seeing the issue as well.

          Steps:

            1. Create a Pipeline job with the following script:

               pipeline {
                 agent { label 'master' }
                 stages {
                   stage('Clear working directory') {
                     steps {
                       ansiColor('xterm') {
                         deleteDir()
                       }
                     }
                   }
                 }
               }

            2. Run the job above; it passes with lots of "Scripts not permitted to use new ..."
            3. Go to the Script Approval page and approve everything.
            4. The Approval page does not have any pending approvals.
            5. Run the Pipeline job again.
            6. The job above passes with lots of "Scripts not permitted to use new ..." again.
            7. Go to the Script Approval page and all the pending approvals are back even if they are already listed in the "Signatures already approved:" section.
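          The symptom Brian Ray and Andrea Lai describe above is that a signature already present under "Signatures already approved" is reported again on the next build. The following script is an added example, not part of this thread and not code from the permissive-script-security or script-security plugins: it pulls the "Scripts not permitted to use ..." signatures out of a build or Jenkins log and cross-checks them against $JENKINS_HOME/scriptApproval.xml, so an admin can tell a signature that is genuinely unapproved from one that was approved and is still being reported. The element names assumed for scriptApproval.xml (approvedSignatures/string, pendingSignatures/pendingSignature/signature) and the sample log lines are constructed here from the messages quoted in the thread; check them against your own file before relying on the script.

```python
"""Cross-check script-security rejections against scriptApproval.xml.

Added example for JENKINS-57171 (not the plugin's own code). Signatures
quoted from the log are matched against <approvedSignatures> in
scriptApproval.xml; a reported signature that is already approved is the
behaviour this issue is about, one that is absent is an ordinary
unapproved call.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of scriptApproval.xml after an admin approved everything
# (step 3 of the reproduction). Element names are assumed to match the file
# Jenkins writes; verify against your own $JENKINS_HOME/scriptApproval.xml.
SAMPLE_SCRIPT_APPROVAL_XML = """<?xml version='1.1' encoding='UTF-8'?>
<scriptApproval plugin="script-security@1.58">
  <approvedScriptHashes/>
  <approvedSignatures>
    <string>staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint</string>
    <string>method java.io.File delete</string>
  </approvedSignatures>
  <aclApprovedSignatures/>
  <approvedClasspathEntries/>
  <pendingScripts/>
  <pendingSignatures>
    <pendingSignature>
      <context><user>admin</user></context>
      <signature>staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint</signature>
      <dangerous>false</dangerous>
    </pendingSignature>
  </pendingSignatures>
  <pendingClasspathEntries/>
</scriptApproval>
"""

# Constructed sample log lines in the two shapes quoted in the thread: the
# bare pipeline-log message and the RejectedAccessException in the Jenkins log.
SAMPLE_LOG_LINES = [
    "Scripts not permitted to use staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint. Administrators can decide whether to approve or reject this signature.",
    "org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod java.security.MessageDigest getInstance java.lang.String",
    "[Pipeline] deleteDir",
    "Scripts not permitted to use method java.io.File delete. Administrators can decide whether to approve or reject this signature.",
]

# The signature is everything after "Scripts not permitted to use " up to the
# optional ". Administrators ..." sentence or the end of the line.
_REJECTED = re.compile(r"Scripts not permitted to use (?P<sig>.+?)(?:\. Administrators\b.*)?$")


def rejected_signatures(lines):
    """Distinct signatures reported as not permitted, in first-seen order."""
    seen = []
    for line in lines:
        m = _REJECTED.search(line)
        if m and m.group("sig") not in seen:
            seen.append(m.group("sig"))
    return seen


def approved_signatures(xml_text):
    """Signatures listed under <approvedSignatures> (the whitelist)."""
    root = ET.fromstring(xml_text)
    return {e.text.strip() for e in root.iterfind("./approvedSignatures/string") if e.text}


def pending_signatures(xml_text):
    """Signatures currently shown on the Script Approval page as pending."""
    root = ET.fromstring(xml_text)
    return {e.text.strip() for e in root.iterfind("./pendingSignatures/pendingSignature/signature") if e.text}


def classify(lines, xml_text):
    """Split reported signatures into already-approved (the bug) and unapproved,
    and list signatures that are both approved and pending at once."""
    approved = approved_signatures(xml_text)
    pending = pending_signatures(xml_text)
    reported = rejected_signatures(lines)
    return {
        "already_approved_but_rejected": [s for s in reported if s in approved],
        "unapproved": [s for s in reported if s not in approved],
        "approved_and_pending": sorted(approved & pending),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: script.py <build-or-jenkins.log> <scriptApproval.xml>
        with open(sys.argv[1], encoding="utf-8") as f:
            lines = f.read().splitlines()
        with open(sys.argv[2], encoding="utf-8") as f:
            xml_text = f.read()
    else:
        lines, xml_text = SAMPLE_LOG_LINES, SAMPLE_SCRIPT_APPROVAL_XML
    for key, sigs in classify(lines, xml_text).items():
        print(key)
        for sig in sigs:
            print("   ", sig)
```

          Run it with no arguments to see the constructed sample classified, or pass a build log and your scriptApproval.xml. A non-empty "already_approved_but_rejected" list is the condition this issue describes; a non-empty "unapproved" list is the plugin doing its normal job and is what an admin should actually review.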

          Andrea Lai added a comment - - edited

          I am attaching a screenshot showing the Approval page asking to approve items already in the "Signatures already approved"


          Andrea Lai added a comment -

          Please find attached a copy of scriptApproval.xml.

          Andrea Lai added a comment -

          I am re-opening as 2 people reported the change did not address the issue for some use cases.


          Michelle Pogado added a comment -

          Also experiencing the same problem with the following versions:
          Jenkins 2.168
          Script Security 1.58
          Permissive Script Security 0.3
          Pipeline: Groovy 2.68

          Oliver Gondža added a comment -

          I managed to reproduce the issue using both declarative and scriptable pipeline, when the plugin is in enabled state. The build is permitted to invoke the signatures and they are logged in the Jenkins log. The execution suggests several internal signatures for approval, even though they were approved before.

          Oliver Gondža added a comment - - edited

          Alright, it turned out the changes in 1.58 uncovered a conceptual problem in the plugin. I have just released 0.5 with the unsafe signature detection reworked.

          https://github.com/jenkinsci/permissive-script-security-plugin/commit/7458ae4d1363a95d78fb8212460b4056f4b205ee


          Brian Ray added a comment -

          0.5 seems to clear up the issue in my local test Jenkins now with permissive-script-security.enabled=true. We'll try 0.5 in production soon.

          Thank you olivergondza.


          X O added a comment -

          Hi,

          yes, 0.5 fixes this issue but it generates another one: instead of seeing the Pipeline script from SCM (SCM/Git) for the pipeline definition in the configure page, according to what is written in the config.xml of a pipeline job, we see a pipeline script with an empty script.
          It's impossible to view it in the GUI. Interestingly, the correct configuration is used.
          Reverting to 0.3 fixes this behavior but of course leads to the current issue.

          BTW, the current issue seems only cosmetic, isn't it? There is no real need for an admin to enable the use of the "unsecured" methods. At least my pipelines do what they are supposed to do?!

          We have a lot of plugins but here are some details of what is used:
          Jenkins: 2.179
          Script Security 1.60
          Permissive Script Security 0.3 or 0.5
          Pipeline Groovy 2.70
          Git 3.10.0

          Thanks


          Lu Shen added a comment -

          We recently did an upgrade on Jenkins and plugins. The "permissive-script-security.enabled=true" setting used to allow scripts to be run in the pipeline but not any more after the upgrade.

          The Jenkins log file would log issues like: org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod java.security.MessageDigest getInstance java.lang.String and the scripts come into "In-process script approval".

          Version info:

          Jenkins: 2.164.3
          Script Security 1.62
          Permissive Script Security 0.5
          Pipeline Groovy 2.73

          Oliver Gondža added a comment -

          shen3lu4, you are commenting on a once resolved issue. File a new one instead.

          Peter Wiseman added a comment -

          olivergondza do you have a reference for a new issue that you're working on? Maybe JENKINS-59145 (Pipeline script UI) or JENKINS-59227 (Global Pipeline Libraries configuration)?

          With Permissive Script Security at 0.5, the Global Pipeline Library SCM configuration information is no longer visible. If that were all it might be ok, but upon saving, the configuration is removed.

            olivergondza Oliver Gondža
            gabloe Gabriel Loewen
            Votes: 9
            Watchers: 18