
Permissive script security plugin is broken after updating to script security 1.58

    • 0.5

      After updating to Script Security 1.58 permissive script security no longer permits unsafe method calls.  I have -Dpermissive-script-security.enabled=no_security set up in the java args, and before upgrading to 1.58 I was receiving no warnings/errors when calling unsafe methods as expected. After upgrading I see many warnings in my pipeline log, such as:

      Scripts not permitted to use staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint. Administrators can decide whether to approve or reject this signature.

       

          [JENKINS-57171] Permissive script security plugin is broken after updating to script security 1.58

          Gabriel Loewen created issue -

          Brian Ray added a comment -

          I think the actual incompatibility is with workflow-cps-2.67, specifically #280 (JENKINS-34973). As noted at the top of the PR thread it is complementary to script-security-plugin/#243.

          After running into the current issue with permissive-script-security-0.3, script-security-1.58, workflow-cps-2.67 I downgraded the latter plugin back to 2.66 and the issue disappeared.

          There are two other interesting aspects in my troubleshooting attempts:

          1. It does not seem possible to effectively whitelist the method, at least in the UI. I can whitelist it but on the next run the script security warning is logged again.
          2. Reproduction is possible via a completely empty pipeline script.

          Brian Ray made changes -
          Component/s New: workflow-cps-plugin [ 21713 ]
          Brian Ray made changes -
          Environment Original: Jenkins 2.164.2; Script Security 1.58; Permissive Script Security 0.3
          New: Jenkins 2.164.2; Script Security 1.58; Permissive Script Security 0.3; Pipeline: Groovy 2.67
          Brian Ray made changes -
          Link New: This issue is caused by JENKINS-34973 [ JENKINS-34973 ]

          Julien Duchesne added a comment -

          I can confirm what Brian says. Also, trying to approve the rejected methods froze our Jenkins instance (Actually, two of us made the same mistake on different instances).

          Oliver Gondža added a comment -

          Thanks, I managed to reproduce the problem introduced between script-security-1.57 and script-security-1.58. Let me see what we can do.

          Oliver Gondža added a comment -

          It is 4c12f752e15bdf1d879019e8157954688b35b104 in script-security that has caused this to break. At first glance, the problem appears fixable.
          Oliver Gondža made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
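
A triage helper for the warnings quoted in this issue, added here as an example (it is not code from the commenters or from any Jenkins plugin): it tallies the rejected signatures in a pipeline log and separates those under org.jenkinsci.plugins.workflow., like the Safepoint call above, from rejections raised by the job's own script. The function names, the package-prefix heuristic and the sample log are assumptions constructed for the illustration.

```python
import re
from collections import Counter

# Signature kinds used in script-security approvals (assumed complete for this example).
KINDS = ("staticMethod", "method", "staticField", "field", "new")

REJECTION = re.compile(
    r"Scripts not permitted to use (?P<kind>" + "|".join(KINDS) + r") "
    r"(?P<sig>.+?)(?:\. Administrators can decide|$)"
)

# Assumption: classes under this package belong to the Pipeline engine itself, so a
# rejection there points at a plugin incompatibility rather than at the job's script.
ENGINE_PREFIX = "org.jenkinsci.plugins.workflow."

# Constructed sample log: the first signature is the one quoted in this issue,
# the java.io.File line is invented to show a script-level rejection.
SAMPLE_LOG = """\
[Pipeline] Start of Pipeline
Scripts not permitted to use staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint. Administrators can decide whether to approve or reject this signature.
[Pipeline] node
Scripts not permitted to use staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint. Administrators can decide whether to approve or reject this signature.
Scripts not permitted to use method java.io.File exists
[Pipeline] End of Pipeline
"""

def rejected_signatures(log_text):
    """Return a Counter mapping (kind, signature) to the number of rejections logged."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REJECTION.search(line)
        if m:
            hits[(m.group("kind"), m.group("sig").strip())] += 1
    return hits

def triage(log_text):
    """Split rejections into engine-internal ones and ones caused by the script."""
    report = {"engine": [], "script": []}
    for (kind, sig), count in sorted(rejected_signatures(log_text).items()):
        bucket = "engine" if sig.startswith(ENGINE_PREFIX) else "script"
        report[bucket].append((kind, sig, count))
    return report

if __name__ == "__main__":
    for bucket, rows in triage(SAMPLE_LOG).items():
        for kind, sig, count in rows:
            print(f"{bucket:6} x{count} {kind} {sig}")
```
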

            olivergondza Oliver Gondža
            gabloe Gabriel Loewen
            Votes: 9
            Watchers: 18