Bug
Resolution: Unresolved
Minor
jenkins 2.189 on java 1.8 with script-security 1.62
The generic whitelist has various methods on java.lang.CharSequence in place, for example:
    staticMethod org.codehaus.groovy.runtime.StringGroovyMethods isAllWhitespace java.lang.CharSequence
    staticMethod org.codehaus.groovy.runtime.StringGroovyMethods isDouble java.lang.CharSequence
    staticMethod org.codehaus.groovy.runtime.StringGroovyMethods isFloat java.lang.CharSequence
    staticMethod org.codehaus.groovy.runtime.StringGroovyMethods isInteger java.lang.CharSequence
    staticMethod org.codehaus.groovy.runtime.StringGroovyMethods isLong java.lang.CharSequence
    staticMethod org.codehaus.groovy.runtime.StringGroovyMethods minus java.lang.CharSequence java.lang.Object
    staticMethod org.codehaus.groovy.runtime.StringGroovyMethods minus java.lang.CharSequence java.util.regex.Pattern
    staticMethod org.codehaus.groovy.runtime.StringGroovyMethods multiply java.lang.CharSequence java.lang.Number
    staticMethod org.codehaus.groovy.runtime.StringGroovyMethods normalize java.lang.CharSequence
    staticMethod org.codehaus.groovy.runtime.StringGroovyMethods padLeft java.lang.CharSequence java.lang.Number
    staticMethod org.codehaus.groovy.runtime.StringGroovyMethods padLeft java.lang.CharSequence java.lang.Number java.lang.CharSequence
However, these entries do not match when a String is passed in, even though java.lang.String implements java.lang.CharSequence.
A really simple testcase:
    stage("test normalize") {
        def foo = "thing goes here"
        if (foo instanceof java.lang.CharSequence) {
            println foo
            println foo.normalize()
        }
    }
This results in a sandbox exception of:
    [Pipeline] stage
    [Pipeline] { (test normalize)
    [Pipeline] echo
    thing goes here
    Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods normalize java.lang.String. Administrators can decide whether to approve or reject this signature.
    [Pipeline] }
    [Pipeline] // stage
    [Pipeline] End of Pipeline
    [Bitbucket] Notifying commit build result
    [Bitbucket] Build result notified
    org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods normalize java.lang.String
Specifically, adding this to the whitelist:
    staticMethod org.codehaus.groovy.runtime.StringGroovyMethods normalize java.lang.String
allows this testcase to run without exception.
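The following is an added example (not code from the Jenkins issue or from script-security) that models the behaviour described above: the sandbox resolves the call to one concrete overload and then looks that exact signature up in the whitelist, so a CharSequence entry never admits a call that resolved to the String overload. The overload table, the subtype relation and the matching rule are assumptions constructed for the demonstration; the whitelist lines are the ones quoted in the report.

```python
# Added example: simulate whitelist lookup by exact resolved signature.
# Whitelist lines quoted in the report (format: kind class method paramTypes...).
WHITELIST_FROM_REPORT = """
staticMethod org.codehaus.groovy.runtime.StringGroovyMethods isAllWhitespace java.lang.CharSequence
staticMethod org.codehaus.groovy.runtime.StringGroovyMethods normalize java.lang.CharSequence
staticMethod org.codehaus.groovy.runtime.StringGroovyMethods padLeft java.lang.CharSequence java.lang.Number
"""

# Minimal subtype relation (constructed) used to choose the most specific overload.
SUPERTYPES = {"java.lang.String": {"java.lang.CharSequence", "java.lang.Object"}}

# Overloads the runtime may pick for normalize() (constructed; first param is the receiver).
OVERLOADS = {
    "normalize": [
        ("org.codehaus.groovy.runtime.StringGroovyMethods", ("java.lang.CharSequence",)),
        ("org.codehaus.groovy.runtime.StringGroovyMethods", ("java.lang.String",)),
    ],
}


def parse_whitelist(text):
    """One whitelist line becomes one tuple; matching later is exact, token for token."""
    return {tuple(line.split()) for line in text.splitlines() if line.strip()}


def assignable(actual, declared):
    return actual == declared or declared in SUPERTYPES.get(actual, set())


def resolve(method, arg_types):
    """Pick the applicable overload with the most specific parameter types,
    so a String receiver selects normalize(String) over normalize(CharSequence)."""
    applicable = [(cls, params) for cls, params in OVERLOADS[method]
                  if len(params) == len(arg_types)
                  and all(assignable(a, d) for a, d in zip(arg_types, params))]
    best = applicable[0]
    for cand in applicable[1:]:
        # cand is more specific if each of its params is assignable to best's params
        if all(assignable(a, b) for a, b in zip(cand[1], best[1])):
            best = cand
    return best


def signature_line(method, arg_types):
    """The signature the sandbox would report, in whitelist line format."""
    cls, params = resolve(method, arg_types)
    return " ".join(("staticMethod", cls, method, *params))


def permits(whitelist, method, arg_types):
    """Exact lookup of the resolved signature; no subtype reasoning happens here."""
    cls, params = resolve(method, arg_types)
    return ("staticMethod", cls, method, *params) in whitelist
```

Adding the String entry from the report to the parsed whitelist is what makes `permits` return True for a String receiver.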
This is fairly frustrating, since upstream Groovy deprecates the java.lang.String signatures of these methods in favour of the CharSequence signatures, and CharSequence is just an interface that java.lang.String implements.
Since I'd expect most people using these methods to be using them on strings, it would be simple enough to add the String signatures to the whitelist to resolve this.