Details
- Type: Bug
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Component/s: job-dsl-plugin
- Environment: Jenkins 2.258, job-dsl plugin 1.77, script-security plugin 1.75
Description
The upgrade of script-security plugin from 1.74 to 1.75 broke the behavior of existing Job DSL jobs. This occurs when the Job DSL is run in a sandbox and uses a "configure {" closure. The following example pipelineJob script recreates the problem:
{code:java}
node('master') {
    stage('jobDsl configure test') {
        jobDsl(
            sandbox: true,
            scriptText: '''
pipelineJob('test-configure-job') {
    configure {
        // body of the configure closure is not preserved on this page
    }
}
''',
        )
    }
}
{code}
When this script is run in a sandbox, with "Enable script security for Job DSL scripts" checked, it fails with the following:
Processing provided DSL script
java.lang.SecurityException: Rejecting unsandboxed method call: javaposse.jobdsl.dsl.jobs.WorkflowJob.invokeMethod(java.lang.String, [Ljava.lang.Object;)
    at org.kohsuke.groovy.sandbox.impl.RejectEverythingInterceptor.onMethodCall(RejectEverythingInterceptor.java:44)
    at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:161)
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:165)
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)
    at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source)
    at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
    at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
    at script$_run_closure1$_closure2.doCall(script:3)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
This does not happen with script-security plugin version 1.74.
Devin Nusbaum, do you have any comment on this issue, as it looks like you implemented the changes for SECURITY-2020?
My org is having similar issues, but we are not using the Job DSL plugin.
Rather, it's dying when trying to execute a function that's marked as @NonCPS.
The Groovy is:
{code:java}
// vars/doParallel.groovy
@NonCPS
def call(nodes, Closure body) {
    ....
}
{code}