Job Dsl "configure" block does not work with latest script-security plugin

This issue is archived. You can view it, but you can't modify it. Learn more

XMLWordPrintable

      The upgrade of script-security plugin from 1.74 to 1.75 broke the behavior of existing Job Dsl jobs. This occurs when the Job Dsl is run in a sandbox and uses a "configure {" closure.

      The following example pipelineJob script recreates the problem:

      node('master') {
    stage('jobDsl configure test') {
        jobDsl(
            sandbox: true,
            scriptText: '''
pipelineJob('test-configure-job')
    configure { node ->
        node.append(test('Testing...'))
    }
}
''',
        )
    }
}

      When this script is run in a sandbox, with "Enable script security for Job DSL scripts" checked, it fails with the following:

       Processing provided DSL script
 java.lang.SecurityException: Rejecting unsandboxed method call: javaposse.jobdsl.dsl.jobs.WorkflowJob.invokeMethod(java.lang.String, [Ljava.lang.Object;)
 	at org.kohsuke.groovy.sandbox.impl.RejectEverythingInterceptor.onMethodCall(RejectEverythingInterceptor.java:44)
 	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:161)
 	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:165)
 	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)
 	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)
 	at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source)
 	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
 	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
 	at script$_run_closure1$_closure2.doCall(script:3)
 	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
 	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 	at java.base/java.lang.reflect.Method.invoke(Method.java:566)

      This does not happen with script-security plugin version 1.74.

            Assignee:
            Jamie Tanna
            Reporter:
            Patrick McNerthney
            Archiver:
            Jenkins Service Account

              Created:
              Updated:
              Archived: