Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-63788

Job Dsl "configure" block does not work with latest script-security plugin

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Open (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: job-dsl-plugin
    • Labels:
    • Environment:
      Jenkins 2.258
      job-dsl plugin 1.77
      script-security plugin 1.75
    • Similar Issues:

      Description

      The upgrade of script-security plugin from 1.74 to 1.75 broke the behavior of existing Job Dsl jobs. This occurs when the Job Dsl is run in a sandbox and uses a "configure

      {" closure. The following example pipelineJob script recreates the problem: {code:java}

      node('master') {
        stage('jobDsl configure test') {
            jobDsl(
                sandbox: true,
                scriptText: '''
      pipelineJob('test-configure-job')
        configure

      { node ->       node.append(test('Testing...'))     }

      }
      ''',
              )
          }
      }

      
      

      When this script is run in a sandbox, with "Enable script security for Job DSL scripts" checked, it fails with the following:

       Processing provided DSL script
       java.lang.SecurityException: Rejecting unsandboxed method call: javaposse.jobdsl.dsl.jobs.WorkflowJob.invokeMethod(java.lang.String, [Ljava.lang.Object;)
       	at org.kohsuke.groovy.sandbox.impl.RejectEverythingInterceptor.onMethodCall(RejectEverythingInterceptor.java:44)
       	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:161)
       	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:165)
       	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)
       	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)
       	at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source)
       	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
       	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
       	at script$_run_closure1$_closure2.doCall(script:3)
       	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
       	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       	at java.base/java.lang.reflect.Method.invoke(Method.java:566)

      This does not happen with script-security plugin version 1.74.

        Attachments

          Activity

          Hide
          mikeryan_tan Mike Ryan added a comment - - edited

          Devin Nusbaum Do you have any comment on this issue, as it looks like you implemented the changes for SECURITY-2020?

          My org is having similar issues, but we are not using the Job DSL plugin.
          Rather, its dying when trying to execute a function that's marked as @NonCPS.

          java.lang.SecurityException: Rejecting unsandboxed method call: doParallel.invokeMethod(java.lang.String, [Ljava.lang.Object;)
          	at org.kohsuke.groovy.sandbox.impl.RejectEverythingInterceptor.onMethodCall(RejectEverythingInterceptor.java:44)
          	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:161)
          	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:165)
          	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)
          	at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source)
          	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
          	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
          	at doParallel$_configureSlaveWithTarget_closure3.doCall(doParallel.groovy:64)
          	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
          	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
          	at java.lang.reflect.Method.invoke(Method.java:498)
          	at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:93)
          	at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325)
          	at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:294)
          	at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1022)
          	at groovy.lang.Closure.call(Closure.java:414)
          	at groovy.lang.Closure.call(Closure.java:408)
          	at org.jenkinsci.plugins.workflow.cps.CpsBodyExecution.launch(CpsBodyExecution.java:140)
          	at org.jenkinsci.plugins.workflow.cps.CpsBodyInvoker.launch(CpsBodyInvoker.java:187)
          	at org.jenkinsci.plugins.workflow.cps.DSL$ThreadTaskImpl.lambda$invokeBodiesAndSwitchToAsyncMode$0(DSL.java:660)
          	at org.jenkinsci.plugins.workflow.cps.CpsStepContext.withBodyInvokers(CpsStepContext.java:537)
          	at org.jenkinsci.plugins.workflow.cps.DSL$ThreadTaskImpl.invokeBodiesAndSwitchToAsyncMode(DSL.java:650)
          	at org.jenkinsci.plugins.workflow.cps.DSL$ThreadTaskImpl.eval(DSL.java:615)
          	at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:195)
          	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:400)
          	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$400(CpsThreadGroup.java:96)
          	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:312)
          	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:276)
          	at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:67)
          	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
          	at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:136)
          	at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
          	at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:59)
          	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
          	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
          	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
          	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
          	at java.lang.Thread.run(Thread.java:748)
          

          The groovy is:

          // vars/doParallel.groovy
          
          @NonCPS
          def call(nodes, Closure body) {
             ....
          }
          
          Show
          mikeryan_tan Mike Ryan added a comment - - edited Devin Nusbaum Do you have any comment on this issue, as it looks like you implemented the changes for SECURITY-2020? My org is having similar issues, but we are not using the Job DSL plugin. Rather, its dying when trying to execute a function that's marked as @NonCPS . java.lang.SecurityException: Rejecting unsandboxed method call: doParallel.invokeMethod(java.lang.String, [Ljava.lang.Object;) at org.kohsuke.groovy.sandbox.impl.RejectEverythingInterceptor.onMethodCall(RejectEverythingInterceptor.java:44) at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:161) at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:165) at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135) at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194) at doParallel$_configureSlaveWithTarget_closure3.doCall(doParallel.groovy:64) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:93) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325) at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:294) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1022) at groovy.lang.Closure.call(Closure.java:414) at groovy.lang.Closure.call(Closure.java:408) at org.jenkinsci.plugins.workflow.cps.CpsBodyExecution.launch(CpsBodyExecution.java:140) at org.jenkinsci.plugins.workflow.cps.CpsBodyInvoker.launch(CpsBodyInvoker.java:187) at org.jenkinsci.plugins.workflow.cps.DSL$ThreadTaskImpl.lambda$invokeBodiesAndSwitchToAsyncMode$0(DSL.java:660) at org.jenkinsci.plugins.workflow.cps.CpsStepContext.withBodyInvokers(CpsStepContext.java:537) at org.jenkinsci.plugins.workflow.cps.DSL$ThreadTaskImpl.invokeBodiesAndSwitchToAsyncMode(DSL.java:650) at org.jenkinsci.plugins.workflow.cps.DSL$ThreadTaskImpl.eval(DSL.java:615) at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:195) at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:400) at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$400(CpsThreadGroup.java:96) at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:312) at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:276) at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:67) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:136) at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28) at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:59) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) The groovy is: // vars/doParallel.groovy @NonCPS def call(nodes, Closure body) { .... }
          Hide
          dnusbaum Devin Nusbaum added a comment - - edited

          Fixing this issue requires changes to JobDSL plugin. I sketched out some possible approaches in this comment, but we need a JobDSL plugin maintainer to weigh in on how the relevant code works to understand the right way to fix it.

          Mike Ryan This ticket is specifically about JobDSL. If your issue is unrelated to JobDSL, please file a new issue with more details about the problem you are experiencing, full steps to reproduce, the content of the Pipeline that is calling the shared library, config files for the relevant Pipeline job and shared library, information about where they are defined, etc.

          Show
          dnusbaum Devin Nusbaum added a comment - - edited Fixing this issue requires changes to JobDSL plugin. I sketched out some possible approaches in this comment , but we need a JobDSL plugin maintainer to weigh in on how the relevant code works to understand the right way to fix it. Mike Ryan This ticket is specifically about JobDSL. If your issue is unrelated to JobDSL, please file a new issue with more details about the problem you are experiencing, full steps to reproduce, the content of the Pipeline that is calling the shared library, config files for the relevant Pipeline job and shared library, information about where they are defined, etc.
          Hide
          thesanedenis Denis added a comment -

          We got the same issue in 1.7.7. This issue blocks updating your Jenkins server. Do you planning to resolve this issue in nearest time or it will be better do not rely on this.

           

          Show
          thesanedenis Denis added a comment - We got the same issue in 1.7.7. This issue blocks updating your Jenkins server. Do you planning to resolve this issue in nearest time or it will be better do not rely on this.  
          Hide
          rlegrand reg leg added a comment -

          Hi all.

          Devin Nusbaum , first thanks for your investigations.

          We rely a lot on this jobdsl feature, and I don't have any workaround for that. You was looking for for a jobdsl maintainer, is there any kind of process to find one and can we hope a fix for this bug ?

          Otherwise any kind of workarround for this ( rest api to generate folders/jobs also doesn't work for me: other problem with oauth/folder authorizations bug).

          If I could help, I would but this is really out of my skills.

          If anyone has any idea about the time needed to solve this issue, I'm very interested.

           

           

          Show
          rlegrand reg leg added a comment - Hi all. Devin Nusbaum  , first thanks for your investigations. We rely a lot on this jobdsl feature, and I don't have any workaround for that. You was looking for for a jobdsl maintainer, is there any kind of process to find one and can we hope a fix for this bug ? Otherwise any kind of workarround for this ( rest api to generate folders/jobs also doesn't work for me: other problem with oauth/folder authorizations bug). If I could help, I would but this is really out of my skills. If anyone has any idea about the time needed to solve this issue, I'm very interested.    
          Hide
          ifernandezcalvo Ivan Fernandez Calvo added a comment - - edited

          this issue breaks completely the Multibranch pipeline jobs, because of https://issues.jenkins.io/browse/JENKINS-60874 the only way to configure the pull request discovery settings is a configure block, after jobDSL 1.75 it is not possible to configure pull request discovery settings anymore

            configure {
              // workaround for JENKINS-60874, JENKINS-57942, and JENKINS-46202
              // Discovers pull requests where the origin repository is the same as the target repository.
              // https://github.com/jenkinsci/github-branch-source-plugin/blob/master/src/main/java/org/jenkinsci/plugins/github_branch_source/OriginPullRequestDiscoveryTrait.java#L57-L72
              def traits = it / sources / data / 'jenkins.branch.BranchSource' / source / traits
              traits << 'org.jenkinsci.plugins.github_branch_source.ForkPullRequestDiscoveryTrait' {
                strategyId 1
                trust(class: 'org.jenkinsci.plugins.github_branch_source.ForkPullRequestDiscoveryTrait$TrustPermission')
              }
              traits << 'org.jenkinsci.plugins.github__branch__source.OriginPullRequestDiscoveryTrait' {
                strategyId 1
              }
            }
          
          Show
          ifernandezcalvo Ivan Fernandez Calvo added a comment - - edited this issue breaks completely the Multibranch pipeline jobs, because of https://issues.jenkins.io/browse/JENKINS-60874 the only way to configure the pull request discovery settings is a configure block, after jobDSL 1.75 it is not possible to configure pull request discovery settings anymore configure { // workaround for JENKINS-60874, JENKINS-57942, and JENKINS-46202 // Discovers pull requests where the origin repository is the same as the target repository. // https://github.com/jenkinsci/github-branch-source-plugin/blob/master/src/main/java/org/jenkinsci/plugins/github_branch_source/OriginPullRequestDiscoveryTrait.java#L57-L72 def traits = it / sources / data / 'jenkins.branch.BranchSource' / source / traits traits << 'org.jenkinsci.plugins.github_branch_source.ForkPullRequestDiscoveryTrait' { strategyId 1 trust(class: 'org.jenkinsci.plugins.github_branch_source.ForkPullRequestDiscoveryTrait$TrustPermission' ) } traits << 'org.jenkinsci.plugins.github__branch__source.OriginPullRequestDiscoveryTrait' { strategyId 1 } }

            People

            Assignee:
            daspilker Daniel Spilker
            Reporter:
            olindaspider Patrick McNerthney
            Votes:
            19 Vote for this issue
            Watchers:
            26 Start watching this issue

              Dates

              Created:
              Updated: