  1. Jenkins
  2. JENKINS-63788

Job Dsl "configure" block does not work with latest script-security plugin

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: job-dsl-plugin
    • Labels:
    • Environment:
      Jenkins 2.258
      job-dsl plugin 1.77
      script-security plugin 1.75

      Description

      The upgrade of the script-security plugin from 1.74 to 1.75 broke the behavior of existing Job Dsl jobs. This occurs when the Job Dsl is run in a sandbox and uses a "configure {" closure. The following example pipelineJob script recreates the problem:

          // Pipeline that runs an inline Job DSL script inside the Groovy sandbox
          node('master') {
              stage('jobDsl configure test') {
                  jobDsl(
                      sandbox: true,
                      scriptText: '''
          pipelineJob('test-configure-job') {
              configure { node ->
                  node.append(test('Testing...'))
              }
          }
          ''',
                  )
              }
          }

      When this script is run in a sandbox, with "Enable script security for Job DSL scripts" checked, it fails with the following:

       Processing provided DSL script
       java.lang.SecurityException: Rejecting unsandboxed method call: javaposse.jobdsl.dsl.jobs.WorkflowJob.invokeMethod(java.lang.String, [Ljava.lang.Object;)
       	at org.kohsuke.groovy.sandbox.impl.RejectEverythingInterceptor.onMethodCall(RejectEverythingInterceptor.java:44)
       	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:161)
       	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:165)
       	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)
       	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)
       	at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source)
       	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
       	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
       	at script$_run_closure1$_closure2.doCall(script:3)
       	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
       	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       	at java.base/java.lang.reflect.Method.invoke(Method.java:566)

      This does not happen with script-security plugin version 1.74.
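
      For triage after a script-security upgrade, the rejection shown above can be extracted from console logs mechanically, giving the rejected call, the interceptor that refused it and the offending script line. This is an added example, not part of the original report or of either plugin; the function names are hypothetical and the sample log is an excerpt of the trace in this issue.

```python
import re

# Excerpt of the console output quoted in this issue (frames trimmed).
SAMPLE_LOG = """\
Processing provided DSL script
java.lang.SecurityException: Rejecting unsandboxed method call: javaposse.jobdsl.dsl.jobs.WorkflowJob.invokeMethod(java.lang.String, [Ljava.lang.Object;)
\tat org.kohsuke.groovy.sandbox.impl.RejectEverythingInterceptor.onMethodCall(RejectEverythingInterceptor.java:44)
\tat org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:161)
\tat script$_run_closure1$_closure2.doCall(script:3)
\tat java.base/java.lang.reflect.Method.invoke(Method.java:566)
"""

# Only the "method call" wording appears on the page; accepting other
# lower-case wordings in the same position is an assumption.
REJECTION = re.compile(
    r"java\.lang\.SecurityException: Rejecting unsandboxed (?P<kind>[a-z ]+): "
    r"(?P<target>[\w.$]+)\((?P<params>[^)]*)\)"
)
FRAME = re.compile(r"^\s*at (?P<where>[\w.$/]+)\((?P<src>[^)]*)\)")
SCRIPT_SRC = re.compile(r"^script:(?P<line>\d+)$")

PRIMITIVES = {"Z": "boolean", "B": "byte", "C": "char", "S": "short",
              "I": "int", "J": "long", "F": "float", "D": "double"}


def decode_jvm_type(name):
    """Turn Class.getName() array notation ([Ljava.lang.Object;) into source form."""
    name = name.strip()
    dims = len(name) - len(name.lstrip("["))
    if dims == 0:
        return name
    element = name[dims:]
    if element.startswith("L") and element.endswith(";"):
        element = element[1:-1]
    else:
        element = PRIMITIVES.get(element, element)
    return element + "[]" * dims


def find_rejections(log_text):
    """Return one record per sandbox rejection found in a console log."""
    records, current = [], None
    for raw in log_text.splitlines():
        hit = REJECTION.search(raw)
        if hit:
            receiver, _, method = hit["target"].rpartition(".")
            params = [decode_jvm_type(p)
                      for p in hit["params"].split(",") if p.strip()]
            current = {"kind": hit["kind"], "receiver": receiver,
                       "method": method, "params": params,
                       "rejected_by": None, "script_line": None,
                       "closure_depth": None}
            records.append(current)
            continue
        if current is None:
            continue
        frame = FRAME.match(raw)
        if frame is None:          # first non-frame line ends this trace
            current = None
            continue
        where, src = frame["where"], frame["src"]
        if current["rejected_by"] is None:
            # Top frame: simple class name of the interceptor that refused.
            current["rejected_by"] = where.rpartition(".")[0].rpartition(".")[2]
        script = SCRIPT_SRC.match(src)
        if script and current["script_line"] is None:
            current["script_line"] = int(script["line"])
            # Groovy names nested closure classes ..._closure1$_closure2,
            # so the number of segments is the closure nesting depth.
            current["closure_depth"] = where.count("_closure")
    return records


def describe(record):
    """One-line summary suitable for a triage report."""
    short = record["receiver"].rpartition(".")[2]
    return "{}.{}({}) rejected by {} at script line {} (closure depth {})".format(
        short, record["method"], ", ".join(record["params"]),
        record["rejected_by"], record["script_line"], record["closure_depth"])


if __name__ == "__main__":
    for rec in find_rejections(SAMPLE_LOG):
        print(describe(rec))
```
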

          Activity

          olindaspider Patrick McNerthney created issue -
          olindaspider Patrick McNerthney made changes -
          Field Original Value New Value
          Description The upgrade of the the script-security plugin from 1.74 to 1.75 broke the behavior of existing Job Dsl jobs. This occurs when the Job Dsl is run in a sandbox and uses a "configure {" block.

          The following example pipelineJob script recreates the problem:

          {color:#ff8b00}node('master') {{color}
          {color:#ff8b00}    stage('jobDsl configure test') {{color}
          {color:#ff8b00}        jobDsl({color}
          {color:#ff8b00}            sandbox: true,{color}
          {color:#ff8b00}            scriptText: '''\{color}
          {color:#ff8b00}pipelineJob('test-configure-job') {{color}
          {color:#ff8b00}    configure { node ->{color}
          {color:#ff8b00}        node.append(test('Testing...')){color}
          {color:#ff8b00}    }{color}
          {color:#ff8b00}}{color}
          {color:#ff8b00}''',{color}
          {color:#ff8b00}        ){color}
          {color:#ff8b00}    }{color}
          {color:#ff8b00}}{color}

          When this script is run in a sandbox, with "Enable script security for Job DSL scripts" checked, it fails with the following:


           Processing provided DSL script
           java.lang.SecurityException: Rejecting unsandboxed method call: javaposse.jobdsl.dsl.jobs.WorkflowJob.invokeMethod(java.lang.String, [Ljava.lang.Object;)
            at org.kohsuke.groovy.sandbox.impl.RejectEverythingInterceptor.onMethodCall(RejectEverythingInterceptor.java:44)
            at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:161)
            at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:165)
            at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)
            at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)
            at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source)
            at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
            at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
            at script$_run_closure1$_closure2.doCall(script:3)
          This does not happen with script-security plugin version 1.74.
          The upgrade of the the script-security plugin from 1.74 to 1.75 broke the behavior of existing Job Dsl jobs. This occurs when the Job Dsl is run in a sandbox and uses a "configure {" block.

          The following example pipelineJob script recreates the problem:

          {{node('master') {}}
          {{    stage('jobDsl configure test') {}}
          {{        jobDsl(}}
          {{            sandbox: true,}}
          {{            scriptText: '''\}}
          {{pipelineJob('test-configure-job') {}}
          {{    configure { node ->}}
          {{        node.append(test('Testing...'))}}
          {{    }}}
          {{}}}
          {{''',}}
          {{        )}}
          {{    }}}
          {{}}}

          When this script is run in a sandbox, with "Enable script security for Job DSL scripts" checked, it fails with the following:

          {{Processing provided DSL script}}
          {{ java.lang.SecurityException: Rejecting unsandboxed method call: javaposse.jobdsl.dsl.jobs.WorkflowJob.invokeMethod(java.lang.String, [Ljava.lang.Object;)}}
          {{    at org.kohsuke.groovy.sandbox.impl.RejectEverythingInterceptor.onMethodCall(RejectEverythingInterceptor.java:44)}}
          {{    at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:161)}}
          {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:165)}}
          {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)}}
          {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)}}
          {{    at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source)}}
          {{    at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)}}
          {{ at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)}}
          {{ at script$_run_closure1$_closure2.doCall(script:3)}}
          {{ This does not happen with script-security plugin version 1.74.}}
          olindaspider Patrick McNerthney made changes -
          Description The upgrade of the the script-security plugin from 1.74 to 1.75 broke the behavior of existing Job Dsl jobs. This occurs when the Job Dsl is run in a sandbox and uses a "configure {" block.

          The following example pipelineJob script recreates the problem:

          {{node('master') {}}
          {{    stage('jobDsl configure test') {}}
          {{        jobDsl(}}
          {{            sandbox: true,}}
          {{            scriptText: '''\}}
          {{pipelineJob('test-configure-job') {}}
          {{    configure { node ->}}
          {{        node.append(test('Testing...'))}}
          {{    }}}
          {{}}}
          {{''',}}
          {{        )}}
          {{    }}}
          {{}}}

          When this script is run in a sandbox, with "Enable script security for Job DSL scripts" checked, it fails with the following:

          {{Processing provided DSL script}}
          {{ java.lang.SecurityException: Rejecting unsandboxed method call: javaposse.jobdsl.dsl.jobs.WorkflowJob.invokeMethod(java.lang.String, [Ljava.lang.Object;)}}
          {{    at org.kohsuke.groovy.sandbox.impl.RejectEverythingInterceptor.onMethodCall(RejectEverythingInterceptor.java:44)}}
          {{    at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:161)}}
          {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:165)}}
          {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)}}
          {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)}}
          {{    at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source)}}
          {{    at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)}}
          {{ at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)}}
          {{ at script$_run_closure1$_closure2.doCall(script:3)}}
          {{ This does not happen with script-security plugin version 1.74.}}
          The upgrade of the the script-security plugin from 1.74 to 1.75 broke the behavior of existing Job Dsl jobs. This occurs when the Job Dsl is run in a sandbox and uses a "configure {" block.

          The following example pipelineJob script recreates the problem:

          {{node('master') {}}
           {{    stage('jobDsl configure test') {}}
           {{        jobDsl(}}
           {{            sandbox: true,}}
           {{            scriptText: '''}}
           {{pipelineJob('test-configure-job') {}}
           {{    configure { node ->}}
          {{        node.append(test('Testing...'))}}
          {{    }}}
          {{}}{{}}}
           {{''',}}
           {{        )}}
          {{    }}}
          {{}}{{}}}

          When this script is run in a sandbox, with "Enable script security for Job DSL scripts" checked, it fails with the following:

          {{Processing provided DSL script}}
           {{ java.lang.SecurityException: Rejecting unsandboxed method call: javaposse.jobdsl.dsl.jobs.WorkflowJob.invokeMethod(java.lang.String, [Ljava.lang.Object;)}}
           {{    at org.kohsuke.groovy.sandbox.impl.RejectEverythingInterceptor.onMethodCall(RejectEverythingInterceptor.java:44)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:161)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:165)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source)}}
           {{    at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)}}
           \{{ at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)}}
           \{{ at script$_run_closure1$_closure2.doCall(script:3)}}
           \{{ This does not happen with script-security plugin version 1.74.}}
          olindaspider Patrick McNerthney made changes -
          Description The upgrade of the the script-security plugin from 1.74 to 1.75 broke the behavior of existing Job Dsl jobs. This occurs when the Job Dsl is run in a sandbox and uses a "configure {" block.

          The following example pipelineJob script recreates the problem:

          {{node('master') {}}
           {{    stage('jobDsl configure test') {}}
           {{        jobDsl(}}
           {{            sandbox: true,}}
           {{            scriptText: '''}}
           {{pipelineJob('test-configure-job') {}}
           {{    configure { node ->}}
          {{        node.append(test('Testing...'))}}
          {{    }}}
          {{}}{{}}}
           {{''',}}
           {{        )}}
          {{    }}}
          {{}}{{}}}

          When this script is run in a sandbox, with "Enable script security for Job DSL scripts" checked, it fails with the following:

          {{Processing provided DSL script}}
           {{ java.lang.SecurityException: Rejecting unsandboxed method call: javaposse.jobdsl.dsl.jobs.WorkflowJob.invokeMethod(java.lang.String, [Ljava.lang.Object;)}}
           {{    at org.kohsuke.groovy.sandbox.impl.RejectEverythingInterceptor.onMethodCall(RejectEverythingInterceptor.java:44)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:161)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:165)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source)}}
           {{    at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)}}
           \{{ at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)}}
           \{{ at script$_run_closure1$_closure2.doCall(script:3)}}
           \{{ This does not happen with script-security plugin version 1.74.}}
          The upgrade of the the script-security plugin from 1.74 to 1.75 broke the behavior of existing Job Dsl jobs. This occurs when the Job Dsl is run in a sandbox and uses a "configure {" block.

          The following example pipelineJob script recreates the problem:

          {{node('master') {}}
           {{    stage('jobDsl configure test') {}}
           {{        jobDsl(}}
           {{            sandbox: true,}}
           {{            scriptText: '''}}
           {{pipelineJob('test-configure-job') {}}
           {{    configure { node ->}}
          {{        node.append(test('Testing...'))}}
          {{    } }}
          {{} }}
           {{''',}}
           {{        )}}
          {{    } }}
          {{} }}

          When this script is run in a sandbox, with "Enable script security for Job DSL scripts" checked, it fails with the following:

          {{Processing provided DSL script}}
           {{ java.lang.SecurityException: Rejecting unsandboxed method call: javaposse.jobdsl.dsl.jobs.WorkflowJob.invokeMethod(java.lang.String, [Ljava.lang.Object;)}}
           {{    at org.kohsuke.groovy.sandbox.impl.RejectEverythingInterceptor.onMethodCall(RejectEverythingInterceptor.java:44)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:161)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:165)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source)}}
           {{    at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)}}
           \{{ at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)}}
           \{{ at script$_run_closure1$_closure2.doCall(script:3)}}
           \{{ This does not happen with script-security plugin version 1.74.}}
          olindaspider Patrick McNerthney made changes -
          Description The upgrade of the the script-security plugin from 1.74 to 1.75 broke the behavior of existing Job Dsl jobs. This occurs when the Job Dsl is run in a sandbox and uses a "configure {" block.

          The following example pipelineJob script recreates the problem:

          {{node('master') {}}
           {{    stage('jobDsl configure test') {}}
           {{        jobDsl(}}
           {{            sandbox: true,}}
           {{            scriptText: '''}}
           {{pipelineJob('test-configure-job') {}}
           {{    configure { node ->}}
          {{        node.append(test('Testing...'))}}
          {{    } }}
          {{} }}
           {{''',}}
           {{        )}}
          {{    } }}
          {{} }}

          When this script is run in a sandbox, with "Enable script security for Job DSL scripts" checked, it fails with the following:

          {{Processing provided DSL script}}
           {{ java.lang.SecurityException: Rejecting unsandboxed method call: javaposse.jobdsl.dsl.jobs.WorkflowJob.invokeMethod(java.lang.String, [Ljava.lang.Object;)}}
           {{    at org.kohsuke.groovy.sandbox.impl.RejectEverythingInterceptor.onMethodCall(RejectEverythingInterceptor.java:44)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:161)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:165)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source)}}
           {{    at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)}}
           \{{ at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)}}
           \{{ at script$_run_closure1$_closure2.doCall(script:3)}}
           \{{ This does not happen with script-security plugin version 1.74.}}
          The upgrade of the the script-security plugin from 1.74 to 1.75 broke the behavior of existing Job Dsl jobs. This occurs when the Job Dsl is run in a sandbox and uses a "configure {" block.

          The following example pipelineJob script recreates the problem:

           {{ node('master') { }}
           {{    stage('jobDsl configure test') { }}
           {{        jobDsl( }}
           {{            sandbox: true, }}
           {{            scriptText: ''' }}
           {{ pipelineJob('test-configure-job') { }}
           {{    configure { node -> }}
           {{        node.append(test('Testing...')) }}
           {{     } }}
           {{ } }}
           {{ ''', }}
           {{         ) }}
           {{     } }}
           {{ } }}

          When this script is run in a sandbox, with "Enable script security for Job DSL scripts" checked, it fails with the following:

          {{Processing provided DSL script}}
           {{ java.lang.SecurityException: Rejecting unsandboxed method call: javaposse.jobdsl.dsl.jobs.WorkflowJob.invokeMethod(java.lang.String, [Ljava.lang.Object;)}}
           {{    at org.kohsuke.groovy.sandbox.impl.RejectEverythingInterceptor.onMethodCall(RejectEverythingInterceptor.java:44)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:161)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:165)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source)}}
           {{    at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)}}
           \{{ at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)}}
           \{{ at script$_run_closure1$_closure2.doCall(script:3)}}
           \{{ This does not happen with script-security plugin version 1.74.}}
          olindaspider Patrick McNerthney made changes -
          Description The upgrade of the the script-security plugin from 1.74 to 1.75 broke the behavior of existing Job Dsl jobs. This occurs when the Job Dsl is run in a sandbox and uses a "configure {" block.

          The following example pipelineJob script recreates the problem:

           {{ node('master') { }}
           {{    stage('jobDsl configure test') { }}
           {{        jobDsl( }}
           {{            sandbox: true, }}
           {{            scriptText: ''' }}
           {{ pipelineJob('test-configure-job') { }}
           {{    configure { node -> }}
           {{        node.append(test('Testing...')) }}
           {{     } }}
           {{ } }}
           {{ ''', }}
           {{         ) }}
           {{     } }}
           {{ } }}

          When this script is run in a sandbox, with "Enable script security for Job DSL scripts" checked, it fails with the following:

          {{Processing provided DSL script}}
           {{ java.lang.SecurityException: Rejecting unsandboxed method call: javaposse.jobdsl.dsl.jobs.WorkflowJob.invokeMethod(java.lang.String, [Ljava.lang.Object;)}}
           {{    at org.kohsuke.groovy.sandbox.impl.RejectEverythingInterceptor.onMethodCall(RejectEverythingInterceptor.java:44)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:161)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:165)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source)}}
           {{    at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)}}
           \{{ at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)}}
           \{{ at script$_run_closure1$_closure2.doCall(script:3)}}
           \{{ This does not happen with script-security plugin version 1.74.}}
          The upgrade of the the script-security plugin from 1.74 to 1.75 broke the behavior of existing Job Dsl jobs. This occurs when the Job Dsl is run in a sandbox and uses a "configure {" block.

          The following example pipelineJob script recreates the problem:

          node('master') {
              stage('jobDsl configure test') {
                  jobDsl(
                     sandbox: true,
                     scriptText: '''
          pipelineJob('test-configure-job')
              configure { node ->
                  node.append(test('Testing...'))
              }
          }
          ''',
                  )
              }
          }

          When this script is run in a sandbox, with "Enable script security for Job DSL scripts" checked, it fails with the following:

          {{Processing provided DSL script}}
           {{ java.lang.SecurityException: Rejecting unsandboxed method call: javaposse.jobdsl.dsl.jobs.WorkflowJob.invokeMethod(java.lang.String, [Ljava.lang.Object;)}}
           {{    at org.kohsuke.groovy.sandbox.impl.RejectEverythingInterceptor.onMethodCall(RejectEverythingInterceptor.java:44)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:161)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:165)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source)}}
           {{    at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)}}
           \{{ at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)}}
           \{{ at script$_run_closure1$_closure2.doCall(script:3)}}
           \{{ This does not happen with script-security plugin version 1.74.}}
          olindaspider Patrick McNerthney made changes -
          Description The upgrade of the the script-security plugin from 1.74 to 1.75 broke the behavior of existing Job Dsl jobs. This occurs when the Job Dsl is run in a sandbox and uses a "configure {" block.

          The following example pipelineJob script recreates the problem:

          node('master') {
              stage('jobDsl configure test') {
                  jobDsl(
                     sandbox: true,
                     scriptText: '''
          pipelineJob('test-configure-job')
              configure { node ->
                  node.append(test('Testing...'))
              }
          }
          ''',
                  )
              }
          }

          When this script is run in a sandbox, with "Enable script security for Job DSL scripts" checked, it fails with the following:

          {{Processing provided DSL script}}
           {{ java.lang.SecurityException: Rejecting unsandboxed method call: javaposse.jobdsl.dsl.jobs.WorkflowJob.invokeMethod(java.lang.String, [Ljava.lang.Object;)}}
           {{    at org.kohsuke.groovy.sandbox.impl.RejectEverythingInterceptor.onMethodCall(RejectEverythingInterceptor.java:44)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:161)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:165)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)}}
           {{    at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source)}}
           {{    at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)}}
           \{{ at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)}}
           \{{ at script$_run_closure1$_closure2.doCall(script:3)}}
           \{{ This does not happen with script-security plugin version 1.74.}}
          The upgrade of the the script-security plugin from 1.74 to 1.75 broke the behavior of existing Job Dsl jobs. This occurs when the Job Dsl is run in a sandbox and uses a "configure {" block.

          The following example pipelineJob script recreates the problem:
          {code}
          node('master') {
              stage('jobDsl configure test') {
                  jobDsl(
                     sandbox: true,
                     scriptText: '''
          pipelineJob('test-configure-job')
              configure { node ->
                  node.append(test('Testing...'))
              }
          }
          ''',
                  )
              }
          }
          {code}
          When this script is run in a sandbox, with "Enable script security for Job DSL scripts" checked, it fails with the following:

           
          {noformat}
           Processing provided DSL script
           java.lang.SecurityException: Rejecting unsandboxed method call: javaposse.jobdsl.dsl.jobs.WorkflowJob.invokeMethod(java.lang.String, [Ljava.lang.Object;)
            at org.kohsuke.groovy.sandbox.impl.RejectEverythingInterceptor.onMethodCall(RejectEverythingInterceptor.java:44)
            at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:161)
            at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:165)
            at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)
            at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)
            at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source)
            at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
            at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
            at script$_run_closure1$_closure2.doCall(script:3)
            at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
            at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
            at java.base/java.lang.reflect.Method.invoke(Method.java:566){noformat}
          This does not happen with script-security plugin version 1.74.
          olindaspider Patrick McNerthney made changes -
          Description The upgrade of the the script-security plugin from 1.74 to 1.75 broke the behavior of existing Job Dsl jobs. This occurs when the Job Dsl is run in a sandbox and uses a "configure {" block.

          The following example pipelineJob script recreates the problem:
          {code}
          node('master') {
              stage('jobDsl configure test') {
                  jobDsl(
                     sandbox: true,
                     scriptText: '''
          pipelineJob('test-configure-job')
              configure { node ->
                  node.append(test('Testing...'))
              }
          }
          ''',
                  )
              }
          }
          {code}
          When this script is run in a sandbox, with "Enable script security for Job DSL scripts" checked, it fails with the following:

           
          {noformat}
           Processing provided DSL script
           java.lang.SecurityException: Rejecting unsandboxed method call: javaposse.jobdsl.dsl.jobs.WorkflowJob.invokeMethod(java.lang.String, [Ljava.lang.Object;)
            at org.kohsuke.groovy.sandbox.impl.RejectEverythingInterceptor.onMethodCall(RejectEverythingInterceptor.java:44)
            at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:161)
            at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:165)
            at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)
            at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)
            at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source)
            at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
            at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
            at script$_run_closure1$_closure2.doCall(script:3)
            at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
            at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
            at java.base/java.lang.reflect.Method.invoke(Method.java:566){noformat}
          This does not happen with script-security plugin version 1.74.
          olindaspider Patrick McNerthney made changes -
          Description
          olindaspider Patrick McNerthney made changes -
          Description
          jglick Jesse Glick made changes -
          Labels regression
          jglick Jesse Glick made changes -
          Link This issue is caused by SECURITY-2020 [ SECURITY-2020 ]
          jglick Jesse Glick made changes -
          Component/s script-security-plugin [ 18520 ]

            People

            Assignee:
            daspilker Daniel Spilker
            Reporter:
            olindaspider Patrick McNerthney
            Votes:
            24
            Watchers:
            32
