- Type: Bug
- Resolution: Unresolved
- Priority: Critical
- Component/s: script-security-plugin
- Environment: Jenkins 2.263.1, Script Security 1.75
Global security

Project security on the folder "adder"

Project security on the pipeline "adder/reader" not configured
Body of "adder/reader" pipeline
pipeline {
    agent any
    stages {
        stage('read') {
            steps {
                script {
                    Jenkins.instance.items.each {
                        println(it.name)
                    }
                }
            }
        }
    }
}
Current list of script approval

Expectation: the "adder-admin" user has all permissions for the "adder" folder. "method hudson.model.ItemGroup getItems" is "approved assuming permission check". Therefore, the "adder-admin" user running the "adder/reader" pipeline should list the names of all the jobs inside the "adder" folder.
Actual: "adder/reader" pipeline fails with the error "Scripts not permitted to use method hudson.model.ItemGroup getItems. Administrators can decide whether to approve or reject this signature."
Console Output
11:26:04 Started by user adder-admin
11:26:04 Running in Durability level: PERFORMANCE_OPTIMIZED
11:26:04 [Pipeline] Start of Pipeline
11:26:04 [Pipeline] node
11:26:04 Running on agent-inbound in /home/robot_acct/agent-inbound/workspace/adder/reader
11:26:04 [Pipeline] {
11:26:04 [Pipeline] stage
11:26:04 [Pipeline] { (destroy)
11:26:04 [Pipeline] script
11:26:04 [Pipeline] {
11:26:04 Scripts not permitted to use method hudson.model.ItemGroup getItems. Administrators can decide whether to approve or reject this signature.
11:26:04 [Pipeline] }
11:26:04 [Pipeline] // script
11:26:04 [Pipeline] }
11:26:04 [Pipeline] // stage
11:26:05 [Pipeline] }
11:26:05 [Pipeline] // node
11:26:05 [Pipeline] End of Pipeline
11:26:05 org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method hudson.model.ItemGroup getItems
11:26:05 at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:265)
11:26:05 at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor$6.reject(SandboxInterceptor.java:289)
11:26:05 at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:409)
11:26:05 at org.kohsuke.groovy.sandbox.impl.Checker$7.call(Checker.java:353)
11:26:05 at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:357)
11:26:05 at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.getProperty(SandboxInvoker.java:29)
11:26:05 at com.cloudbees.groovy.cps.impl.PropertyAccessBlock.rawGet(PropertyAccessBlock.java:20)
11:26:05 at WorkflowScript.run(WorkflowScript:7)
11:26:05 at ___cps.transform___(Native Method)
11:26:05 at com.cloudbees.groovy.cps.impl.PropertyishBlock$ContinuationImpl.get(PropertyishBlock.java:74)
11:26:05 at com.cloudbees.groovy.cps.LValueBlock$GetAdapter.receive(LValueBlock.java:30)
11:26:05 at com.cloudbees.groovy.cps.impl.PropertyishBlock$ContinuationImpl.fixName(PropertyishBlock.java:66)
11:26:05 at sun.reflect.GeneratedMethodAccessor500.invoke(Unknown Source)
11:26:05 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
11:26:05 at java.lang.reflect.Method.invoke(Method.java:498)
11:26:05 at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
11:26:05 at com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21)
11:26:05 at com.cloudbees.groovy.cps.Next.step(Next.java:83)
11:26:05 at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:174)
11:26:05 at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:163)
11:26:05 at org.codehaus.groovy.runtime.GroovyCategorySupport$ThreadCategoryInfo.use(GroovyCategorySupport.java:129)
11:26:05 at org.codehaus.groovy.runtime.GroovyCategorySupport.use(GroovyCategorySupport.java:268)
11:26:05 at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:163)
11:26:05 at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:18)
11:26:05 at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:51)
11:26:05 at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:185)
11:26:05 at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:400)
11:26:05 at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$400(CpsThreadGroup.java:96)
11:26:05 at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:312)
11:26:05 at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:276)
11:26:05 at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:67)
11:26:05 at java.util.concurrent.FutureTask.run(FutureTask.java:266)
11:26:05 at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:136)
11:26:05 at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
11:26:05 at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:59)
11:26:05 at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
11:26:05 at java.util.concurrent.FutureTask.run(FutureTask.java:266)
11:26:05 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
11:26:05 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
11:26:05 at java.lang.Thread.run(Thread.java:748)
11:26:05 Finished: FAILURE
The only workaround is to approve the method globally, which is insecure.
"method hudson.model.ItemGroup getItems" is the method specifically used in the documentation (https://plugins.jenkins.io/script-security/) to demonstrate how "approve assuming permission check" works:
"An administrator may instead click Approve assuming permission check for getItems; this will permit the call when run as an actual user (if the integrating plugin ever does so), while forbidding it when run as the system user (which is more typical). In this case, getItems is actually implemented to return only those jobs which the current user has access to, so if run in the former case (as a specific user), the description will show just those jobs they could see anyway."
I've also tried running on the master which did not make a difference.
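The decision the sandbox makes for an "approved assuming permission check" signature, as an added example that is not part of the original report or of the script-security plugin's own code. It assumes the on-disk layout of $JENKINS_HOME/scriptApproval.xml (plain approvals under approvedSignatures, ACL-gated approvals under aclApprovedSignatures) and the plugin's rule quoted from the documentation above: an ACL-gated signature is honoured only when the build does not run as the SYSTEM authentication, which is how a Pipeline build runs unless a QueueItemAuthenticator (for example the Authorize Project plugin) makes it run as a user. The sample XML is constructed to mirror the report's approval list.

```python
"""Model of the Script Security sandbox decision for approved signatures.

Added example, not code from the Jenkins issue or the script-security plugin.
Assumptions: the scriptApproval.xml element names below, and the rule that
aclApprovedSignatures are permitted only for a non-SYSTEM authentication.
"""
import xml.etree.ElementTree as ET

SYSTEM = "SYSTEM"  # stands for Jenkins' internal ACL.SYSTEM authentication

# Constructed sample: getName approved globally, getItems approved
# "assuming permission check" (as in the report's approval list).
SAMPLE_SCRIPT_APPROVAL_XML = """
<scriptApproval plugin="script-security@1.75">
  <approvedScriptHashes/>
  <approvedSignatures>
    <string>method hudson.model.Item getName</string>
  </approvedSignatures>
  <aclApprovedSignatures>
    <string>method hudson.model.ItemGroup getItems</string>
  </aclApprovedSignatures>
  <pendingScripts/>
  <pendingSignatures/>
</scriptApproval>
"""


def parse_script_approval(xml_text):
    """Return (approved, acl_approved) sets of signature strings."""
    root = ET.fromstring(xml_text)
    approved = {e.text.strip() for e in root.iterfind("approvedSignatures/string")}
    acl_approved = {e.text.strip() for e in root.iterfind("aclApprovedSignatures/string")}
    return approved, acl_approved


def permits(signature, authentication, approved, acl_approved):
    """Plain approvals always pass. ACL-gated approvals pass only when the
    script runs as a real user; a build running as SYSTEM is rejected, because
    getItems would otherwise return every item regardless of who triggered it."""
    if signature in approved:
        return True
    if signature in acl_approved:
        return authentication != SYSTEM
    return False


def rejection_message(signature):
    """Text the sandbox prints when a signature is not permitted."""
    return ("Scripts not permitted to use %s. Administrators can decide "
            "whether to approve or reject this signature." % signature)


def evaluate(signature, authentication, xml_text=SAMPLE_SCRIPT_APPROVAL_XML):
    """Parse the approval list and decide one call for one authentication."""
    approved, acl_approved = parse_script_approval(xml_text)
    return permits(signature, authentication, approved, acl_approved)


if __name__ == "__main__":
    sig = "method hudson.model.ItemGroup getItems"
    for auth in (SYSTEM, "adder-admin"):
        verdict = evaluate(sig, auth)
        print("build runs as %-12s -> %s"
              % (auth, "permitted" if verdict else rejection_message(sig)))
```

Running it shows the two outcomes side by side: the same getItems signature is rejected for a build running as SYSTEM and permitted for a build running as adder-admin. Checking which authentication a build actually runs under (the Authorize Project configuration on the folder or job) is therefore the first thing to verify before approving a signature globally.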