Jenkins / JENKINS-64509

Script Security "approved assuming permission check" doesn't allow execution of approved methods

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Critical
    • Component: script-security-plugin
    • Labels: None
    • Environment: Jenkins 2.263.1, Script Security 1.75

      Global security

      Project security on the folder "adder"

      Project security on the pipeline "adder/reader" not configured

      Body of "adder/reader" pipeline

      pipeline {
          agent any
          stages {
              stage('read') {
                  steps {
                      script {
                          // Iterate the items visible to the authentication the script runs under
                          Jenkins.instance.items.each {
                              println(it.name)
                          }
                      }
                  }
              }
          }
      }


      Current list of script approval

      Expectation: "adder-admin" user has all permissions for "adder" folder. "method hudson.model.ItemGroup getItems" is "approved assuming permission check". Therefore, "adder-admin" user running "adder/reader" pipeline should list the names of all the jobs inside "adder" folder.

      Actual: "adder/reader" pipeline fails with the error "Scripts not permitted to use method hudson.model.ItemGroup getItems. Administrators can decide whether to approve or reject this signature."

      Console Output
      11:26:04  Started by user adder-admin
      11:26:04  Running in Durability level: PERFORMANCE_OPTIMIZED
      11:26:04  [Pipeline] Start of Pipeline
      11:26:04  [Pipeline] node
      11:26:04  Running on agent-inbound in /home/robot_acct/agent-inbound/workspace/adder/reader
      11:26:04  [Pipeline] {
      11:26:04  [Pipeline] stage
      11:26:04  [Pipeline] { (destroy)
      11:26:04  [Pipeline] script
      11:26:04  [Pipeline] {
      11:26:04  Scripts not permitted to use method hudson.model.ItemGroup getItems. Administrators can decide whether to approve or reject this signature.
      11:26:04  [Pipeline] }
      11:26:04  [Pipeline] // script
      11:26:04  [Pipeline] }
      11:26:04  [Pipeline] // stage
      11:26:05  [Pipeline] }
      11:26:05  [Pipeline] // node
      11:26:05  [Pipeline] End of Pipeline
      11:26:05  org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method hudson.model.ItemGroup getItems
      11:26:05  	at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:265)
      11:26:05  	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor$6.reject(SandboxInterceptor.java:289)
      11:26:05  	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:409)
      11:26:05  	at org.kohsuke.groovy.sandbox.impl.Checker$7.call(Checker.java:353)
      11:26:05  	at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:357)
      11:26:05  	at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.getProperty(SandboxInvoker.java:29)
      11:26:05  	at com.cloudbees.groovy.cps.impl.PropertyAccessBlock.rawGet(PropertyAccessBlock.java:20)
      11:26:05  	at WorkflowScript.run(WorkflowScript:7)
      11:26:05  	at ___cps.transform___(Native Method)
      11:26:05  	at com.cloudbees.groovy.cps.impl.PropertyishBlock$ContinuationImpl.get(PropertyishBlock.java:74)
      11:26:05  	at com.cloudbees.groovy.cps.LValueBlock$GetAdapter.receive(LValueBlock.java:30)
      11:26:05  	at com.cloudbees.groovy.cps.impl.PropertyishBlock$ContinuationImpl.fixName(PropertyishBlock.java:66)
      11:26:05  	at sun.reflect.GeneratedMethodAccessor500.invoke(Unknown Source)
      11:26:05  	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      11:26:05  	at java.lang.reflect.Method.invoke(Method.java:498)
      11:26:05  	at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
      11:26:05  	at com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21)
      11:26:05  	at com.cloudbees.groovy.cps.Next.step(Next.java:83)
      11:26:05  	at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:174)
      11:26:05  	at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:163)
      11:26:05  	at org.codehaus.groovy.runtime.GroovyCategorySupport$ThreadCategoryInfo.use(GroovyCategorySupport.java:129)
      11:26:05  	at org.codehaus.groovy.runtime.GroovyCategorySupport.use(GroovyCategorySupport.java:268)
      11:26:05  	at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:163)
      11:26:05  	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:18)
      11:26:05  	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:51)
      11:26:05  	at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:185)
      11:26:05  	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:400)
      11:26:05  	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$400(CpsThreadGroup.java:96)
      11:26:05  	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:312)
      11:26:05  	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:276)
      11:26:05  	at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:67)
      11:26:05  	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      11:26:05  	at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:136)
      11:26:05  	at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
      11:26:05  	at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:59)
      11:26:05  	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
      11:26:05  	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      11:26:05  	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
      11:26:05  	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
      11:26:05  	at java.lang.Thread.run(Thread.java:748)
      11:26:05  Finished: FAILURE

      The only workaround is to approve the method globally, which is insecure.

      "method hudson.model.ItemGroup getItems" is the method specifically used in the documentation (https://plugins.jenkins.io/script-security/) to demonstrate how "approve assuming permission check" works:

      An administrator may instead click Approve assuming permission check for getItems; this will permit the call when run as an actual user (if the integrating plugin ever does so), while forbidding it when run as the system user (which is more typical). In this case, getItems is actually implemented to return only those jobs which the current user has access to, so if run in the former case (as a specific user), the description will show just those jobs they could see anyway.

      I've also tried running on the master which did not make a difference.

            Assignee: Unassigned
            Reporter: Calvin Park (calvinpark)
            Votes: 0
            Watchers: 1
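The rule quoted from the Script Security documentation above (permit the call when the script runs as an actual user, forbid it when it runs as the system user) can be modelled concretely. The following is an added example written for this page; it is not code from the Script Security plugin or from the reporter. The class and function names (ScriptApproval, is_permitted, ItemGroup, run_reader_pipeline), the SYSTEM stand-in, the user names and the folder contents are all constructed for the illustration. It shows the same "approved assuming permission check" signature being rejected under the SYSTEM authentication with the exact message from the console output, accepted for a real user (who then sees only the jobs that user can read, as the documentation says getItems does), and the unconditional approval the report describes as the insecure workaround, under which SYSTEM sees everything.

```python
# Model of how Script Security treats a signature approved "assuming
# permission check". Constructed illustration for this page, not the
# plugin's own code; every name and data value below is an assumption.
from dataclasses import dataclass, field

# Stand-in for hudson.security.ACL.SYSTEM, the authentication a build's
# Groovy runs under unless something switches it to a real user.
SYSTEM = "SYSTEM"

# The signature from the report, in Script Security's own spelling.
GET_ITEMS = "method hudson.model.ItemGroup getItems"


class RejectedAccessException(Exception):
    """Stands in for org.jenkinsci...sandbox.RejectedAccessException."""


@dataclass
class ScriptApproval:
    # Signatures approved for any caller, SYSTEM included ("Approve").
    approved: set = field(default_factory=set)
    # Signatures trusted only when the method's own ACL checks can act on a
    # real user's identity ("Approve assuming permission check").
    approved_assuming_permission_check: set = field(default_factory=set)

    def approve(self, signature):
        self.approved.add(signature)

    def approve_assuming_permission_check(self, signature):
        self.approved_assuming_permission_check.add(signature)


def is_permitted(approval, signature, authentication):
    """Documented rule: an "assuming permission check" entry counts only
    for a real user; under SYSTEM the signature is treated as unapproved."""
    if signature in approval.approved:
        return True
    return (signature in approval.approved_assuming_permission_check
            and authentication != SYSTEM)


@dataclass(frozen=True)
class Item:
    name: str
    readers: frozenset  # users holding Item/Read on this job (constructed)


class ItemGroup:
    """Folder whose getItems filters by the caller's read permission, the
    behaviour the documentation attributes to hudson.model.ItemGroup."""

    def __init__(self, items):
        self._items = list(items)

    def get_items(self, authentication):
        if authentication == SYSTEM:
            return list(self._items)  # SYSTEM is not subject to ACLs
        return [i for i in self._items if authentication in i.readers]


def run_reader_pipeline(approval, folder, authentication):
    """The `items.each { println(it.name) }` step from the report, with the
    sandbox check applied before the intercepted call, as a list of names."""
    if not is_permitted(approval, GET_ITEMS, authentication):
        raise RejectedAccessException(
            f"Scripts not permitted to use {GET_ITEMS}")
    return [item.name for item in folder.get_items(authentication)]


# Constructed folder "adder": adder-admin reads both jobs, guest only one.
ADDER = ItemGroup([
    Item("reader", frozenset({"adder-admin", "guest"})),
    Item("writer", frozenset({"adder-admin"})),
])


def demo():
    """Run the pipeline under three authentications, then with the
    unconditional approval the report calls the insecure workaround."""
    approval = ScriptApproval()
    approval.approve_assuming_permission_check(GET_ITEMS)
    results = {}
    for auth in (SYSTEM, "adder-admin", "guest"):
        try:
            results[auth] = run_reader_pipeline(approval, ADDER, auth)
        except RejectedAccessException as exc:
            results[auth] = str(exc)
    approval.approve(GET_ITEMS)  # global approval: SYSTEM now passes
    results["SYSTEM after global approval"] = run_reader_pipeline(
        approval, ADDER, SYSTEM)
    return results


if __name__ == "__main__":
    for auth, outcome in demo().items():
        print(f"{auth}: {outcome}")
```

Which branch a real build lands in depends on the authentication its Groovy runs under, not on the user who pressed Build: by default that authentication is SYSTEM for every build, and only a QueueItemAuthenticator (for example the Authorize Project plugin) changes it to a specific user. Checking that configuration is the first thing to verify when an "approved assuming permission check" signature is still rejected.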