Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-65378

Script Security Plugin v1.76 prevents saving of job configs

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Open (View Workflow)
    • Priority: Critical
    • Resolution: Unresolved
    • Component/s: tfs-plugin
    • Labels:
      None
    • Environment:
      Jenkins 2.277.2 on CentOS Linux release 7.7.1908
    • Similar Issues:

      Description

      When trying to save a job configuration we get an error message and find that the configuration was not updated. In the logs the following is printed:

      2021-04-14 16:01:10.860+0000 [id=292]   WARNING h.i.i.InstallUncaughtExceptionHandler#handleException: Caught unhandled exception with ID cc6c2a2f-2d73-4468-97fd-c5f8c688486a
      java.lang.IllegalArgumentException: Unable to convert to class hudson.plugins.parameterizedtrigger.BlockingBehaviour
              at org.kohsuke.stapler.RequestImpl$TypePair.convertJSON(RequestImpl.java:753)
              at org.kohsuke.stapler.RequestImpl.bindJSON(RequestImpl.java:490)
              at org.kohsuke.stapler.RequestImpl.instantiate(RequestImpl.java:799)
      Caused: java.lang.IllegalArgumentException: Failed to convert the block parameter of the constructor public hudson.plugins.parameterizedtrigger.BlockableBuildTriggerConfig(java.lang.String,hudson.plugins.parameterizedtrigger.BlockingBehaviour,java.util.List,java.util.List)
              at org.kohsuke.stapler.RequestImpl.instantiate(RequestImpl.java:801)
              at org.kohsuke.stapler.RequestImpl.access$200(RequestImpl.java:85)
              at org.kohsuke.stapler.RequestImpl$TypePair.convertJSON(RequestImpl.java:690)
      Caused: java.lang.IllegalArgumentException: Failed to instantiate class hudson.plugins.parameterizedtrigger.BlockableBuildTriggerConfig from {"projects":"PackageOnPremiseServer","block":true,"buildStepFailureThreshold":"FAILURE","failureThreshold":"FAILURE","unstableThreshold":"UNSTABLE","configs":{"properties":"Version=${build.version}\nbranch=${svn.base}\nBUILD_NUMBER=${BUILD_NUMBER}\nbuildType=onpremise\nserverTomcatVersion=${Tomcat_server}\nrdsTomcatVersion=${Tomcat_RDS}","textParamValueOnNewLine":false,"stapler-class":"hudson.plugins.parameterizedtrigger.PredefinedBuildParameters","$class":"hudson.plugins.parameterizedtrigger.PredefinedBuildParameters"}}
              at org.kohsuke.stapler.RequestImpl$TypePair.convertJSON(RequestImpl.java:693)
              at org.kohsuke.stapler.RequestImpl.bindJSON(RequestImpl.java:490)
              at org.kohsuke.stapler.RequestImpl.bindJSON(RequestImpl.java:486)
              at hudson.model.Descriptor.newInstance(Descriptor.java:598)
      Caused: java.lang.Error: Failed to instantiate class hudson.plugins.parameterizedtrigger.BlockableBuildTriggerConfig from {"projects":"PackageOnPremiseServer","block":true,"buildStepFailureThreshold":"FAILURE","failureThreshold":"FAILURE","unstableThreshold":"UNSTABLE","configs":{"properties":"Version=${build.version}\nbranch=${svn.base}\nBUILD_NUMBER=${BUILD_NUMBER}\nbuildType=onpremise\nserverTomcatVersion=${Tomcat_server}\nrdsTomcatVersion=${Tomcat_RDS}","textParamValueOnNewLine":false,"stapler-class":"hudson.plugins.parameterizedtrigger.PredefinedBuildParameters","$class":"hudson.plugins.parameterizedtrigger.PredefinedBuildParameters"}}
              at hudson.model.Descriptor.newInstance(Descriptor.java:606)
              at hudson.model.Descriptor$NewInstanceBindInterceptor.onConvert(Descriptor.java:675)
              at org.kohsuke.stapler.RequestImpl$TypePair.convertJSON(RequestImpl.java:633)
              at org.kohsuke.stapler.RequestImpl$TypePair.convertJSON(RequestImpl.java:729)
              at org.kohsuke.stapler.RequestImpl.bindJSON(RequestImpl.java:490)
              at org.kohsuke.stapler.RequestImpl.instantiate(RequestImpl.java:799)
              at org.kohsuke.stapler.RequestImpl.access$200(RequestImpl.java:85)
              at org.kohsuke.stapler.RequestImpl$TypePair.convertJSON(RequestImpl.java:690)
              at org.kohsuke.stapler.RequestImpl.bindJSON(RequestImpl.java:490)
              at org.kohsuke.stapler.RequestImpl.bindJSON(RequestImpl.java:486)
              at hudson.model.Descriptor.newInstance(Descriptor.java:598)
              at hudson.model.Descriptor.newInstancesFromHeteroList(Descriptor.java:1075)
              at hudson.model.Descriptor.newInstancesFromHeteroList(Descriptor.java:1037)
              at hudson.util.DescribableList.rebuildHetero(DescribableList.java:208)
              at hudson.model.Project.submit(Project.java:230)
              at hudson.model.Job.doConfigSubmit(Job.java:1335)
              at hudson.model.AbstractProject.doConfigSubmit(AbstractProject.java:768)
              at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
              at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:396)
              at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:408)
              at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:212)
              at org.kohsuke.stapler.SelectionInterceptedFunction$Adapter.invoke(SelectionInterceptedFunction.java:36)
              at org.kohsuke.stapler.verb.HttpVerbInterceptor.invoke(HttpVerbInterceptor.java:48)
              at org.kohsuke.stapler.SelectionInterceptedFunction.bindAndInvoke(SelectionInterceptedFunction.java:26)
              at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:145)
              at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:536)
              at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
              at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:766)
      Caused: javax.servlet.ServletException
              at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:816)
              at org.kohsuke.stapler.Stapler.invoke(Stapler.java:898)
              at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:281)
              at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
              at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:766)
              at org.kohsuke.stapler.Stapler.invoke(Stapler.java:898)
              at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:281)
              at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
              at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:766)
              at org.kohsuke.stapler.Stapler.invoke(Stapler.java:898)
              at org.kohsuke.stapler.Stapler.invoke(Stapler.java:694)
              at org.kohsuke.stapler.Stapler.service(Stapler.java:240)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
              at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:791)
              at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1626)
              at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
              at jenkins.security.ResourceDomainFilter.doFilter(ResourceDomainFilter.java:76)
              at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
              at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:129)
              at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
              at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
              at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
              at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:239)
              at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:215)
              at net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:88)
              at org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:121)
              at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
              at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
              at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
              at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
              at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:153)
              at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
              at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:92)
              at jenkins.security.AcegiSecurityExceptionFilter.doFilter(AcegiSecurityExceptionFilter.java:52)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
              at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
              at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119)
              at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
              at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:105)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
              at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:101)
              at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:92)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
              at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:218)
              at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
              at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
              at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:110)
              at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
              at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:62)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
              at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:109)
              at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:168)
              at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
              at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
              at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:51)
              at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
              at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
              at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
              at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
              at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
              at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
              at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
              at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
              at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:36)
              at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
              at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
              at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
              at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
              at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:578)
              at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
              at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
              at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
              at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
              at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1435)
              at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
              at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
              at org.eclipse.jetty.server.Server.handle(Server.java:516)
              at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388)
              at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)
              at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)
              at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:279)
              at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
              at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
              at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
              at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
              at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
              at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
              at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
              at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:383)
              at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:882)
              at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1036)
              at java.lang.Thread.run(Thread.java:748)
      
      

      This appeared to point to the parameterized-trigger-plugin, hence disabled it and tried again. The job config still did not save, but generated this:

      2021-04-14 17:31:50.197+0000 [id=290]   WARNING h.i.i.InstallUncaughtExceptionHandler#handleException: Caught unhandled exception with ID bdb42997-8101-4f42-a377-79f8cbbd4312
      java.lang.IllegalArgumentException: Unable to convert to class org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript
              at org.kohsuke.stapler.RequestImpl$TypePair.convertJSON(RequestImpl.java:753)
              at org.kohsuke.stapler.RequestImpl.bindJSON(RequestImpl.java:490)
              at org.kohsuke.stapler.RequestImpl.instantiate(RequestImpl.java:799)
      Caused: java.lang.IllegalArgumentException: Failed to convert the script parameter of the constructor public org.jvnet.hudson.plugins.groovypostbuild.GroovyPostbuildRecorder(org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript,int,boolean)
              at org.kohsuke.stapler.RequestImpl.instantiate(RequestImpl.java:801)
              at org.kohsuke.stapler.RequestImpl.access$200(RequestImpl.java:85)
              at org.kohsuke.stapler.RequestImpl$TypePair.convertJSON(RequestImpl.java:690)
      Caused: java.lang.IllegalArgumentException: Failed to instantiate class org.jvnet.hudson.plugins.groovypostbuild.GroovyPostbuildRecorder from {"script":"String method = manager.envVars['method']\nString BUILD_USER= manager.envVars['BUILD_USER']\n\ndef text ='Checking ' + method + ' On all QA instances, Ran by: ' + BUILD_USER\nmanager.addShortText(text)","sandbox":false,"behavior":"0","stapler-class":"org.jvnet.hudson.plugins.groovypostbuild.GroovyPostbuildRecorder","$class":"org.jvnet.hudson.plugins.groovypostbuild.GroovyPostbuildRecorder"}
              at org.kohsuke.stapler.RequestImpl$TypePair.convertJSON(RequestImpl.java:693)
              at org.kohsuke.stapler.RequestImpl.bindJSON(RequestImpl.java:490)
              at org.kohsuke.stapler.RequestImpl.bindJSON(RequestImpl.java:486)
              at hudson.model.Descriptor.newInstance(Descriptor.java:598)
      Caused: java.lang.Error: Failed to instantiate class org.jvnet.hudson.plugins.groovypostbuild.GroovyPostbuildRecorder from {"script":"String method = manager.envVars['method']\nString BUILD_USER= manager.envVars['BUILD_USER']\n\ndef text ='Checking ' + method + ' On all QA instances, Ran by: ' + BUILD_USER\nmanager.addShortText(text)","sandbox":false,"behavior":"0","stapler-class":"org.jvnet.hudson.plugins.groovypostbuild.GroovyPostbuildRecorder","$class":"org.jvnet.hudson.plugins.groovypostbuild.GroovyPostbuildRecorder"}
              at hudson.model.Descriptor.newInstance(Descriptor.java:606)
              at hudson.model.Descriptor.newInstancesFromHeteroList(Descriptor.java:1075)
              at hudson.model.Descriptor.newInstancesFromHeteroList(Descriptor.java:1037)
              at hudson.util.DescribableList.rebuildHetero(DescribableList.java:208)
              at hudson.model.Project.submit(Project.java:231)
              at hudson.model.Job.doConfigSubmit(Job.java:1335)
              at hudson.model.AbstractProject.doConfigSubmit(AbstractProject.java:768)
              at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
              at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:396)
              at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:408)
              at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:212)
              at org.kohsuke.stapler.SelectionInterceptedFunction$Adapter.invoke(SelectionInterceptedFunction.java:36)
              at org.kohsuke.stapler.verb.HttpVerbInterceptor.invoke(HttpVerbInterceptor.java:48)
              at org.kohsuke.stapler.SelectionInterceptedFunction.bindAndInvoke(SelectionInterceptedFunction.java:26)
              at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:145)
              at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:536)
              at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
              at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:766)
      Caused: javax.servlet.ServletException
              at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:816)
              at org.kohsuke.stapler.Stapler.invoke(Stapler.java:898)
              at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:281)
              at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
              at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:766)
              at org.kohsuke.stapler.Stapler.invoke(Stapler.java:898)
              at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:281)
              at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
              at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:766)
              at org.kohsuke.stapler.Stapler.invoke(Stapler.java:898)
              at org.kohsuke.stapler.Stapler.invoke(Stapler.java:694)
              at org.kohsuke.stapler.Stapler.service(Stapler.java:240)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
              at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:791)
              at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1626)
              at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
              at jenkins.security.ResourceDomainFilter.doFilter(ResourceDomainFilter.java:76)
              at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
              at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:129)
              at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
              at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
              at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
              at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:239)
              at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:215)
              at net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:88)
              at org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:121)
              at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
              at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
              at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
              at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
              at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:153)
              at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
              at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:92)
              at jenkins.security.AcegiSecurityExceptionFilter.doFilter(AcegiSecurityExceptionFilter.java:52)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
              at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
              at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119)
              at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
              at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:105)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
              at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:101)
              at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:92)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
              at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:218)
              at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
              at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
              at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:110)
              at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
              at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:62)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
              at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:109)
              at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:168)
              at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
              at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
              at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:51)
              at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
              at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
              at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
              at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
              at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
              at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
              at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
              at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
              at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:36)
              at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
              at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
              at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
              at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
              at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:578)
              at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
              at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
              at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
              at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
              at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1435)
              at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
              at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
              at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
              at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
              at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1350)
              at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
              at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
              at org.eclipse.jetty.server.Server.handle(Server.java:516)
              at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388)
              at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)
              at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)
              at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:279)
              at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
              at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
              at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
              at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
              at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
              at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
              at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
              at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:383)
              at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:882)
              at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1036)
              at java.lang.Thread.run(Thread.java:748)
      
      

      We could not disable the script-security-plugin as there are a lot of other plugins that depend on it, hence downgraded it to 1.75. The job config could now be saved successfully. Once the job config was saved, we could then upgrade the script-security-plugin and still have that particular config saving successfully however other job configs were not saving.

      Further on, we tried by just downgrading the script-security-plugin (without disabling or downgrading the parameterized-trigger-plugin), saving job configs and then upgrading the script-security-plugin all over again. Unfortunately, we find that this process works only for individual job configurations. We keep creating and adding new configurations and it is not possible to follow this process as a regular method.

      FYI - I looked through existing issues with this plugin and found some that reported failing to save job configs but all appeared to be reported against older versions of the plugin.

        Attachments

          Activity

          Hide
          markewaite Mark Waite added a comment - - edited

          Upgrading and downgrading script security plugin will not resolve the issue. You're using plugins that are known to have security issues and known to have issues with configuration form modernization that was introduced in Jenkins 2.277.1. You'll need to remove those plugins.

          Please follow the instructions in the Jenkins 2.277.1 upgrade guide and in the Jenkins 2.277.1 upgrade webinar. The instructions include:

          • Remove plugins with known security issues
          • Remove unused plugins
          • Update to latest available plugin releases
          • Upgrade to Jenkins 2.277.2
          • Update to latest available plugin releases

          Remove plugins with known security issues

          • VS Team Services Continuous Deployment 1.3
          • Amazon SNS Build Notifier 1.13
          • LDAP Email Plugin 0.8
          • Repository Connector 1.3.1 (or update to Repository Connector 2.0.5 to resolve the issues)
          • Shared Objects Plugin 0.44
          • Team Foundation Server Plug-in 5.157.1

          Update to latest plugins

          • JavaScript GUI Lib:Handlebars bundle

          Remove deprecated plugins

          • environment script
          • multi branch project plugin
          • LDAP email
          • shared objects plugin
          • Team Foundation Server plugin (tfs)

          Those steps will likely already be enough to resolve the issue, since the Team Foundation Server plugin is known to have security issues and configuration form modernization issues.

          You should probably also consider

          Remove plugins that depend on ruby runtime (unsupported with Java 11, soon to be deprecated)

          • commit-message-trigger-plugin
          • ruby-runtime
          Show
          markewaite Mark Waite added a comment - - edited Upgrading and downgrading script security plugin will not resolve the issue. You're using plugins that are known to have security issues and known to have issues with configuration form modernization that was introduced in Jenkins 2.277.1. You'll need to remove those plugins. Please follow the instructions in the Jenkins 2.277.1 upgrade guide and in the Jenkins 2.277.1 upgrade webinar . The instructions include: Remove plugins with known security issues Remove unused plugins Update to latest available plugin releases Upgrade to Jenkins 2.277.2 Update to latest available plugin releases Remove plugins with known security issues VS Team Services Continuous Deployment 1.3 Amazon SNS Build Notifier 1.13 LDAP Email Plugin 0.8 Repository Connector 1.3.1 (or update to Repository Connector 2.0.5 to resolve the issues) Shared Objects Plugin 0.44 Team Foundation Server Plug-in 5.157.1 Update to latest plugins JavaScript GUI Lib:Handlebars bundle Remove deprecated plugins environment script multi branch project plugin LDAP email shared objects plugin Team Foundation Server plugin (tfs) Those steps will likely already be enough to resolve the issue, since the Team Foundation Server plugin is known to have security issues and configuration form modernization issues. You should probably also consider Remove plugins that depend on ruby runtime (unsupported with Java 11, soon to be deprecated) commit-message-trigger-plugin ruby-runtime
          Hide
          caseydaniell Casey added a comment -

          We are in the same boat as OP, where it's great that Jenkins community can tritely pass a rule and say, "it's not up to standards, so remove it", but realistily some orgs still need this antiquated software to perform builds. 

          Hopefully, someone can be granted maintainer access and fix the bug. Attaching another ticket with additional details below.

          https://issues.jenkins.io/browse/INFRA-2751

          Show
          caseydaniell Casey added a comment - We are in the same boat as OP, where it's great that Jenkins community can tritely pass a rule and say, "it's not up to standards, so remove it", but realistily some orgs still need this antiquated software to perform builds.  Hopefully, someone can be granted maintainer access and fix the bug. Attaching another ticket with additional details below. https://issues.jenkins.io/browse/INFRA-2751
          Hide
          markewaite Mark Waite added a comment -

          Casey you are welcome to continue using the TFS plugin with Jenkins 2.263.4 and older.

          You (or your company) are welcome to become a maintainer of the TFS plugin and help yourself and other users. If the TFS plugin is needed for your builds, maybe your company is willing to invest some time and talent to fix the issues in that plugin?

          You can also stay with Jenkins 2.263.4 if the TFS plugin is critical for your use case. By using the TFS plugin, you've accepted that the two known security issues in the TFS plugin are not critical to you. It doesn't seem to be a much larger stretch to accept that the known security issues in Jenkins 2.263.4 are not critical to you either.

          Show
          markewaite Mark Waite added a comment - Casey you are welcome to continue using the TFS plugin with Jenkins 2.263.4 and older. You (or your company) are welcome to become a maintainer of the TFS plugin and help yourself and other users. If the TFS plugin is needed for your builds, maybe your company is willing to invest some time and talent to fix the issues in that plugin? You can also stay with Jenkins 2.263.4 if the TFS plugin is critical for your use case. By using the TFS plugin, you've accepted that the two known security issues in the TFS plugin are not critical to you. It doesn't seem to be a much larger stretch to accept that the known security issues in Jenkins 2.263.4 are not critical to you either.
          Hide
          caseydaniell Casey added a comment -

          No need to be snarky.

          I am very aware of these options, however, we have limited resources and can't contribute to every open source project that we use on a regular basis.  I was pointing out how trite the "just uninstall it" comes across in comments – it's not always a possibility. I would love the have the security benefits of a newer version of Jenkins, but stuck here because the plugin won't support it. Happy to discuss elsewhere and not litter up comments about this. 

          Show
          caseydaniell Casey added a comment - No need to be snarky. I am very aware of these options, however, we have limited resources and can't contribute to every open source project that we use on a regular basis.  I was pointing out how trite the "just uninstall it" comes across in comments – it's not always a possibility. I would love the have the security benefits of a newer version of Jenkins, but stuck here because the plugin won't support it. Happy to discuss elsewhere and not litter up comments about this. 

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            suray Subhasis
            Votes:
            1 Vote for this issue
            Watchers:
            4 Start watching this issue

              Dates

              Created:
              Updated: