Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-70108

Scripts not permitted to use new java.util.Properties

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Blocker Blocker
    • workflow-cps-plugin
    • None
    • Jenkins 2.361.4
      script-security : 1218.v39ca_7f7ed0a_c
      workflow-cps:3536.vb_8a_6628079d5
    • workflow-cps 3581.v2b_e4c99c76ed

      After migrate from :

      script-security : 1183.v774b_0b_0a_a_451
workflow-cps : 2801.vf82a_b_b_e3e8a_5

      to :

      script-security : 1218.v39ca_7f7ed0a_c
workflow-cps : 3536.vb_8a_6628079d5

      Our shared library throw the exception : Scripts not permitted to use new java.util.Properties. Administrators can decide whether to approve or reject this signature.

      The library use the readProperties Pipeline Utility Steps and is globally configured in Jenkins in the "Global Pipeline Libraries" section so it might be trusted, meaning they run without “sandbox” restrictions

        1. image-2022-12-12-11-33-34-349.png
          image-2022-12-12-11-33-34-349.png
          19 kB
        2. image-2022-12-12-11-34-58-556.png
          image-2022-12-12-11-34-58-556.png
          44 kB

          [JENKINS-70108] Scripts not permitted to use new java.util.Properties

          Björn Pedersen added a comment -

          Did you check

          https://github.com/jenkinsci/script-security-plugin/releases/tag/1218.v39ca_7f7ed0a_c 

          if the problem mentioned there applies to you?

          Björn Pedersen added a comment - Did you check https://github.com/jenkinsci/script-security-plugin/releases/tag/1218.v39ca_7f7ed0a_c   if the problem mentioned there applies to you?

          Cyril Pottiers added a comment -

          Hi pedersen,

          I don't understand how it can applies to Global Pipeline Libraries which run without sandbox restrictions 🤷‍♂️

          Cyril Pottiers added a comment - Hi pedersen , I don't understand how it can applies to Global Pipeline Libraries which run without sandbox restrictions 🤷‍♂️

          Devin Nusbaum added a comment -

          cpottiers I was not able to reproduce this with a simple global library that calls new java.util.Properties(). Can you provide full reproduction steps?

          Devin Nusbaum added a comment - cpottiers I was not able to reproduce this with a simple global library that calls new java.util.Properties() . Can you provide full reproduction steps?

          Cyril Pottiers added a comment - - edited

          Hi dnusbaum,

          1. create a git project my-lib which contains : 
            // file vars/myPipeline.groovy
#!/usr/bin/env groovy
def call() {
    pipeline {
        agent {
            label 'forge-agent'
        }
        stages {
            stage('My Stage') {
                steps {
                    script {
                        Properties props = readProperties(file: 'myFile.properties')
                        props.keys().each { k ->
                            println("key=${k} value=${props.get(k)}")
                        }
                    }
                }
            }
        }
    }
}
          2. import this project in the Jenkins Global configuration :
          3. create an other git project my-test which contains : 
            // file myFile.properties
db.url=localhost
db.user=mkyong
db.password=password 
            // file Jenkinsfile
@Library('test-pipeline') _
myPipeline()
          4. create a new Jenkins Pipeline Job which is configured has :

          The build is on error with :

          [Pipeline] End of Pipeline
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use new java.util.Properties
	at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectNew(StaticWhitelist.java:238)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onNewInstance(SandboxInterceptor.java:179)
	at org.kohsuke.groovy.sandbox.impl.Checker$18.call(Checker.java:934)
	at org.kohsuke.groovy.sandbox.impl.Checker.preCheckedCast(Checker.java:939)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCast(Checker.java:838)
	at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.cast(SandboxInvoker.java:58)
	at myPipeline.call(myPipeline.groovy:12)
	at ___cps.transform___(Native Method)
	at com.cloudbees.groovy.cps.impl.CastBlock$ContinuationImpl.cast(CastBlock.java:45)

          Cyril Pottiers added a comment - - edited Hi dnusbaum , create a git project my-lib which contains : // file vars/myPipeline.groovy #!/usr/bin/env groovy def call() {     pipeline {         agent {             label 'forge-agent'         }         stages {             stage( 'My Stage' ) {                 steps {                     script {                         Properties props = readProperties(file: 'myFile.properties' )                         props.keys().each { k ->                             println( "key=${k} value=${props.get(k)}" )                         }                     }                 }             }         }     } } import this project in the Jenkins Global configuration : create an other git project my-test which contains : // file myFile.properties db.url=localhost db.user=mkyong db.password=password // file Jenkinsfile @Library( 'test-pipeline' ) _ myPipeline() create a new Jenkins Pipeline Job which is configured has : The build is on error with : [Pipeline] End of Pipeline org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use new java.util.Properties at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectNew(StaticWhitelist.java:238) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onNewInstance(SandboxInterceptor.java:179) at org.kohsuke.groovy.sandbox.impl.Checker$18.call(Checker.java:934) at org.kohsuke.groovy.sandbox.impl.Checker.preCheckedCast(Checker.java:939) at org.kohsuke.groovy.sandbox.impl.Checker.checkedCast(Checker.java:838) at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.cast(SandboxInvoker.java:58) at myPipeline.call(myPipeline.groovy:12) at ___cps.transform___(Native Method) at com.cloudbees.groovy.cps.impl.CastBlock$ContinuationImpl.cast(CastBlock.java:45)

          Devin Nusbaum added a comment -

          cpottiers Thanks for the reproduction steps. The issue is somewhat obscure. I filed a PR that should fix it, see https://github.com/jenkinsci/workflow-cps-plugin/pull/640. In the meantime, you may be able work around the issue by replacing Properties props = readProperties(file: 'myFile.properties') with Map props = readProperties(file: 'myFile.properties'). Your original code causes a cast from Map to Properties which triggers the bug.

          Devin Nusbaum added a comment - cpottiers Thanks for the reproduction steps. The issue is somewhat obscure. I filed a PR that should fix it, see https://github.com/jenkinsci/workflow-cps-plugin/pull/640 . In the meantime, you may be able work around the issue by replacing Properties props = readProperties(file: 'myFile.properties') with Map props = readProperties(file: 'myFile.properties') . Your original code causes a cast from Map to Properties which triggers the bug.

          Devin Nusbaum added a comment -

          A fixed was released in Pipeline: Groovy plugin version 3581.v2b_e4c99c76ed.

          Devin Nusbaum added a comment - A fixed was released in Pipeline: Groovy plugin version 3581.v2b_e4c99c76ed .

            dnusbaum Devin Nusbaum
            cpottiers Cyril Pottiers
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: