Bug
Resolution: Unresolved
Major
None
CloudBees CI Managed Controller 2.375.3.4-rolling
workflow-cps-plugin 3606.v0b_d8b_e512dcf
script-security-plugin 1229.v4880b_b_e905a_6
When using a method reference as the value in a parallel step's map, I get a SecurityException.
Repro case:
A pipeline job with sandbox enabled and this script
```groovy
def a() {
    println 'hello world'
}

(this.&a)() // this is fine
parallel(['a': { -> this.a() }]) // this is also fine
parallel(['a': this.&a]) // throws SecurityException
```
Will throw an exception with this stack
```
java.lang.SecurityException: Rejecting unsandboxed method call: WorkflowScript.a()
	at org.kohsuke.groovy.sandbox.impl.RejectEverythingInterceptor.onMethodCall(RejectEverythingInterceptor.java:44)
	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:178)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:182)
	at org.kohsuke.groovy.sandbox.impl.SandboxedMethodClosure.doCall(SandboxedMethodClosure.java:26)
	at org.kohsuke.groovy.sandbox.impl.SandboxedMethodClosure.doCall(SandboxedMethodClosure.java:34)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:98)
	at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325)
	at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1225)
	at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1034)
	at groovy.lang.Closure.call(Closure.java:420)
	at groovy.lang.Closure.call(Closure.java:414)
	at org.jenkinsci.plugins.workflow.cps.CpsBodyExecution.launch(CpsBodyExecution.java:134)
	at org.jenkinsci.plugins.workflow.cps.CpsBodyInvoker.launch(CpsBodyInvoker.java:188)
	at org.jenkinsci.plugins.workflow.cps.DSL$ThreadTaskImpl.lambda$invokeBodiesAndSwitchToAsyncMode$0(DSL.java:784)
	at org.jenkinsci.plugins.workflow.cps.CpsStepContext.withBodyInvokers(CpsStepContext.java:534)
	at org.jenkinsci.plugins.workflow.cps.DSL$ThreadTaskImpl.invokeBodiesAndSwitchToAsyncMode(DSL.java:774)
	at org.jenkinsci.plugins.workflow.cps.DSL$ThreadTaskImpl.eval(DSL.java:739)
	at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:198)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:420)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:330)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:294)
	at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:67)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:139)
	at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:30)
	at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:70)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)
```
This same job will work correctly without the sandbox.
This works correctly, even with the sandbox, on our previous Jenkins:
Jenkins 2.121.2
workflow-cps-plugin 2.61
script-security-plugin 1.49
(yes it's been a hot minute since the last upgrade)
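
An added example, not part of the original report or of any Jenkins plugin: a small Python check that scans Pipeline script text for `parallel([...])` map literals whose branch values are method pointers (`this.&a`), the form that is rejected under the sandbox in this report, so they can be rewritten in the closure form `{ -> this.a() }` that the report shows working. The function names and sample input are constructed for illustration; only literal maps passed directly to `parallel` are detected.

```python
import re

# A map entry whose value is a Groovy method pointer, e.g.  'a': this.&a
ENTRY = re.compile(r"""(['"]?)([\w-]+)\1\s*:\s*([\w.]+)\.&(\w+)""")
# parallel([ ... ])  or  parallel [ ... ]  with a literal map argument
PARALLEL = re.compile(r"\bparallel\s*\(?\s*\[")

# Constructed sample: the repro script from the report.
REPRO = """def a() { println 'hello world' }
(this.&a)() // this is fine
parallel(['a': { -> this.a() }]) // this is also fine
parallel(['a': this.&a]) // throws SecurityException
"""


def _map_literal(src, start):
    """Text of the [...] literal opening at src[start], closure bodies blanked.

    Blanking keeps offsets and newlines, so reported line numbers stay correct.
    Braces or brackets inside string literals are not handled (assumption)."""
    out, brackets, braces = [], 0, 0
    for ch in src[start:]:
        if ch == "{":
            braces += 1
        if braces:
            if ch == "}":
                braces -= 1
            out.append("\n" if ch == "\n" else " ")
            continue
        brackets += (ch == "[") - (ch == "]")
        out.append(ch)
        if brackets == 0:
            break
    return "".join(out)


def find_method_pointer_branches(src):
    """Return [(line, branch, target)] for parallel branches given as method pointers."""
    findings = []
    for m in PARALLEL.finditer(src):
        start = m.end() - 1  # index of the opening "["
        for e in ENTRY.finditer(_map_literal(src, start)):
            line = src.count("\n", 0, start + e.start()) + 1
            findings.append((line, e.group(2), f"{e.group(3)}.&{e.group(4)}"))
    return findings


if __name__ == "__main__":
    for line, branch, target in find_method_pointer_branches(REPRO):
        print(f"line {line}: branch '{branch}' is {target}; wrap it in a closure")
```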