- Bug
- Resolution: Unresolved
- Major
- None
- Jenkins 2.401.3
* groovy:453.vcdb_a_c5c99890
* permissive-script-security:0.7
Steps:
- Run Jenkins in permissive mode.
- Create a simple job.
- Add Execute system Groovy script step with any Groovy class that creates its instance.
- Add another Execute system Groovy script step running exact same code in a file.
Attached example job and example Groovy file I'm running.
For a quick reference this is the Groovy code:
```groovy
def out = getBinding().out;

class Blog {
    String name
    String subject

    Blog() {}

    Blog(String name, String subject) {
        this.name = name
        this.subject = subject
    }

    def info(def out, String info) {
        out.println([info, this.name, this.subject]);
    }
}

println("Test test.");

def blog = Blog.newInstance()
blog.info(out, "Test empty");

def blog2 = Blog.newInstance(['mrhaki', 'Groovy'] as Object[])
blog2.info(out, "Test via array");

def blog3 = Blog.newInstance([name:'mrhaki', subject: 'Groovy'])
blog3.info(out, "Test with names");
```
Even if creating classes is not supposed to be allowed, the message (in the log) still doesn't make sense to me. Personally, I believe it is wrong to forbid running Groovy from external files, as long as an admin allows it. I can do all kinds of bad stuff through shell anyway.
Log:
```
Running as SYSTEM
Building in workspace /var/www/jenkins-data/workspace/test groovy
Test test.
[Test empty, null, null]
[Test via array, mrhaki, Groovy]
[Test with names, mrhaki, Groovy]
Test test.
[Test empty, null, null]
[Test via array, mrhaki, Groovy]
ERROR: Build step failed with exception
groovy.lang.MissingMethodException: No signature of method: java.lang.Class.newInstance() is applicable for argument types: (java.util.LinkedHashMap) values: [[name:mrhaki, subject:Groovy]]
Possible solutions: newInstance(), newInstance(), newInstance([Ljava.lang.Object;), isInstance(java.lang.Object)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:159)
	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:178)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:182)
	at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:55)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:197)
	at Script1.run(Script1.groovy:27)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runScript(GroovySandbox.java:195)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript.evaluate(SecureGroovyScript.java:443)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript.evaluate(SecureGroovyScript.java:387)
	at hudson.plugins.groovy.SystemGroovy.run(SystemGroovy.java:95)
	at hudson.plugins.groovy.SystemGroovy.perform(SystemGroovy.java:59)
	at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
	at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:818)
	at hudson.model.Build$BuildExecution.build(Build.java:199)
	at hudson.model.Build$BuildExecution.doRun(Build.java:164)
	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:526)
	at hudson.model.Run.execute(Run.java:1900)
	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:44)
	at hudson.model.ResourceController.execute(ResourceController.java:101)
	at hudson.model.Executor.run(Executor.java:442)
Build step 'Execute system Groovy script' marked build as failure
Finished: FAILURE
```