- Bug
- Resolution: Unresolved
- Priority: Critical
- Version: 2.401.3
A few days ago, our team was forced to upgrade Jenkins from version 2.401.1 to version 2.401.3 after some plugins demanded an upgrade. Our Jenkins instance is managed by the Kubernetes Operator, since we have it within an EKS cluster.
After upgrading the image, some plugins demanded upgrades as well, so we did that too. Unfortunately, when I try to execute any pipeline, the following error shows:
Scripts not permitted to use new java.util.Properties. Administrators can decide whether to approve or reject this signature.
Also: org.jenkinsci.plugins.workflow.actions.ErrorAction$ErrorId: e4b183a4-4d52-473d-96a8-01cec67abc75
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use new java.util.Properties
    at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectNew(StaticWhitelist.java:238)
    at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onNewInstance(SandboxInterceptor.java:198)
    at org.kohsuke.groovy.sandbox.impl.Checker$3.call(Checker.java:227)
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedConstructor(Checker.java:232)
    at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.constructorCall(SandboxInvoker.java:21)
    at org.jenkinsci.plugins.workflow.cps.LoggingInvoker.constructorCall(LoggingInvoker.java:110)
    at pipelinenpm.call(pipelinenpm.groovy:53)
    at WorkflowScript.run(WorkflowScript:1)
    at ___cps.transform___(Native Method)
    at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:100)
    at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixName(FunctionCallBlock.java:80)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.base/java.lang.reflect.Method.invoke(Unknown Source)
    at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
    at com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21)
    at com.cloudbees.groovy.cps.Next.step(Next.java:83)
    at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:152)
    at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:146)
    at org.codehaus.groovy.runtime.GroovyCategorySupport$ThreadCategoryInfo.use(GroovyCategorySupport.java:136)
    at org.codehaus.groovy.runtime.GroovyCategorySupport.use(GroovyCategorySupport.java:275)
    at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:146)
    at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:18)
    at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:51)
    at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:187)
    at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:423)
    at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:331)
    at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:295)
    at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:97)
    at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
    at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:139)
    at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
    at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:68)
    at jenkins.util.ErrorLoggingExecutorService.lambda$wrap$0(ErrorLoggingExecutorService.java:51)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.base/java.lang.Thread.run(Unknown Source)
Since we're managing Jenkins with the Jenkins Operator, if I approve those changes from the GUI console they won't be persisted if the pod restarts at any time.
What's concerning about this situation is that we currently have a ConfigMap where we approve basically all scripts, and that's attached to the CRD of Jenkins.
Listing here my plugin versions:
kubernetes: 3971.v94b_4c914ca_75
workflow-job: 1326.ve643e00e9220
workflow-aggregator: '2.6'
git: 5.1.0
job-dsl: '1.77'
configuration-as-code: 1670.v564dc8b_982d0
ansicolor: 0.7.4
ssh-credentials: 326.v7fcb_a_ef6194b_
sshd: 3.303.vefc7119b_ec23
git-client: 4.4.0
kubernetes-credentials-provider: '0.22'
kubernetes-client-api: 6.4.1-215.v2ed17097a_8e9
kubernetes-credentials: 0.10.0
view-job-filters: '2.3'
categorized-view: '1.11'
performance: '3.17'
github: 1.29.4
github-pullrequest: 0.2.6
rebuild: '1.29'
sonar: '2.11'
jobConfigHistory: 2.28.1
simple-theme-plugin: '0.6'
pipeline-model-extensions: 2.2141.v5402e818a_779
pipeline-model-definition: 2.2121.vd87fb_6536d1e
oic-auth: '1.8'
role-strategy: 3.2.0
parameter-separator: '1.3'
prometheus: 2.0.10
gitlab-plugin: 1.6.1
material-theme: 0.5.2-rc100.6121925fe229
instance-identity: 142.v04572ca_5b_265
mailer: 463.vedf8358e006b_
snakeyaml-api: 2.2-111.vc6598e30cc65
script-security: 1294.v99333c047434
I'm leaving here the relevant fragment of the ConfigMap where it can be seen that all scripts should be approved.
apiVersion: v1
kind: ConfigMap
metadata:
  name: jenkins-operator-casc-configuration
  namespace: default
  labels:
    app: jenkins-operator
    jenkins-cr: ci
    watch: 'true'
data:
  # Literal block scalar (|) keeps every Groovy statement on its own line; a folded
  # scalar (>) joins same-indented lines with spaces and would run statements together.
  2-configure-in-process-script-approvals.groovy: |
    import java.lang.reflect.*;
    import jenkins.model.Jenkins;
    import jenkins.model.*;
    import org.jenkinsci.plugins.scriptsecurity.scripts.*;
    import org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.*;

    // Signatures the sandbox should accept, in script-security's
    // "<kind> <class> <member> <param types...>" notation.
    signatures = [
      'field jenkins.security.apitoken.ApiTokenStore$TokenUuidAndPlainValue plainValue',
      'method groovy.json.JsonBuilder call java.util.List',
      'method groovy.json.JsonSlurper parseText java.lang.String',
      'method groovy.json.JsonSlurperClassic parseText',
      'method groovy.lang.Binding getVariable java.lang.String',
      'method groovy.lang.Binding getVariables',
      'method groovy.lang.Binding hasVariable java.lang.String',
      'method groovy.lang.Closure getMaximumNumberOfParameters',
      'method groovy.lang.GString plus java.lang.String',
      'method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object',
      'method hudson.model.Actionable getAction java.lang.Class',
      'method hudson.model.Actionable getActions',
      'method hudson.model.Cause$UpstreamCause getUpstreamProject',
      'method hudson.model.Cause$UserIdCause getUserId',
      'method hudson.model.Cause$UserIdCause getUserName',
      'method hudson.model.Item getFullName',
      'method hudson.model.Item getUrl',
      'method hudson.model.ItemGroup getAllItems java.lang.Class',
      'method hudson.model.ItemGroup getItem java.lang.String',
      'method hudson.model.Job getBuildByNumber int',
      'method hudson.model.Job getLastBuild',
      'method hudson.model.Job getLastSuccessfulBuild',
      'method hudson.model.Job isBuilding',
      'method hudson.model.Run getCause java.lang.Class',
      'method hudson.model.Run getCauses',
      'method hudson.model.Run getEnvironment hudson.model.TaskListener',
      'method hudson.model.Run getLogFile',
      'method hudson.model.Run getNumber',
      'method hudson.model.Run getParent',
      'method hudson.model.Run getResult',
      'method hudson.model.Run getUrl',
      'method hudson.model.Saveable save',
      'method hudson.model.User getProperty java.lang.Class',
      'method hudson.plugins.git.GitSCM getUserRemoteConfigs',
      'method hudson.plugins.git.UserRemoteConfig getUrl',
      'method java.io.File delete',
      'method java.util.Dictionary get java.lang.Object',
      'method java.util.Map containsKey java.lang.Object',
      'method java.util.Map entrySet',
      'method java.util.Map get java.lang.Object',
      'method java.util.Map keySet',
      'method java.util.Map putAll java.util.Map',
      'method java.util.Map remove java.lang.Object',
      'method java.util.Map size',
      'method java.util.Map values',
      'method java.util.Properties load java.io.Reader',
      'method jenkins.security.ApiTokenProperty getTokenStore',
      'method jenkins.security.apitoken.ApiTokenStore generateNewToken java.lang.String',
      'method org.jenkinsci.plugins.workflow.steps.FlowInterruptedException getCauses',
      'method org.jenkinsci.plugins.workflow.support.steps.build.RunWrapper getRawBuild',
      'new java.io.File java.lang.String',
      'new java.lang.String java.lang.String',
      'new java.text.SimpleDateFormat java.lang.String java.util.Locale',
      'new java.util.Properties',
      'staticMethod hudson.console.ModelHyperlinkNote encodeTo java.lang.String java.lang.String',
      'staticMethod hudson.model.User get java.lang.String',
      'staticMethod hudson.model.User get java.lang.String boolean',
      'staticMethod hudson.model.User get org.acegisecurity.Authentication',
      'staticMethod jenkins.model.Jenkins getInstance',
      'staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods findAll java.lang.Object groovy.lang.Closure',
      'staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods invokeMethod java.lang.Object java.lang.String java.lang.Object',
      'staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods newReader java.net.URL',
      'staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods println groovy.lang.Closure java.lang.Object'
    ]

    // Approve every listed signature that is not already approved, then persist
    // the result to scriptApproval.xml in JENKINS_HOME.
    scriptApproval = ScriptApproval.get()
    alreadyApproved = new HashSet<>(Arrays.asList(scriptApproval.getApprovedSignatures()))
    signatures
      .findAll { !alreadyApproved.contains(it) }
      .each { scriptApproval.approveSignature(it) }
    scriptApproval.save()
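The rejected signature, `new java.util.Properties`, is already in the ConfigMap list above, so the useful question is whether the approval script actually ran on the restarted controller, not whether the signature is requested. If it ran, `ScriptApproval.get().getApprovedSignatures()` (printable from Manage Jenkins > Script Console) must contain every entry of the list. The following is an added example for this report, not part of the Jenkins Operator or of the reporter's ConfigMap: it extracts the signature from a `RejectedAccessException` message, diffs the wish list against the live approvals, and flags the entries that matter most from a security standpoint. `WANTED` is a subset copied from the ConfigMap; `ACTUAL_SAMPLE` is a constructed stand-in for the script-console output, deliberately missing entries; `HIGH_RISK_MARKERS` is this example's own heuristic, not the script-security plugin's dangerous-signature list.

```python
"""Audit Jenkins script-approval state against an operator-managed wish list.

Added example for this report; not part of the Jenkins Operator or of the
reporter's ConfigMap. ACTUAL_SAMPLE is constructed: it stands in for what
    println ScriptApproval.get().getApprovedSignatures().join('\\n')
prints from the Script Console after a pod restart. HIGH_RISK_MARKERS is this
example's own heuristic.
"""
import re
from typing import List, Optional

# Subset of the signatures the reporter's ConfigMap asks the operator to approve.
WANTED: List[str] = [
    'method hudson.model.Run getEnvironment hudson.model.TaskListener',
    'method java.util.Properties load java.io.Reader',
    'new java.util.Properties',
    'new java.io.File java.lang.String',
    'method java.io.File delete',
    'staticMethod jenkins.model.Jenkins getInstance',
    'method hudson.model.Saveable save',
    'method hudson.model.User getProperty java.lang.Class',
    'method jenkins.security.ApiTokenProperty getTokenStore',
    'method jenkins.security.apitoken.ApiTokenStore generateNewToken java.lang.String',
    'field jenkins.security.apitoken.ApiTokenStore$TokenUuidAndPlainValue plainValue',
]

# Constructed sample of the controller's live approvals (no `new java.util.Properties`).
ACTUAL_SAMPLE: List[str] = [
    'method hudson.model.Run getEnvironment hudson.model.TaskListener',
    'method java.util.Properties load java.io.Reader',
]

# First line of the error quoted in the report.
SAMPLE_ERROR = (
    "Scripts not permitted to use new java.util.Properties. Administrators can "
    "decide whether to approve or reject this signature."
)

# Heuristic (this example's own): approvals that hand sandboxed pipeline code the
# filesystem, the root Jenkins object, config persistence, or API-token material.
HIGH_RISK_MARKERS = (
    'java.io.File',
    'staticMethod jenkins.model.Jenkins getInstance',
    'method hudson.model.Saveable save',
    'jenkins.security.ApiTokenProperty',
    'jenkins.security.apitoken.ApiTokenStore',
)

# script-security phrases the rejection as "Scripts not permitted to use <signature>."
REJECTION_RE = re.compile(r"Scripts not permitted to use (.+?)(?:\.\s|$)")


def rejected_signature(message: str) -> Optional[str]:
    """Extract the rejected signature from a RejectedAccessException message."""
    m = REJECTION_RE.search(message)
    return m.group(1).strip() if m else None


def missing_approvals(wanted: List[str], actual: List[str]) -> List[str]:
    """Signatures the ConfigMap asks for that the controller does not report as approved."""
    live = set(actual)
    return [s for s in wanted if s not in live]


def high_risk(signatures: List[str]) -> List[str]:
    """Subset of signatures matching the heuristic markers above."""
    return [s for s in signatures if any(marker in s for marker in HIGH_RISK_MARKERS)]


def explain_rejection(message: str, wanted: List[str], actual: List[str]) -> str:
    """Classify a rejection: not requested, requested but not applied, or applied."""
    sig = rejected_signature(message)
    if sig is None:
        return "no 'Scripts not permitted to use' signature found in message"
    if sig not in wanted:
        return f"{sig}: not requested in the ConfigMap"
    if sig not in actual:
        return (f"{sig}: requested in the ConfigMap but not present on the controller "
                "(approval script did not run, or its state was lost on restart)")
    return f"{sig}: present on the controller; the approval list does not explain this rejection"


if __name__ == "__main__":
    print(explain_rejection(SAMPLE_ERROR, WANTED, ACTUAL_SAMPLE))
    print("missing:", *missing_approvals(WANTED, ACTUAL_SAMPLE), sep="\n  ")
    print("high risk:", *high_risk(WANTED), sep="\n  ")
```

Paste the real script-console output in place of `ACTUAL_SAMPLE` to run this against a live controller. The high-risk list is also a reminder of how much the ConfigMap approves: `staticMethod jenkins.model.Jenkins getInstance`, `method hudson.model.Saveable save`, and the `ApiTokenProperty`/`ApiTokenStore` entries together let any sandboxed Jenkinsfile reach the root Jenkins object, persist configuration changes, and mint API tokens for users, so approving "basically all scripts" this way amounts to switching the sandbox off for anyone who can push a Jenkinsfile.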