Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-73861

NonCPS method in parallel() results to java.lang.SecurityException: Rejecting unsandboxed method

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Minor Minor
    • script-security-plugin
    • None
    • Jenkins 2.462.1
      script-security: 1354.va_70a_fe478c7f
      workflow-cps: 3953.v19f11da_8d2fa_

      When I run a NonCPS method in a parallel() it gets attacked by RejectEverythingInterceptor check. Look at this very simple scripted pipeline:

      @NonCPS
def parallelBlock() {
    return {echo("Hello World")}
}
parallel('linux_32': parallelBlock(), 'linux_64': parallelBlock())

      Exception:

      java.lang.SecurityException: Rejecting unsandboxed method call: WorkflowScript.invokeMethod(java.lang.String, [Ljava.lang.Object
at PluginClassLoader for script-security//org.kohsuke.groovy.sandbox.impl.RejectEverythingInterceptor.onMethodCall(RejectEverythingInterceptor.java:44)
at PluginClassLoader for script-security//org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:178)
at PluginClassLoader for script-security//org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:182)
at PluginClassLoader for script-security//org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:152)
at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source)
at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:55)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:197)
at WorkflowScript$_parallelBlock_closure1.doCall(WorkflowScript:3)

      The workaround is to introduce an intermediate CPS method which calls the NonCPS method:

      @NonCPS
def parallelBlockBody() {
    echo("Hello World!")
}
def parallelBlock() {
    return {parallelBlockBody()}
}
parallel('linux_32': parallelBlock(), 'linux_64': parallelBlock())

      I suppose it is a bug, because I did not find in the description of parallel() that it does not support NonCPS.

      P. S.: I wanted to choose https://github.com/jenkinsci/groovy-sandbox , but it is not available in "Component/s" so I selected script-security-plugin.

            Unassigned Unassigned
            alexander_samoylov Alexander Samoylov
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated: