JENKINS-27952

Scriptsecurity: match regex not permitted with conditional build step plugin

      Description

      Hi,

      We have the following configuration in a job:

        <builders>
          <org.jenkinsci.plugins.conditionalbuildstep.ConditionalBuilder plugin="conditional-buildstep@1.3.3">
            <runner class="org.jenkins_ci.plugins.run_condition.BuildStepRunner$Fail" plugin="run-condition@1.0"/>
            <runCondition class="org.jenkins_ci.plugins.run_condition.core.ExpressionCondition" plugin="run-condition@1.0">
              <expression>[24][x0-9][0-9]{2}</expression>
              <label>${TYPE}</label>
            </runCondition>
        ...
      

      When the Script Security Plugin is installed, we get the following error:

      SEVERE: Failed Loading job MyJob
      org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter matchRegex java.lang.Object java.lang.Object
              at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectStaticMethod(StaticWhitelist.java:164)
              at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onStaticCall(SandboxInterceptor.java:100)
              at org.kohsuke.groovy.sandbox.impl.Checker$2.call(Checker.java:115)
              at org.kohsuke.groovy.sandbox.impl.Checker.checkedStaticCall(Checker.java:112)
              at sun.reflect.GeneratedMethodAccessor108.invoke(Unknown Source)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:606)
              at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:90)
              at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:233)
              at org.codehaus.groovy.runtime.callsite.StaticMetaMethodSite.invoke(StaticMetaMethodSite.java:43)
              at org.codehaus.groovy.runtime.callsite.StaticMetaMethodSite.callStatic(StaticMetaMethodSite.java:99)
              at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:50)
              at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:157)
              at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:177)
              at Script1.run(Script1.groovy:1)
              at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:139)
              at hudson.matrix.FilterScript.evaluate(FilterScript.java:45)
              at hudson.matrix.FilterScript.apply(FilterScript.java:85)
              at hudson.matrix.Combination.evalGroovyExpression(Combination.java:101)
              at hudson.matrix.Combination.evalGroovyExpression(Combination.java:91)
              at hudson.matrix.MatrixProject.rebuildConfigurations(MatrixProject.java:638)
              at hudson.matrix.MatrixProject.onLoad(MatrixProject.java:505)
              at hudson.model.Items.load(Items.java:279)
              at jenkins.model.Jenkins$17.run(Jenkins.java:2673)
              at org.jvnet.hudson.reactor.TaskGraphBuilder$TaskImpl.run(TaskGraphBuilder.java:169)
              at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:282)
              at jenkins.model.Jenkins$7.runTask(Jenkins.java:903)
              at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:210)
              at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:117)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
              at java.lang.Thread.run(Thread.java:745)
      

      Note: The current workaround is to "Approve" the script via http://<jenkins-url>/scriptApproval/

          Activity

          tom_ghyselinck Tom Ghyselinck created issue -
          tom_ghyselinck Tom Ghyselinck made changes -
          Environment Jenkins 1.596.2
          tom_ghyselinck Tom Ghyselinck made changes -
          Environment: Jenkins 1.596.2 (original value), Jenkins 1.596.2 LTS (new value)
          imod Dominik Bartholdi added a comment -

          This is the expected behaviour: when the Script Security plugin is installed, all Groovy code executed should get checked before execution.

          As for now, it seems that the causing method in your case seems to be added to the default whitelist now: https://github.com/abayer/script-security-plugin/blob/master/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist

          imod Dominik Bartholdi made changes -
          Status Open [ 1 ] Resolved [ 5 ]
          Resolution Not A Defect [ 7 ]
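
The rejection above can be triaged from the log alone; this is an added example, not code from the issue or from the Script Security plugin. It extracts each rejected signature, the frame directly below `GroovySandbox.run` (the component that evaluated the script; in this trace `hudson.matrix.FilterScript.evaluate`), and whether the signature appears in a whitelist file. The function names and both whitelist texts are constructed for illustration.

```python
import re

# The text after "Scripts not permitted to use" has the same shape as a
# whitelist line: a kind keyword followed by class, member and argument types.
REJECTED = re.compile(
    r"RejectedAccessException: Scripts not permitted to use "
    r"((?:staticMethod|method|new|staticField|field) .+)$"
)
JOB = re.compile(r"Failed Loading job (\S+)")
FRAME = re.compile(r"^\s*at ([\w.$]+)\(")
SANDBOX_RUN = "org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run"


def normalize(sig):
    """Collapse whitespace so log and whitelist signatures compare equal."""
    return " ".join(sig.split())


def parse_whitelist(text):
    """Return the signatures in a whitelist file, skipping blanks and # comments."""
    return {normalize(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def triage(log_text, whitelist_text):
    """List every sandbox rejection with job, signature, caller and whitelist status."""
    allowed = parse_whitelist(whitelist_text)
    findings, job, current, after_sandbox = [], None, None, False
    for line in log_text.splitlines():
        if (m := JOB.search(line)):
            job = m.group(1)
            continue
        if (m := REJECTED.search(line)):
            sig = normalize(m.group(1))
            current = {"job": job, "signature": sig, "caller": None,
                       "whitelisted": sig in allowed}
            findings.append(current)
            job, after_sandbox = None, False   # do not reuse job for later entries
            continue
        m = FRAME.match(line)
        if m and current is not None and current["caller"] is None:
            if after_sandbox:
                current["caller"] = m.group(1)   # first frame below the sandbox
            elif m.group(1) == SANDBOX_RUN:
                after_sandbox = True
    return findings


# Log excerpt taken from the report above, with the trace shortened.
SAMPLE_LOG = """
SEVERE: Failed Loading job MyJob
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter matchRegex java.lang.Object java.lang.Object
        at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectStaticMethod(StaticWhitelist.java:164)
        at org.kohsuke.groovy.sandbox.impl.Checker.checkedStaticCall(Checker.java:112)
        at Script1.run(Script1.groovy:1)
        at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:139)
        at hudson.matrix.FilterScript.evaluate(FilterScript.java:45)
        at hudson.matrix.MatrixProject.onLoad(MatrixProject.java:505)
"""

# Constructed whitelist texts: one without and one with the matchRegex entry.
WHITELIST_WITHOUT = """
# constructed sample, not the plugin's real file
staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter compareEqual java.lang.Object java.lang.Object
"""
WHITELIST_WITH = WHITELIST_WITHOUT + (
    "staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter "
    "matchRegex java.lang.Object java.lang.Object\n"
)

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, WHITELIST_WITHOUT):
        print(finding)
```

A signature reported as not whitelisted still needs a decision at `/scriptApproval/`; one that is whitelisted in a newer plugin release goes away with the upgrade.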

            People

            • Assignee:
              domi Dominik Bartholdi
              Reporter:
              tom_ghyselinck Tom Ghyselinck