Jenkins / JENKINS-31234

Unable to reference Calendar.instance.get(Calendar.DAY_OF_MONTH) in matrix job's combination filter

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: script-security-plugin
    • Environment:
      We're running Jenkins core version LTS 1.596.3 and the plugins listed in attachment "cci_1747__plugin_versions.txt". The master and slaves are on Windows Server 2008.

      Description

      We get an exception in Jenkins when trying to reference Calendar.instance.get(Calendar.DAY_OF_MONTH) in a Matrix job's Combination Filter.

      Intent: We use this technique to build half of our build variants one night and then the other half the next night.

      To Reproduce: I've attached (file "cci_1747__job_xml.txt") a simple matrix job with which I re-created the problem on a test instance of Jenkins. Import this into Jenkins and run it to ensure it's okay. Next, in its configuration, scroll down to heading "Configuration Matrix" and
      check ON checkbox "Combination Filter" and enter (index%2 == Calendar.instance.get(Calendar.DAY_OF_MONTH)%2) into textbox "Filter". Finally, click button "Save" at the bottom of the page.

      Here's a screenshot of my attempt (including the help text):

      Expected Results: To correctly save the configuration and run half of the variants for each nightly run.

      Actual Results: An exception is thrown upon clicking button "Save" in the job's configuration screen. The job configuration is not saved and therefore remains unmodified.

      Here's a screenshot from the web-page just after clicking button "Save":

      And here's the stack trace from that web-page, copy-pasted as plain text:

      Stack trace
      
      javax.servlet.ServletException: org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: unclassified field java.lang.Class instance
          at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:796)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
          at org.kohsuke.stapler.MetaClass$6.doDispatch(MetaClass.java:249)
          at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
          at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
          at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
          at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:686)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1494)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:96)
          at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:198)
          at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:176)
          at net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:85)
          at org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:99)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:99)
          at hudson.plugins.audit_trail.AuditTrailFilter.doFilter(AuditTrailFilter.java:95)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:99)
          at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:88)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
          at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:48)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
          at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
          at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
          at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:168)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
          at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
          at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
          at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
          at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
          at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
          at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
          at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
          at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
          at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
          at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
          at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
          at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
          at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
          at org.eclipse.jetty.server.Server.handle(Server.java:370)
          at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
          at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:960)
          at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1021)
          at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865)
          at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240)
          at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
          at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
          at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
          at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
          at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
          at java.lang.Thread.run(Unknown Source)
      Caused by: org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: unclassified field java.lang.Class instance
          at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.rejectField(SandboxInterceptor.java:182)
          at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:174)
          at org.kohsuke.groovy.sandbox.impl.Checker$4.call(Checker.java:153)
          at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:150)
          at org.kohsuke.groovy.sandbox.impl.Checker$checkedGetProperty.callStatic(Unknown Source)
          at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:50)
          at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:157)
          at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:177)
          at Script1.run(Script1.groovy:1)
          at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:139)
          at hudson.matrix.FilterScript.evaluate(FilterScript.java:45)
          at hudson.matrix.FilterScript.apply(FilterScript.java:85)
          at hudson.matrix.Combination.evalGroovyExpression(Combination.java:101)
          at hudson.matrix.Combination.evalGroovyExpression(Combination.java:91)
          at hudson.matrix.MatrixProject.rebuildConfigurations(MatrixProject.java:638)
          at hudson.matrix.MatrixProject.submit(MatrixProject.java:887)
          at hudson.model.Job.doConfigSubmit(Job.java:1188)
          at hudson.model.AbstractProject.doConfigSubmit(AbstractProject.java:785)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
          at java.lang.reflect.Method.invoke(Unknown Source)
          at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:298)
          at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:161)
          at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:96)
          at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:121)
          at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
          at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
          ... 71 more
      

      And from file "jenkins.err.log", the logs from that action:

      Oct 26, 2015 4:43:39 PM org.kohsuke.stapler.RequestImpl$TypePair convertJSON
      WARNING: 'stapler-class' is deprecated: hudson.tasks.LogRotator
      Oct 26, 2015 4:43:39 PM hudson.model.AbstractProject submit
      WARNING: label assignment is using legacy 'customWorkspace.directory'
      Oct 26, 2015 4:43:40 PM org.kohsuke.stapler.RequestImpl$TypePair convertJSON
      WARNING: 'stapler-class' is deprecated: hudson.matrix.TextAxis
      Oct 26, 2015 4:43:40 PM org.kohsuke.stapler.RequestImpl$TypePair convertJSON
      WARNING: 'stapler-class' is deprecated: hudson.matrix.TextAxis
      Oct 26, 2015 4:43:40 PM org.kohsuke.stapler.RequestImpl$TypePair convertJSON
      WARNING: 'stapler-class' is deprecated: hudson.tasks.Shell
      Oct 26, 2015 4:43:40 PM org.eclipse.jetty.util.log.JavaUtilLog warn
      WARNING: Error while serving https://ci.test.garmin.com/job/CCI-Adm-Darrel-play_Matrix/configSubmit
      java.lang.reflect.InvocationTargetException
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
          at java.lang.reflect.Method.invoke(Unknown Source)
          at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:298)
          at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:161)
          at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:96)
          at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:121)
          at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
          at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
          at org.kohsuke.stapler.MetaClass$6.doDispatch(MetaClass.java:249)
          at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
          at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
          at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
          at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:686)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1494)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:96)
          at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:198)
          at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:176)
          at net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:85)
          at org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:99)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:99)
          at hudson.plugins.audit_trail.AuditTrailFilter.doFilter(AuditTrailFilter.java:95)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:99)
          at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:88)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
          at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:48)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
          at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
          at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
          at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:168)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
          at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
          at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
          at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
          at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
          at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
          at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
          at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
          at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
          at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
          at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
          at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
          at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
          at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
          at org.eclipse.jetty.server.Server.handle(Server.java:370)
          at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
          at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:960)
          at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1021)
          at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865)
          at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240)
          at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
          at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
          at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
          at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
          at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
          at java.lang.Thread.run(Unknown Source)
      Caused by: org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: unclassified field java.lang.Class instance
          at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.rejectField(SandboxInterceptor.java:182)
          at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:174)
          at org.kohsuke.groovy.sandbox.impl.Checker$4.call(Checker.java:153)
          at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:150)
          at org.kohsuke.groovy.sandbox.impl.Checker$checkedGetProperty.callStatic(Unknown Source)
          at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:50)
          at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:157)
          at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:177)
          at Script1.run(Script1.groovy:1)
          at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:139)
          at hudson.matrix.FilterScript.evaluate(FilterScript.java:45)
          at hudson.matrix.FilterScript.apply(FilterScript.java:85)
          at hudson.matrix.Combination.evalGroovyExpression(Combination.java:101)
          at hudson.matrix.Combination.evalGroovyExpression(Combination.java:91)
          at hudson.matrix.MatrixProject.rebuildConfigurations(MatrixProject.java:638)
          at hudson.matrix.MatrixProject.submit(MatrixProject.java:887)
          at hudson.model.Job.doConfigSubmit(Job.java:1188)
          at hudson.model.AbstractProject.doConfigSubmit(AbstractProject.java:785)
          ... 81 more
      

      Further Investigation: Here are a few other actions and results that I tried:

      • I upgraded Security Script plugin to version 1.15. Result: the same exception occurred.
      • Put (index%2 == 1) in the Combination Filter, and click "Save". Result: no exception is thrown.
      • Put Calendar.instance.get(Calendar.DAY_OF_MONTH) in the Combination Filter, and click "Save". Result: an exception is thrown.
      • Go to "Manage Jenkins" > "Script Console", enter print Calendar.instance.get(Calendar.DAY_OF_MONTH), and click button "Run". Result: The day of the month is printed at the bottom of the screen.

      This leads me to conclude that the syntax is still valid and that the Calendar portion is the problem.

      History: This problem started occurring upon upgrading 51 of our 77 plugins. Immediately after the restart for upgrading the plugins, this job refused to load. We recovered it from the raw XML file and triaged it to this problem report via educated trial and error. I've attached a text file that describes which plugins were upgraded, including their old and new versions.

      Thanks in advance for addressing my problem report!

            Activity

            jglick Jesse Glick added a comment -

            Use .getInstance() rather than .instance as a workaround. You will still need to whitelist some fields and methods in Manage Jenkins » In-Process Script Approval but after that it should work.

            darrelvun Darrel Vuncannon added a comment -

            The advised workaround in fact works, but it took 2 failed attempts and 2 trips to "in process script approvals" to get it to work.

            Jesse: thank you for the workaround instructions! There really should be a more graceful way to make this change than getting these exceptions.

            Darrel's Details

            I verified the syntax beforehand in Script Console:

            Here's my config change attempt:

            Upon clicking save, the resulting exception started:

            javax.servlet.ServletException: org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod java.util.Calendar getInstance
                at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:796)
                at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
            

            I went to "Manage Jenkins" > "In process Script Approval" and clicked button "Approve".

            I repeated the test cycle, getting an exception with

            javax.servlet.ServletException: org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method java.util.Calendar get int
            

            Again, "Manage Jenkins" > "In process Script Approval" and click button "Approve".

            This time, the config loaded (as shown by read-only configuration plugin)!

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptor.java
            src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist
            src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java
            http://jenkins-ci.org/commit/script-security-plugin/c3212ef18c78a905796b0b0ca1eb6c4b262ea289
            Log:
            [FIXED JENKINS-31234] Groovy allows Singleton.instance as an alias for Singleton.getInstance().

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptor.java
            src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist
            src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java
            http://jenkins-ci.org/commit/script-security-plugin/805b99cbea4eaedd64821f5f625ec4317037b354
            Log:
            Merge pull request #31 from jglick/static-getter-JENKINS-31234

            JENKINS-31234 Support Singleton.instance syntax

            Compare: https://github.com/jenkinsci/script-security-plugin/compare/e61d09361e22...805b99cbea4e

            jglick Jesse Glick added a comment -

            The current UI is nonexistent, just the quickest thing that worked to solve SECURITY-125. Would be an RFE in matrix-project-plugin to provide an easier way to preview filter changes including potential script security violations.

            darrelvun Darrel Vuncannon added a comment -

            Jesse: Thanks for your workaround and the fix that I see you committed. As far as I'm concerned, this ticket may be closed.

            I don't plan to pursue the RFE for matrix-project-plugin, because I don't think my company makes changes there often enough to warrant my time.

            Thanks again!

            jglick Jesse Glick added a comment -

            Yes, the fix was to a broad class of singleton idioms that had apparently not gotten tested before; and I also whitelisted the Calendar members used in this example.
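
The behaviour discussed in this issue, as an added illustration that is not part of the thread and not the script-security plugin's code: a simplified Java model of how a sandbox check can classify a read such as `Calendar.instance`, first without and then with the static-getter resolution the commit log describes. The class name, the `resolveStaticGetters` switch and the approved-signature set are assumptions of this sketch; the rejection messages mirror the ones quoted above, and only the `getXxx()` getter form is modelled.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Arrays;
import java.util.Calendar;
import java.util.LinkedHashSet;
import java.util.Set;

/** Simplified model of a sandbox property check (hypothetical; not plugin code). */
public class StaticPropertyCheckDemo {

    /** Raised when a script reads a member that is unknown or not approved. */
    static class Rejected extends RuntimeException {
        Rejected(String message) { super(message); }
    }

    private final Set<String> approved;
    private final boolean resolveStaticGetters;

    StaticPropertyCheckDemo(boolean resolveStaticGetters, String... approvedSignatures) {
        this.resolveStaticGetters = resolveStaticGetters;
        this.approved = new LinkedHashSet<>(Arrays.asList(approvedSignatures));
    }

    /** Classifies the read `receiver.property`, where receiver is a class such as Calendar. */
    String checkStaticProperty(Class<?> receiver, String property) {
        // Case 1: a public static field, for example Calendar.DAY_OF_MONTH.
        try {
            Field field = receiver.getField(property);
            if (Modifier.isStatic(field.getModifiers())) {
                return require("staticField " + field.getDeclaringClass().getName() + " " + property);
            }
        } catch (NoSuchFieldException e) {
            // Not a field; try the getter form next.
        }
        // Case 2: Groovy treats Foo.bar as an alias for the static getter Foo.getBar().
        if (resolveStaticGetters && !property.isEmpty()) {
            String getter = "get" + Character.toUpperCase(property.charAt(0)) + property.substring(1);
            try {
                Method method = receiver.getMethod(getter);
                if (Modifier.isStatic(method.getModifiers())) {
                    return require("staticMethod " + method.getDeclaringClass().getName() + " " + getter);
                }
            } catch (NoSuchMethodException e) {
                // No such getter; fall through to the unclassified case.
            }
        }
        // Case 3: nothing matched, so the read looks like a field of the Class object itself.
        // An unclassified access cannot be approved because it has no member signature.
        throw new Rejected("unclassified field java.lang.Class " + property);
    }

    /** Allows a resolved member only if its signature is on the approved list. */
    private String require(String signature) {
        if (!approved.contains(signature)) {
            throw new Rejected("Scripts not permitted to use " + signature);
        }
        return signature;
    }

    /** Runs one check and renders the result as a single line. */
    static String outcome(StaticPropertyCheckDemo checker, Class<?> receiver, String property) {
        try {
            return "allowed:  " + checker.checkStaticProperty(receiver, property);
        } catch (Rejected r) {
            return "rejected: " + r.getMessage();
        }
    }

    public static void main(String[] args) {
        // Without getter resolution, Calendar.instance cannot be classified at all.
        StaticPropertyCheckDemo before = new StaticPropertyCheckDemo(false);
        // With getter resolution but no approvals, the rejection names a member that can be approved.
        StaticPropertyCheckDemo unapproved = new StaticPropertyCheckDemo(true);
        // With getter resolution and both members approved (constructed approval list).
        StaticPropertyCheckDemo approvedSet = new StaticPropertyCheckDemo(true,
                "staticMethod java.util.Calendar getInstance",
                "staticField java.util.Calendar DAY_OF_MONTH");

        System.out.println(outcome(before, Calendar.class, "instance"));
        System.out.println(outcome(unapproved, Calendar.class, "instance"));
        System.out.println(outcome(unapproved, Calendar.class, "DAY_OF_MONTH"));
        System.out.println(outcome(approvedSet, Calendar.class, "instance"));
        System.out.println(outcome(approvedSet, Calendar.class, "DAY_OF_MONTH"));
    }
}
```

The first result reproduces the "unclassified field" rejection from the original report, which gives an administrator nothing to approve; once the read resolves to a concrete member, the rejection carries a signature that can be reviewed in In-Process Script Approval.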


              People

              • Assignee: Jesse Glick (jglick)
              • Reporter: Darrel Vuncannon (darrelvun)
              • Votes: 0
              • Watchers: 3