[JENKINS-34638] org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use new java.util.Random - Jenkins JIRA

Details

Type: Bug
Status: Resolved (View Workflow)
Priority: Critical
Resolution: Incomplete
Component/s: pipeline
Labels:
- Jenkinsfie
- Pipeline
- git
- java.util.Random
- pipeline
- random
Environment:
Jenkins ver. 2.0

Similar Issues:

Show

Description

Works fine when run using Piepline script however when using Pipeline script from SCM, it breaks.

[Pipeline] End of Pipeline
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use new java.util.Random
at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectNew(StaticWhitelist.java:167)
at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onNewInstance(SandboxInterceptor.java:116)
at org.kohsuke.groovy.sandbox.impl.Checker$3.call(Checker.java:191)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedConstructor(Checker.java:188)
at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.constructorCall(SandboxInvoker.java:19)
at WorkflowScript.run(WorkflowScript:39)
at __cps.transform__(Native Method)
at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:93)
at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixName(FunctionCallBlock.java:74)
at sun.reflect.GeneratedMethodAccessor582.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
at com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21)
at com.cloudbees.groovy.cps.Next.step(Next.java:58)
at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:154)
at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:19)
at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:33)
at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:30)
at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:106)
at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:30)
at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:164)
at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:277)
at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$000(CpsThreadGroup.java:77)
at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:186)
at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:184)
at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:47)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:112)
at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Finished: FAILURE

Attachments

Activity

Ascending order - Click to sort in descending order

6 older comments

Hide

Permalink

Anudeep Lalam added a comment - 2016-11-29 05:59

Hi Sasha Shkolnik,

My Jenkins Master is a Linux Host. I found scriptApproval.xml under /var/lib/jenkins. My issue got resolved once I edited the xml to include staticMethod java.lang.Math round java.math.BigDecimal and restart Jenkins.

Show

Anudeep Lalam added a comment - 2016-11-29 05:59 Hi Sasha Shkolnik , My Jenkins Master is a Linux Host. I found scriptApproval.xml under /var/lib/jenkins . My issue got resolved once I edited the xml to include staticMethod java.lang.Math round java.math.BigDecimal and restart Jenkins.

Hide

Permalink

Sasha Shkolnik added a comment - 2016-11-29 07:07

Hmm, when I add "method java.lang.UNIXProcess consumeProcessOutput java.lang.StringBuilder" to my scriptApproval.xml file, Jenkins just ignores it and give the error back again. When I add "unclassified method java.lang.UNIXProcess consumeProcessOutput java.lang.StringBuilder" to an xml file, Jenkins pretend the whole list is not there and gives an error about another method call, that is already on the list....

Show

Sasha Shkolnik added a comment - 2016-11-29 07:07 Hmm, when I add "method java.lang.UNIXProcess consumeProcessOutput java.lang.StringBuilder" to my scriptApproval.xml file, Jenkins just ignores it and give the error back again. When I add "unclassified method java.lang.UNIXProcess consumeProcessOutput java.lang.StringBuilder" to an xml file, Jenkins pretend the whole list is not there and gives an error about another method call, that is already on the list....

Hide

Permalink

Jesse Glick added a comment - 2016-12-05 22:26

Missing entries are not a bug, though PRs to add them to the default whitelist are welcome.

Any error including the unclassified text indicates a product bug. Please file separately in script-security-plugin with complete steps to reproduce from scratch.

Show

Jesse Glick added a comment - 2016-12-05 22:26 Missing entries are not a bug, though PRs to add them to the default whitelist are welcome. Any error including the unclassified text indicates a product bug. Please file separately in script-security-plugin with complete steps to reproduce from scratch.

Hide

Permalink

Philip O'Gorman added a comment - 2017-05-30 15:51

I have the following error:

Error: org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use new java.io.File java.lang.String

I tried to update my scriptApproval.xml file as follows, but I don't see anything in the approvals page:

<?xml version='1.0' encoding='UTF-8'?>
<scriptApproval plugin="script-security@1.27">
 
    <approvedScriptHashes/>
 
    <approvedSignatures>
        <string>method java.io.File java.lang.String</string>
    <approvedSignatures/>
 
    <aclApprovedSignatures/>
 
        <approvedClasspathEntries/>
 
        <pendingScripts/>
 
        <pendingSignatures/>
 
        <pendingClasspathEntries/>

        </scriptApproval>

What I am doing wrong?

Show

Philip O'Gorman added a comment - 2017-05-30 15:51 I have the following error: Error: org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use new java.io.File java.lang. String I tried to update my scriptApproval.xm l file as follows, but I don't see anything in the approvals page: <?xml version= '1.0' encoding= 'UTF-8' ?> <scriptApproval plugin= "script-security@1.27" > <approvedScriptHashes/> <approvedSignatures> <string>method java.io.File java.lang. String </string> <approvedSignatures/> <aclApprovedSignatures/> <approvedClasspathEntries/> <pendingScripts/> <pendingSignatures/> <pendingClasspathEntries/> </scriptApproval> What I am doing wrong?

Hide

Permalink

Jesse Glick added a comment - 2017-05-30 16:48

Philip O'Gorman

new java.io.File java.lang.String is explicitly blacklisted, for a reason, so if you think you need it, you are doing something wrong (use the users’ list please)
updating scriptApproval.xml directly only works after a restart anyway

Show

Jesse Glick added a comment - 2017-05-30 16:48 Philip O'Gorman new java.io.File java.lang.String is explicitly blacklisted, for a reason, so if you think you need it, you are doing something wrong (use the users’ list please) updating scriptApproval.xml directly only works after a restart anyway

People

Assignee:

Unassigned

Reporter:

Ashudeep Budhiraja

Votes:

0 Vote for this issue

Watchers:

7 Start watching this issue

Dates

Created:

2016-05-06 06:35

Updated:

2017-05-30 16:48

Resolved:

2016-12-05 22:26