Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-34973

RejectedAccessException thrown but no pending script approval added

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      When using

      new GetMethod(url)

      from

      import org.apache.commons.httpclient.HttpClient
      import org.apache.commons.httpclient.methods.GetMethod

      directly in a Workflow script pasted into the UI, everything works as expected.

      When the script is loaded with the file loader plugin during the Workflow script, the following error occurs:

      org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use new org.apache.commons.httpclient.methods.GetMethod java.lang.String

      No pending script approval is generated.

        Attachments

          Issue Links

            Activity

            Hide
            reinholdfuereder Reinhold Füreder added a comment -

            Show
            reinholdfuereder Reinhold Füreder added a comment -
            Hide
            jglick Jesse Glick added a comment -

            Possibly I could just make ScriptApproval.accessRejected be automatic at the throw site

            Actually I cannot—there is no ApprovalContext. Therefore I consider this purely a bug in workflow-cps. Unclear if there is only one mechanism by which this problem might occur, or several.

            Show
            jglick Jesse Glick added a comment - Possibly I could just make ScriptApproval.accessRejected be automatic at the throw site Actually I cannot—there is no ApprovalContext . Therefore I consider this purely a bug in workflow-cps . Unclear if there is only one mechanism by which this problem might occur, or several.
            Hide
            jglick Jesse Glick added a comment -

            …though if GroovySandbox had an API to set a thread-local ApprovalContext, to be used from StaticWhitelist.blacklist, then SandboxContinuable could pass this rather than inspecting the Outcome, probably increasing reliability.

            Show
            jglick Jesse Glick added a comment - …though if GroovySandbox had an API to set a thread-local ApprovalContext , to be used from StaticWhitelist.blacklist , then SandboxContinuable could pass this rather than inspecting the Outcome , probably increasing reliability.
            Hide
            svanoort Sam Van Oort added a comment -

            Andrew Bayer Could you please TAL?

            Show
            svanoort Sam Van Oort added a comment - Andrew Bayer Could you please TAL?
            Hide
            abayer Andrew Bayer added a comment -

            Only thing that comes to mind at first glance is maybe having SandboxContinuable#findRejectedAccessException actually traverse the flow graph looking for a RejectedAccessException anywhere? Though I guess that wouldn't actually show up there if it's caught, which is the whole problem here.

            Show
            abayer Andrew Bayer added a comment - Only thing that comes to mind at first glance is maybe having SandboxContinuable#findRejectedAccessException actually traverse the flow graph looking for a RejectedAccessException anywhere? Though I guess that wouldn't actually show up there if it's caught, which is the whole problem here.

              People

              • Assignee:
                abayer Andrew Bayer
                Reporter:
                tobilarscheid Tobias Larscheid
              • Votes:
                10 Vote for this issue
                Watchers:
                27 Start watching this issue

                Dates

                • Created:
                  Updated: