Jenkins / JENKINS-42524

Don't blacklist GStringImpl from XStream serialization

      Description

      So I wanted to discuss this, in case there's a good reason for rejecting org.codehaus.groovy.runtime.GStringImpl specifically. We're currently blacklisting org.codehaus.groovy.runtime.* in hudson.remoting.ClassFilter.DEFAULT and that can cause hassles, so I thought it was worth discussion.

            Activity

            strml Samuel Reed added a comment -

            This is causing us issues as of the latest update on an unmodified Jenkinsfile. I can't trace down what particular change caused it (it was a plugin or system update, not the Jenkinsfile itself).

             

            I was able to work around it by changing an option on the S3BucketPublisher (running it via step()) from:

            sourceFile: "${env.BRANCH_NAME}.jenkins.tar.gz"

            To:

            sourceFile: env.BRANCH_NAME + '.jenkins.tar.gz'

            That full step invocation with the fixed `sourceFile`:

            step([
             $class: 'S3BucketPublisher',
             consoleLogLevel: 'INFO',
             pluginFailureResultConstraint: 'FAILURE',
             dontWaitForConcurrentBuildCompletion: false,
             entries: [[bucket: 'dest', excludedFile: '', flatten: false, gzipFiles: false,
             managedArtifacts: false, noUploadOnFailure: true, selectedRegion: 'us-east-1',
             sourceFile: env.BRANCH_NAME + '.jenkins.tar.gz', storageClass: 'STANDARD', uploadFromSlave: false,
             useServerSideEncryption: true]],
             profileName: 's3',
             userMetadata: []
            ])

             

            The trace:

            java.lang.RuntimeException: Failed to serialize org.jenkinsci.plugins.workflow.support.storage.SimpleXStreamFlowNodeStorage$Tag#actions for class org.jenkinsci.plugins.workflow.support.storage.SimpleXStreamFlowNodeStorage$Tag
                at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
                at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224)
                at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138)
                at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209)
                at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150)
                at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
                at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
                at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
                at com.thoughtworks.xstream.core.TreeMarshaller.start(TreeMarshaller.java:82)
                at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.marshal(AbstractTreeMarshallingStrategy.java:37)
                at com.thoughtworks.xstream.XStream.marshal(XStream.java:1026)
                at com.thoughtworks.xstream.XStream.marshal(XStream.java:1015)
                at com.thoughtworks.xstream.XStream.toXML(XStream.java:988)
                at hudson.XmlFile.write(XmlFile.java:171)
                at org.jenkinsci.plugins.workflow.support.storage.SimpleXStreamFlowNodeStorage.saveActions(SimpleXStreamFlowNodeStorage.java:111)
                at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution.saveActions(CpsFlowExecution.java:918)
                at org.jenkinsci.plugins.workflow.graph.FlowNode.save(FlowNode.java:380)
                at org.jenkinsci.plugins.workflow.graph.FlowNode.persistSafe(FlowNode.java:386)
                at org.jenkinsci.plugins.workflow.graph.FlowNode.access$100(FlowNode.java:61)
                at org.jenkinsci.plugins.workflow.graph.FlowNode$1.add(FlowNode.java:346)
                at org.jenkinsci.plugins.workflow.graph.FlowNode$1.add(FlowNode.java:336)
                at java.util.AbstractList.add(AbstractList.java:108)
                at hudson.model.Actionable.addAction(Actionable.java:152)
                at org.jenkinsci.plugins.workflow.job.WorkflowRun$GraphL.onNewHead(WorkflowRun.java:897)
                at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution.notifyListeners(CpsFlowExecution.java:1110)
                at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$3.run(CpsThreadGroup.java:402)
                at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$1.run(CpsVmExecutorService.java:35)
                at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:112)
                at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
                at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
                at java.util.concurrent.FutureTask.run(FutureTask.java:266)
                at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
                at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
                at java.lang.Thread.run(Thread.java:748)
            Caused by: java.lang.RuntimeException: Failed to serialize org.jenkinsci.plugins.workflow.cps.actions.ArgumentsActionImpl#arguments for class org.jenkinsci.plugins.workflow.cps.actions.ArgumentsActionImpl
                at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
                at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224)
                at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138)
                at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209)
                at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150)
                at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
                at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
                at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
                at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:88)
                at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.writeItem(AbstractCollectionConverter.java:64)
                at com.thoughtworks.xstream.converters.collections.ArrayConverter.marshal(ArrayConverter.java:45)
                at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
                at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
                at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
                at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
                at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
                ... 33 more
            Caused by: java.lang.UnsupportedOperationException: Refusing to marshal org.codehaus.groovy.runtime.GStringImpl for security reasons
                at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:449)
                at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
                at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
                at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
                at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:88)
                at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.writeItem(AbstractCollectionConverter.java:64)
                at com.thoughtworks.xstream.converters.collections.MapConverter.marshal(MapConverter.java:79)
                at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
                at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
                at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
                at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:88)
                at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.writeItem(AbstractCollectionConverter.java:64)
                at com.thoughtworks.xstream.converters.collections.CollectionConverter.marshal(CollectionConverter.java:74)
                at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
                at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
                at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
                at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:88)
                at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.writeItem(AbstractCollectionConverter.java:64)
                at com.thoughtworks.xstream.converters.collections.MapConverter.marshal(MapConverter.java:79)
                at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
                at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
                at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
                at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:88)
                at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.writeItem(AbstractCollectionConverter.java:64)
                at com.thoughtworks.xstream.converters.collections.MapConverter.marshal(MapConverter.java:79)
                at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
                at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
                at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
                at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
                at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
                ... 48 more

             

            jglick Jesse Glick added a comment -

            Samuel Reed see JENKINS-43934.

            oleg_nenashev Oleg Nenashev added a comment -

            Andrew Bayer The ticket has the Remoting label, but from what I see there is only a request for XStream.
            Or do we need both?

            oleg_nenashev Oleg Nenashev added a comment -

            Andrew Bayer ping

            abayer Andrew Bayer added a comment -

            Probably just XStream, yeah.

            jglick Jesse Glick added a comment -

            Any attempt to save a GString in XML (or, not shown here, pass it over Remoting) should be treated as a plugin bug.

            oleg_nenashev Oleg Nenashev added a comment -

            I agree. JEP-200 will punish users of this class, I'd guess

            antonyz Antony Zhong added a comment -

            I was one of the customers being punished by JEP-200 too. Interestingly, I have found a workaround like the one below. Basically, it seems to work fine when converting into String explicitly within the script.

            def retList = []
            for (String s in aFunctionReturnsAGStringList()) {
               retList << s
            }
            retList
            

             

            oleg_nenashev Oleg Nenashev added a comment -

            yes, any conversion does the job
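
The trace above shows the rejected GStringImpl nested inside maps and a collection, so converting a single top-level value is not always enough. The following is an added example, not code from this issue or from Jenkins: `stringifyGStrings` is a hypothetical helper that walks a nested argument structure and converts every GString to a `java.lang.String`, and `branch` is a constructed stand-in for `env.BRANCH_NAME`.

```groovy
// Added example. stringifyGStrings is a hypothetical helper name, not a Jenkins API.
// Plain loops are used instead of closures so the helper stays simple to run
// both as a standalone Groovy script and inside a Pipeline script.
def stringifyGStrings(Object value) {
    if (value instanceof GString) {
        // The explicit conversion the thread describes: GStringImpl -> java.lang.String
        return value.toString()
    }
    if (value instanceof Map) {
        def out = [:]
        for (e in value.entrySet()) {
            // Keys can be GStrings too, e.g. ["${name}": 1]
            out[stringifyGStrings(e.key)] = stringifyGStrings(e.value)
        }
        return out
    }
    if (value instanceof Collection) {
        def out = []
        for (item in value) {
            out << stringifyGStrings(item)
        }
        return out
    }
    if (value instanceof Object[]) {
        def out = []
        for (item in value) {
            out << stringifyGStrings(item)
        }
        return out.toArray()
    }
    return value   // String, Boolean, Number, null: left untouched
}

// Constructed sample input shaped like the step arguments in the comment above.
def branch = 'main'   // stand-in for env.BRANCH_NAME
def args = [
    $class     : 'S3BucketPublisher',
    entries    : [[bucket: 'dest', sourceFile: "${branch}.jenkins.tar.gz", flatten: false]],
    profileName: 's3',
    userMetadata: []
]

// Before: the interpolated value is a GString, which the XStream filter refuses.
assert args.entries[0].sourceFile instanceof GString
assert !(args.entries[0].sourceFile instanceof String)

// After: same content, but every leaf is a plain String (or an untouched scalar).
def clean = stringifyGStrings(args)
assert clean.entries[0].sourceFile.getClass() == String
assert clean.entries[0].sourceFile == 'main.jenkins.tar.gz'
assert clean.entries[0].flatten == false
assert clean['$class'] == 'S3BucketPublisher'

// A typed declaration performs the same coercion, which is why the
// `for (String s in ...)` loop in the workaround above yields Strings.
String coerced = "${branch}.jenkins.tar.gz"
assert coerced.getClass() == String
```

In a Jenkinsfile the helper would wrap the argument map before it reaches the step, for example `step(stringifyGStrings([...]))`.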


              People

              • Assignee:
                Unassigned
                Reporter:
                abayer Andrew Bayer