  1. Jenkins
  2. JENKINS-43844

No way to configure classpath for groovy script files

      Description

      Since the update to Groovy-Plugin 2.0, the edit field for specifying a classpath is missing in the build step "Execute system groovy script" when running a groovy script file. 

      I do understand why you removed this feature (security), but now my scripts don't work any more, because they don't find the imported groovy classes any more. 

      Is there a better way for achieving a similar functionality like specifying a classpath? Or is it possible to specify it in another way? Or do I have to change my scripts? If it is the latter one: how do I have to change them without adding new security risks?

      In case there is no recommended solution or a workaround, we have to downgrade the Groovy-Plugin.

       

          Activity

          hardy Hardy Koebe created issue -
          dkruger_viavi David Kruger added a comment -

          We have the same problem here, since we split our code into multiple groovy classes in separate files in order to re-use them across scripts.

          andreasmandel Andreas Mandel added a comment -

          After some digging, actually we found a workaround, leveraging some groovy magic. I hope this is not again considered as a security flaw.

          def workspace = build.properties.get('envVars').get('WORKSPACE');
          def cl = new GroovyClassLoader(this.class.classLoader);
          cl.addURL(new File("${workspace}/").toURL()); // whatever path you need to add
          def shell = new GroovyShell(cl, getBinding());
          def myScript = shell.parse(new File("${workspace}/StaticBuildJobAnalysis.groovy")); // whatever your script is
          myScript.run();
          
          dkruger_viavi David Kruger added a comment -

          Thanks that works for me. It is doing exactly what the developers of the Script Security Plugin don't want, but I think it's the only way for now.

          https://wiki.jenkins-ci.org/display/JENKINS/Script+Security+Plugin

          Whatever you choose, do not allow an unprivileged user to add arbitrary classpath entries by making a URLClassLoader! This would make it trivial to bypass all security when using the sandbox.

          andreasmandel Andreas Mandel added a comment -

          Sure, but that is what we need to get the scripts working again - I do not expect that this works without a script approval - if it is not added by an admin - so everything should be fine?

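
A hardened variant of the workaround discussed in this thread, as an added example that is not part of the original comments or of the Groovy plugin's code: it puts only a fixed, administrator-owned directory on the classpath instead of the job workspace, and refuses script paths that resolve outside that directory. It assumes an administrator-approved system Groovy script (which runs inside the Jenkins controller JVM) and a hypothetical directory groovy-lib under JENKINS_HOME that builds and SCM checkouts cannot write to.

```groovy
// Added example, not the plugin's code. 'groovy-lib' is a hypothetical,
// admin-owned directory; the script name is the one used in the thread.
import jenkins.model.Jenkins

/** Resolve a name under root, rejecting anything that escapes it. */
File resolveTrusted(File root, String relative) {
    // canonicalFile collapses ".." segments and follows symlinks
    File candidate = new File(root, relative).canonicalFile
    if (!candidate.toPath().startsWith(root.toPath())) {
        throw new SecurityException("Refusing path outside ${root}: ${relative}")
    }
    if (!candidate.isFile()) {
        throw new FileNotFoundException(candidate.path)
    }
    return candidate
}

// Fixed root on the controller; never derived from WORKSPACE, job
// parameters or anything else a build or a commit can influence.
File libRoot = new File(Jenkins.instance.rootDir, 'groovy-lib').canonicalFile
if (!libRoot.isDirectory()) {
    throw new IllegalStateException("Missing trusted library directory: ${libRoot}")
}

// Same loader/shell construction as the workaround, but the only
// classpath entry is the trusted directory.
def cl = new GroovyClassLoader(this.class.classLoader)
cl.addURL(libRoot.toURI().toURL())
def shell = new GroovyShell(cl, getBinding())

File entry = resolveTrusted(libRoot, 'StaticBuildJobAnalysis.groovy')
shell.parse(entry).run()
```

The difference from the workspace-based version is who can change the loaded classes: here only someone with write access to the controller's file system, rather than anyone who can alter the contents of the job workspace.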

            People

            • Assignee:
              vjuranek vjuranek
              Reporter:
              hardy Hardy Koebe
            • Votes:
              5
              Watchers:
              5
