Jenkins / JENKINS-45778

readFileFromWorkspace Not Whitelisted for Script Security

      Description

      On the Job DSL wiki (https://github.com/jenkinsci/job-dsl-plugin/wiki/Script-Security) it states under Groovy Sandboxing:

      "All Job DSL methods are whitelisted by default, but Jenkins access control checks are applied."

      However, when creating a freestyle job with the example from (https://jenkinsci.github.io/job-dsl-plugin/#path/javaposse.jobdsl.dsl.DslFactory.pipelineJob-definition-cps) as the DSL script, and running as an appropriately authorised user with sandboxing enabled, the following error message is displayed:

      ERROR: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object (javaposse.jobdsl.dsl.helpers.workflow.CpsContext readFileFromWorkspace java.lang.String)

      The DSL for those interested:
      pipelineJob('example') {
          definition {
              cps {
                  script(readFileFromWorkspace('project-a-workflow.groovy'))
                  sandbox()
              }
          }
      }

          jk563 Jamie Kelly added a comment -

          I'm not sure if this is Minor or Major, feel free to adjust. My thought process behind choosing Major is that this issue stops the usage of Job DSL in a very general use case unless I click the button to approve the signature that has a red warning next to it saying not to approve it.

          daspilker Daniel Spilker added a comment -

          This is a problem with the Groovy and probably sandbox. The method is not defined in the inner scope (cps), so it's trying to do a dynamic method invocation. That fails due to sandbox restrictions. Normally the method would be searched in the outer scopes (and finally found in the most outer scope), but that's not happening due to the Sandbox exception.

          As a workaround you could move the call to the outer scope or force a method lookup on the outer scope:

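          // Workaround 1: call readFileFromWorkspace in the outer (script) scope
          // and pass the result into the cps block.
          def pipelineScript = readFileFromWorkspace('project-a-workflow.groovy')

          pipelineJob('example') {
              definition {
                  cps {
                      script(pipelineScript)
                      sandbox()
                  }
              }
          }

          // Workaround 2 (alternative to the above): use this. so the method is
          // looked up on the outer scope.
          pipelineJob('example') {
              definition {
                  cps {
                      script(this.readFileFromWorkspace('project-a-workflow.groovy'))
                      sandbox()
                  }
              }
          }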

            People

            • Assignee:
              Unassigned
              Reporter:
              jk563 Jamie Kelly