Jenkins / JENKINS-46088

unclassified staticMethod when assigning java.util.regex.Matcher in included script

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Component/s: script-security-plugin
    • Labels:
      None
    • Environment:
      Jenkins 2.60.2 .war on Ubuntu
      Script Security Plugin 1.31
      Groovy Plugin 2.0

      Description

      Steps to reproduce:

      Run Jenkins 2.60.2 with latest Script Security Plugin (1.31). Create a freestyle job that runs a system groovy script from a script file /tmp/minimal.groovy (!, bug does not appear if the script is defined in the job itself).

      Sample job config.xml is attached.

      Contents of /tmp/minimal.groovy :

      java.util.regex.Matcher m = "asdf" =~ /(a)/
      

      Run the job.

      Observed result

      ERROR: Build step failed with exception
      org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: unclassified staticMethod org.kohsuke.groovy.sandbox.impl.Checker checkedStaticCall java.lang.Class java.lang.String java.lang.String java.lang.String
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onStaticCall(SandboxInterceptor.java:146)
      	at org.kohsuke.groovy.sandbox.impl.Checker$2.call(Checker.java:184)
      	at org.kohsuke.groovy.sandbox.impl.Checker.checkedStaticCall(Checker.java:188)
      	at org.kohsuke.groovy.sandbox.impl.Checker$checkedStaticCall$1.callStatic(Unknown Source)
      	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
      	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
      	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:222)
      	at Script1.run(Script1.groovy:1)
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:141)
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript.evaluate(SecureGroovyScript.java:165)
      	at hudson.plugins.groovy.SystemGroovy.run(SystemGroovy.java:95)
      	at hudson.plugins.groovy.SystemGroovy.perform(SystemGroovy.java:59)
      	at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:735)
      	at hudson.model.Build$BuildExecution.build(Build.java:206)
      	at hudson.model.Build$BuildExecution.doRun(Build.java:163)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:490)
      	at hudson.model.Run.execute(Run.java:1735)
      	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
      	at hudson.model.ResourceController.execute(ResourceController.java:97)
      	at hudson.model.Executor.run(Executor.java:405)
      

      Expected result

      Script runs without error.

      Known mitigations

      Changing the script to:

      def m = "asdf" =~ /(a)/
      

      That is, removing the explicit type declaration solves the problem.

      Also, copying the script into the job definition doesn't trigger the error.

      Priority

      Since the explicit type declaration is not idiomatic usage anyways and the workaround is simple, I don't think it's highly important but would like to understand why this fails in any case.

            Activity

            • schoeneu Urs Schoenenberger created issue
            • abayer Andrew Bayer made changes: Priority: Minor [ 4 ] → Critical [ 2 ]
            • abayer Andrew Bayer made changes: Status: Open [ 1 ] → In Progress [ 3 ]
            • abayer Andrew Bayer made changes: Status: In Progress [ 3 ] → In Review [ 10005 ]
            • abayer Andrew Bayer made changes: Remote Link: This issue links to "groovy-sandbox PR #37 (Web Link)" [ 17434 ]
            • abayer Andrew Bayer made changes: Assignee: Andrew Bayer [ abayer ]
            • abayer Andrew Bayer made changes: Remote Link: This issue links to "script-security PR #139 (Web Link)" [ 17435 ]
            • jglick Jesse Glick made changes: Link: This issue relates to SECURITY-580 [ SECURITY-580 ]
            • abayer Andrew Bayer made changes: Priority: Critical [ 2 ] → Blocker [ 1 ]
            • abayer Andrew Bayer made changes: Status: In Review [ 10005 ] → Resolved [ 5 ]; Resolution: Fixed [ 1 ]
            • abayer Andrew Bayer made changes: Link: This issue is duplicated by JENKINS-46195 [ JENKINS-46195 ]

              People

              • Assignee: abayer Andrew Bayer
              • Reporter: schoeneu Urs Schoenenberger
              • Votes: 0
              • Watchers: 7
