Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-46213

Varargs call to sprintf() from static field throws MissingMethodException after plugins upgrade

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: script-security-plugin
    • Labels:
      None
    • Environment:
    • Sprint:
      Pipeline - December
    • Similar Issues:

      Description

      After upgrading my local dev Jenkins instance core and plugins, calling sprintf() with varargs from the initial value of a static field throws the following exception. (Running in sandbox mode.):

      hudson.remoting.ProxyException: groovy.lang.MissingMethodException: No signature of method: java.lang.Class.sprintf() is applicable for argument types: (java.lang.String, java.lang.String, java.lang.String) values: [Hello all you %s out there in %s, developers, the Jenkins World]
      Possible solutions: sprintf(java.lang.String, java.lang.Object), sprintf(java.lang.String, [Ljava.lang.Object;), printf(java.lang.String, [Ljava.lang.Object;), printf(java.lang.String, java.lang.Object), println(), print(java.io.PrintWriter)
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:121)
      	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:153)
      	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:157)
      	at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$2.callStatic(Unknown Source)
      	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
      	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
      	at ConstantsBoom.<clinit>(WorkflowScript:26)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:93)
      	at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325)
      	at groovy.lang.MetaClassImpl.getProperty(MetaClassImpl.java:1855)
      	at groovy.lang.MetaClassImpl.getProperty(MetaClassImpl.java:3758)
      	at org.codehaus.groovy.runtime.InvokerHelper.getProperty(InvokerHelper.java:177)
      	at org.codehaus.groovy.runtime.ScriptBytecodeAdapter.getProperty(ScriptBytecodeAdapter.java:456)
      	at org.kohsuke.groovy.sandbox.impl.Checker$6.call(Checker.java:284)
      	at org.kohsuke.groovy.sandbox.GroovyInterceptor.onGetProperty(GroovyInterceptor.java:68)
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:334)
      	at org.kohsuke.groovy.sandbox.impl.Checker$6.call(Checker.java:282)
      	at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:286)
      	at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.getProperty(SandboxInvoker.java:29)
      	at com.cloudbees.groovy.cps.impl.PropertyAccessBlock.rawGet(PropertyAccessBlock.java:20)
      Caused: hudson.remoting.ProxyException: java.lang.ExceptionInInitializerError
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:93)
      	at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325)
      	at groovy.lang.MetaClassImpl.getProperty(MetaClassImpl.java:1855)
      	at groovy.lang.MetaClassImpl.getProperty(MetaClassImpl.java:3758)
      	at org.codehaus.groovy.runtime.InvokerHelper.getProperty(InvokerHelper.java:177)
      	at org.codehaus.groovy.runtime.ScriptBytecodeAdapter.getProperty(ScriptBytecodeAdapter.java:456)
      	at org.kohsuke.groovy.sandbox.impl.Checker$6.call(Checker.java:284)
      	at org.kohsuke.groovy.sandbox.GroovyInterceptor.onGetProperty(GroovyInterceptor.java:68)
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:334)
      	at org.kohsuke.groovy.sandbox.impl.Checker$6.call(Checker.java:282)
      	at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:286)
      	at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.getProperty(SandboxInvoker.java:29)
      	at com.cloudbees.groovy.cps.impl.PropertyAccessBlock.rawGet(PropertyAccessBlock.java:20)
      	at WorkflowScript.run(WorkflowScript:48)
      	at ___cps.transform___(Native Method)
      	at com.cloudbees.groovy.cps.impl.PropertyishBlock$ContinuationImpl.get(PropertyishBlock.java:74)
      	at com.cloudbees.groovy.cps.LValueBlock$GetAdapter.receive(LValueBlock.java:30)
      	at com.cloudbees.groovy.cps.impl.PropertyishBlock$ContinuationImpl.fixName(PropertyishBlock.java:66)
      	at sun.reflect.GeneratedMethodAccessor365.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
      	at com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21)
      	at com.cloudbees.groovy.cps.Next.step(Next.java:83)
      	at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:173)
      	at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:162)
      	at org.codehaus.groovy.runtime.GroovyCategorySupport$ThreadCategoryInfo.use(GroovyCategorySupport.java:122)
      	at org.codehaus.groovy.runtime.GroovyCategorySupport.use(GroovyCategorySupport.java:261)
      	at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:162)
      	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:19)
      	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:35)
      	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:32)
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:108)
      	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:32)
      	at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:174)
      	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:330)
      	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$100(CpsThreadGroup.java:82)
      	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:242)
      	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:230)
      	at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:64)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      	at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:112)
      	at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
      	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:748)
      

      A script to reproduce, along with a few control tests that do not throw the exception, is:

      class ConstantsControl {
        static HOWDY_FOLKS_FMT = 'Good day %s wherever you are in %s'
        
        //two args; last presumably autocasted to Object[]
        static HOWDY_INDUSTRIOUS_ENGINEERS = sprintf(
          HOWDY_FOLKS_FMT,
          [
            'engineers',
            'the world',
          ],
        )
      
        //3 args; variadic call String, Object...; last autocasted to Object[]
        String greeting = sprintf(
          HOWDY_FOLKS_FMT,
          'friends',
          'CI land',
        )
      }
      
      class ConstantsBoom {
        static HOWDY_FOLKS_FMT = 'Hello all you %s out there in %s'
        
        //MissingMethodException as below
        static HOWDY_JENKINS_DEVS = sprintf(
          HOWDY_FOLKS_FMT,
          'developers',
          'the Jenkins World',
        )
      }
      
      //Production: script-security 1.29 + workflow-cps 2.36
      //Local: script-security 1.31 + workflow-cps 2.39
      //
      //(control tests); no exceptions in either Jenkins instance
      echo ConstantsControl.HOWDY_INDUSTRIOUS_ENGINEERS
      
      cc = new ConstantsControl()
      echo cc.greeting
      
      //Production: script-security 1.29 + workflow-cps 2.36
      //no exception
      //
      //Local: script-security 1.31 + workflow-cps 2.39
      //hudson.remoting.ProxyException: groovy.lang.MissingMethodException: No 
      //signature of method: java.lang.Class.sprintf() is applicable for argument 
      //types: (java.lang.String, java.lang.String, java.lang.String) ...
      echo ConstantsBoom.HOWDY_JENKINS_DEVS
      

      As noted in the comments the variadic call in the static field works fine in the older production instance, and the variadic call in the instance field works fine in both instances. Plus there's the workaround of passing an ArrayList. The <clinit> context makes me wonder if this is similar to the recent issues with static initializers and final fields, but that's just a guess.

        Attachments

          Issue Links

            Activity

            Hide
            abayer Andrew Bayer added a comment -

            So: three months later, picking this up again. re uncapitalize(), as of Script Security 1.36, I'm getting

            org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.StringGroovyMethods uncapitalize java.lang.CharSequence
            

            Which is what I'd expect - it's not whitelisted, so...yeah.

            But regarding the original - that just gets weirder. I'm getting the following in the control case, for the instance field greeting:

            org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object (ConstantsControl sprintf java.lang.String java.lang.String java.lang.String)
            	at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:180)
            	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:135)
            	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:120)
            	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:153)
            	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:157)
            	at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$1.callStatic(Unknown Source)
            	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
            	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
            	at ConstantsControl.<init>(WorkflowScript:15)
            	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
            	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
            	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
            	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
            	at org.codehaus.groovy.reflection.CachedConstructor.invoke(CachedConstructor.java:83)
            	at org.codehaus.groovy.runtime.callsite.ConstructorSite$ConstructorSiteNoUnwrapNoCoerce.callConstructor(ConstructorSite.java:105)
            	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallConstructor(CallSiteArray.java:60)
            	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:235)
            	at org.kohsuke.groovy.sandbox.impl.Checker$3.call(Checker.java:198)
            	at org.kohsuke.groovy.sandbox.GroovyInterceptor.onNewInstance(GroovyInterceptor.java:42)
            	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onNewInstance(SandboxInterceptor.java:146)
            	at org.kohsuke.groovy.sandbox.impl.Checker$3.call(Checker.java:195)
            	at org.kohsuke.groovy.sandbox.impl.Checker.checkedConstructor(Checker.java:200)
            	at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.constructorCall(SandboxInvoker.java:21)
            	at WorkflowScript.run(WorkflowScript:38)
            ...
            

            If I comment out the initialization of ConstantsControl and echoing of cc.greeting, I get the original error on the static field. So...guh.

            Show
            abayer Andrew Bayer added a comment - So: three months later, picking this up again. re uncapitalize() , as of Script Security 1.36, I'm getting org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.StringGroovyMethods uncapitalize java.lang.CharSequence Which is what I'd expect - it's not whitelisted, so...yeah. But regarding the original - that just gets weirder. I'm getting the following in the control case, for the instance field greeting : org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang. String java.lang. Object (ConstantsControl sprintf java.lang. String java.lang. String java.lang. String ) at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:180) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:135) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:120) at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:153) at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:157) at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$1.callStatic(Unknown Source) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194) at ConstantsControl.<init>(WorkflowScript:15) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.codehaus.groovy.reflection.CachedConstructor.invoke(CachedConstructor.java:83) at org.codehaus.groovy.runtime.callsite.ConstructorSite$ConstructorSiteNoUnwrapNoCoerce.callConstructor(ConstructorSite.java:105) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallConstructor(CallSiteArray.java:60) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:235) at org.kohsuke.groovy.sandbox.impl.Checker$3.call(Checker.java:198) at org.kohsuke.groovy.sandbox.GroovyInterceptor.onNewInstance(GroovyInterceptor.java:42) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onNewInstance(SandboxInterceptor.java:146) at org.kohsuke.groovy.sandbox.impl.Checker$3.call(Checker.java:195) at org.kohsuke.groovy.sandbox.impl.Checker.checkedConstructor(Checker.java:200) at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.constructorCall(SandboxInvoker.java:21) at WorkflowScript.run(WorkflowScript:38) ... If I comment out the initialization of ConstantsControl and echoing of cc.greeting , I get the original error on the static field. So...guh.
            Hide
            abayer Andrew Bayer added a comment -

            Ok, script-security PR up at https://github.com/jenkinsci/script-security-plugin/pull/171 that fixes this. woo!

            Show
            abayer Andrew Bayer added a comment - Ok, script-security PR up at https://github.com/jenkinsci/script-security-plugin/pull/171 that fixes this. woo!
            Hide
            brianeray Brian Ray added a comment -

            Woo! indeed. Thanks.

            And I just retried the uncapitalize() method again on my local Jenkins. It behaved just like you found. After I whitelisted it, it worked fine.

            Show
            brianeray Brian Ray added a comment - Woo! indeed. Thanks. And I just retried the uncapitalize() method again on my local Jenkins. It behaved just like you found. After I whitelisted it, it worked fine.
            Hide
            abayer Andrew Bayer added a comment -

            In 1.38, releasing shortly.

            Show
            abayer Andrew Bayer added a comment - In 1.38, releasing shortly.
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Andrew Bayer
            Path:
            src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovyCallSiteSelector.java
            src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java
            http://jenkins-ci.org/commit/script-security-plugin/66a5ea87fc2ebfe48063dc0ee9d11d737621009d
            Log:
            [FIXED JENKINS-46213] Treat trailing array params as varargs

            Groovy's method lookup logic will treat `sprintf(fmt, "string", "other
            string")` the same as `sprintf(fmt, ["string", "other string"])`. We
            should emulate that.

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Andrew Bayer Path: src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovyCallSiteSelector.java src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java http://jenkins-ci.org/commit/script-security-plugin/66a5ea87fc2ebfe48063dc0ee9d11d737621009d Log: [FIXED JENKINS-46213] Treat trailing array params as varargs Groovy's method lookup logic will treat `sprintf(fmt, "string", "other string")` the same as `sprintf(fmt, ["string", "other string"] )`. We should emulate that.

              People

              • Assignee:
                abayer Andrew Bayer
                Reporter:
                brianeray Brian Ray
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: