Jenkins / JENKINS-46391

Neither ~/foo/ nor java.util.regex.Pattern.compile("foo") are whitelisted

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: script-security-plugin
    • Labels:
      None
    • Environment:
      workflow-cps 2.39, script-security 1.33

      Description

      Outside the sandbox, the following will correctly echo java.util.regex.Pattern

      def f = ~/foo/
      echo f.class.toString()
      

      But when sandboxed, it barfs with RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter bitwiseNegate java.lang.Object.

      This is distinct to CPS-transformed code - if that's in a @NonCPS method or any other non-CPS sandboxed code, it works fine. Somehow we're misidentifying the ~/foo/ in sandboxed CPS code.

      EDIT: Amending to include the fact that staticMethod java.util.regex.Pattern compile java.lang.String is not whitelisted. That should be fixed too.

            Activity

            Andrew Bayer (abayer) added a comment -

            Well, this is goofier than I thought. Turns out StringGroovyMethods.bitwiseNegate(String) actually returns a Pattern. Waaaaaat. So I guess this is simple enough to add to the whitelist.

            Andrew Bayer (abayer) added a comment -

            PRs up at script-security with the actual fix and workflow-cps verifying it.

            SCM/JIRA link daemon (scm_issue_link) added a comment -

            Code changed in jenkins
            User: Andrew Bayer
            Path:
            src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist
            src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java
            http://jenkins-ci.org/commit/script-security-plugin/3358ff52906ae83202e5b6c95a46eecdae0ee864
            Log:
            [FIXED JENKINS-46391] Fix ~/foo/ and whitelist other Pattern stuff

            CPS code ends up calling `~/foo/` as
            `ScriptBytecodeAdapter.bitwiseNegate(Object)`, so we need to whitelist
            that. Through whacky Groovy magic, that'll end up resulting in a call
            behind the scenes to
            `StringGroovyMethods.bitwiseNegate(CharSequence)`, which returns... a
            `Pattern`. Because of course it does. So tada.

            Also whitelisted `Pattern.compile(String)` and
            `Pattern#matcher(CharSequence)` since they seem worth whitelisting
            while we're doing `Pattern`-related stuff.
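            To see the dispatch chain the commit message describes in plain Groovy, here is an added example; it is not code from this issue, from the script-security plugin or from its tests. It assumes a Groovy 2.x runtime (where StringGroovyMethods.bitwiseNegate(CharSequence) exists) and runs outside any sandbox, so nothing here is subject to the whitelist.

```groovy
import java.util.regex.Pattern
import org.codehaus.groovy.runtime.ScriptBytecodeAdapter
import org.codehaus.groovy.runtime.StringGroovyMethods

// 1. Ordinary Groovy source: the prefix ~ on a slashy string is the
//    bitwiseNegate operator, and for a CharSequence it yields a Pattern.
Pattern fromOperator = ~/foo/
assert fromOperator instanceof Pattern
assert fromOperator.pattern() == 'foo'

// 2. What CPS-transformed code emits for the same expression: a static call
//    on ScriptBytecodeAdapter with the operand typed as Object. This is the
//    signature the sandbox reported as not whitelisted in the issue.
Object fromAdapter = ScriptBytecodeAdapter.bitwiseNegate('foo')
assert fromAdapter instanceof Pattern
assert ((Pattern) fromAdapter).pattern() == 'foo'

// 3. Where that call lands through Groovy's runtime dispatch: the
//    CharSequence overload in StringGroovyMethods, which returns a Pattern.
Pattern fromStringMethods = StringGroovyMethods.bitwiseNegate((CharSequence) 'foo')
assert fromStringMethods.pattern() == 'foo'

// 4. The direct route, also reported as not whitelisted in the EDIT above,
//    together with the matcher call the commit whitelists alongside it.
Pattern compiled = Pattern.compile('foo')
assert compiled.matcher('foobar').lookingAt()
assert !compiled.matcher('bar').lookingAt()

// All four objects are equivalent Patterns; only the sandbox sees them
// differently, because it intercepts the call site, not the result.
assert [fromOperator, fromAdapter, fromStringMethods, compiled]*.pattern().unique() == ['foo']
```

            In the generic-whitelist format, which the RejectedAccessException message in the description already uses, steps 2 and 4 correspond to the entries staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter bitwiseNegate java.lang.Object and staticMethod java.util.regex.Pattern compile java.lang.String; my reading of the commit's `Pattern#matcher(CharSequence)` is the instance-method entry method java.util.regex.Pattern matcher java.lang.CharSequence. The exact lines added in commit 3358ff5 are not reproduced on this page, so treat those as assumptions.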

            Andrew Bayer (abayer) added a comment -

            Merged - will be in next script-security release (1.34). Need to remember to update/merge https://github.com/jenkinsci/workflow-cps-plugin/pull/169 then too.

            SCM/JIRA link daemon (scm_issue_link) added a comment -

            Code changed in jenkins
            User: Andrew Bayer
            Path:
            pom.xml
            src/test/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition2Test.java
            http://jenkins-ci.org/commit/workflow-cps-plugin/11a0698d35a6c3c7f6230a0e977dc5b3df3853d9
            Log:
            JENKINS-46391 Test verifying CPS-specific ~/foo/ behavior

            Downstream of https://github.com/jenkinsci/script-security-plugin/pull/146

            SCM/JIRA link daemon (scm_issue_link) added a comment -

            Code changed in jenkins
            User: Andrew Bayer
            Path:
            src/test/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition2Test.java
            http://jenkins-ci.org/commit/workflow-cps-plugin/b8da29173f91a95973ecbfa63806940f465666ff
            Log:
            Merge pull request #169 from abayer/jenkins-46391

            JENKINS-46391 Test verifying CPS-specific ~/foo/ behavior

            Compare: https://github.com/jenkinsci/workflow-cps-plugin/compare/1c6e51ab0e13...b8da29173f91


              People

              • Assignee: Andrew Bayer (abayer)
              • Reporter: Andrew Bayer (abayer)
              • Votes: 0
              • Watchers: 2
