JENKINS-47159

Check for varargs in script-security plugin fails

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: script-security-plugin
    • Labels:
      None
    • Environment:
      Jenkins 2.46, script-security-plugin 1.35-SNAPSHOT

      Description

      This is my script (not a pipeline - just a system Groovy script):

      params = [new StringParameterValue('GIT_PUSH_USER', 'builder'),
                new StringParameterValue("SHA1", '9df4d51934c3f39663c5dbc1e08c09775b45c61f'),
                new BooleanParameterValue('TEST_ONLY_CHANGED', false)]

      parmAction = new ParametersAction(params)

       

      Causes failure with:

      org.codehaus.groovy.runtime.typehandling.GroovyCastException: Cannot cast object '[(StringParameterValue) GIT_PUSH_USER='builder', (StringParameterValue) SHA1='9df4d51934c3f39663c5dbc1e08c09775b45c61f' (BooleanParameterValue) TEST_ONLY_CHANGED='false']' with class 'java.util.ArrayList' to class 'hudson.model.ParameterValue' due to: groovy.lang.GroovyRuntimeException: Could not find matching constructor for: hudson.model.ParameterValue(hudson.model.StringParameterValue, hudson.model.StringParameterValue,hudson.model.BooleanParameterValue)
      at org.codehaus.groovy.runtime.typehandling.DefaultTypeTransformation.continueCastOnSAM(DefaultTypeTransformation.java:403)
      at org.codehaus.groovy.runtime.typehandling.DefaultTypeTransformation.continueCastOnNumber(DefaultTypeTransformation.java:319)
      at org.codehaus.groovy.runtime.typehandling.DefaultTypeTransformation.castToType(DefaultTypeTransformation.java:232)
      at org.codehaus.groovy.runtime.typehandling.DefaultTypeTransformation.castToVargsArray(DefaultTypeTransformation.java:881)
      at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovyCallSiteSelector.parametersForVarargs(GroovyCallSiteSelector.java:103)
      at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovyCallSiteSelector.matches(GroovyCallSiteSelector.java:52)
      at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovyCallSiteSelector.constructor(GroovyCallSiteSelector.java:164)
      at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onNewInstance(SandboxInterceptor.java:142)
      at org.kohsuke.groovy.sandbox.impl.Checker$3.call(Checker.java:195)
      at org.kohsuke.groovy.sandbox.impl.Checker.checkedConstructor(Checker.java:200)
      at org.kohsuke.groovy.sandbox.impl.Checker$checkedConstructor.callStatic(Unknown Source)
      at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
      at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
      at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:214)
      at Script1.run(Script1.groovy:13)
      at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:141)
      at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript.evaluate(SecureGroovyScript.java:165)
      at hudson.plugins.groovy.SystemGroovy.run(SystemGroovy.java:95)
      at hudson.plugins.groovy.SystemGroovy.perform(SystemGroovy.java:59)
      at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
      at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:779)
      at hudson.model.Build$BuildExecution.build(Build.java:205)
      at hudson.model.Build$BuildExecution.doRun(Build.java:162)
      at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:534)
      at hudson.model.Run.execute(Run.java:1741)
      at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
      at hudson.model.ResourceController.execute(ResourceController.java:98)
      at hudson.model.Executor.run(Executor.java:410)

            Activity

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Andrew Bayer
            Path:
            src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovyCallSiteSelector.java
            src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovyCallSiteSelectorTest.java
            http://jenkins-ci.org/commit/script-security-plugin/fdf28858e4309f4e094b30bde47c10e9b5889f6e
            Log:
            [FIXED JENKINS-47159] Set proper vargs location

            We shouldn't be starting looking for vargs until we've got to the
            index of the last parameter type and that last parameter type is an
            array. So...tada.

            tro Tomáš Rohrbacher added a comment - - edited

            I can confirm that this bug is in script-security-plugin v.1.26 as well as 1.29.1 running on Jenkins v. 1.651.3.

             

            Code:

            def PARAM = "param"
            build.addAction(new ParametersAction(
             new StringParameterValue('PARAM', PARAM)
            ));
            

            as well as:

            build.addAction(new ParametersAction(
                new StringParameterValue("param1", param1),
                new StringParameterValue("param2", param2)
            ));

            yields the following error:
            ERROR: Build step failed with exception
            java.lang.IllegalArgumentException: array element type mismatch
            at java.lang.reflect.Array.set(Native Method)
            at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovyCallSiteSelector.parametersForVarargs(GroovyCallSiteSelector.java:102)
            at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovyCallSiteSelector.matches(GroovyCallSiteSelector.java:49)
            at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovyCallSiteSelector.constructor(GroovyCallSiteSelector.java:162)
            at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onNewInstance(SandboxInterceptor.java:124)
            at org.kohsuke.groovy.sandbox.impl.Checker$3.call(Checker.java:191)
            at org.kohsuke.groovy.sandbox.impl.Checker.checkedConstructor(Checker.java:188)
            at org.kohsuke.groovy.sandbox.impl.Checker$checkedConstructor.callStatic(Unknown Source)
            at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:50)
            at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:157)
            at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:169)
            at Script1.run(Script1.groovy:48)
            at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:141)
            at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript.evaluate(SecureGroovyScript.java:163)
            at hudson.plugins.groovy.SystemGroovy.run(SystemGroovy.java:95)
            at hudson.plugins.groovy.SystemGroovy.perform(SystemGroovy.java:59)
            at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
            at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:782)
            at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.build(MavenModuleSetBuild.java:945)
            at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.doRun(MavenModuleSetBuild.java:683)
            at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:534)
            at hudson.model.Run.execute(Run.java:1738)
            at hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:543)
            at hudson.model.ResourceController.execute(ResourceController.java:98)
            at hudson.model.Executor.run(Executor.java:410)
            Build step 'Execute system Groovy script' marked build as failure
             

            Workaround

            I am attempting to overcome this issue by calling the only constructor that is not overloaded – the two parameter ParametersAction(List<ParameterValue> parameters, Collection<String> additionalSafeParameters) constructor.

            ParameterValue[] params = [
            		new StringParameterValue("param1", param1),
            		new StringParameterValue("param2", param2),
            ]
            String [] safeParams = []
            // XXX because of JENKINS-47159
            build.addAction (new ParametersAction(params, safeParams));
            

             

            I think that this is a severe issue for all of the Jenkins users that use Groovy scripting.
            Hell, this usage is even written in the first example on the official jenkins-groovy-plugin page.

            antweiss Anton Weiss added a comment -

            Yes, I did. 

            This is happening in an unreleased version and is caused by a fix introduced for JENKINS-44557.

            So not really a duplicate.

            jglick Jesse Glick added a comment -

            Have you checked the open issues in this component for duplicates?

            antweiss Anton Weiss added a comment -

            Yep,

            there's an issue.

            In the following script:

            def t = Hudson.instance.getJob("test")
            params = [new BooleanParameterValue ('FLAG',true)]
            parmAction = new ParametersAction(params)
            future = t.scheduleBuild2(0, new Cause.UpstreamCause(build), parmAction)
            

            I'm getting:

            org.codehaus.groovy.runtime.typehandling.GroovyCastException: Cannot cast object 'job/check/59[hudson.model.Cause$UserIdCause@1f]' with class 'hudson.model.Cause$UpstreamCause' to class 'hudson.model.Action'
            at org.codehaus.groovy.runtime.typehandling.DefaultTypeTransformation.continueCastOnSAM(DefaultTypeTransformation.java:405)
            at org.codehaus.groovy.runtime.typehandling.DefaultTypeTransformation.continueCastOnNumber(DefaultTypeTransformation.java:319)
            at org.codehaus.groovy.runtime.typehandling.DefaultTypeTransformation.castToType(DefaultTypeTransformation.java:232)
            at org.codehaus.groovy.runtime.typehandling.DefaultTypeTransformation.castToVargsArray(DefaultTypeTransformation.java:881)
            at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovyCallSiteSelector.parametersForVarargs(GroovyCallSiteSelector.java:103)
            at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovyCallSiteSelector.matches(GroovyCallSiteSelector.java:51)
            at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovyCallSiteSelector.findMatchingMethod(GroovyCallSiteSelector.java:195)
            at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovyCallSiteSelector.method(GroovyCallSiteSelector.java:146)
            at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:87)
            at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:153)
            at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:157)
            at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source)
            at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
            at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
            at Script1.run(Script1.groovy:14)
             

            Because we should be passing in the varargs position (fixedLen) and not the arrayLength.

             

             

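The rule stated in the commit message and in the comment above (varargs collection starts at `fixedLen`, the index of the last parameter type, and only when that type is an array), as an added Java illustration that is not the script-security plugin's code. `packVarargs`, `Cause` and `Action` are stand-ins defined here, and the `(Integer, Cause, Action...)` signature is an assumed shape for the `scheduleBuild2` call in that comment.

```java
import java.lang.reflect.Array;
import java.util.Arrays;

// Added illustration; not the script-security plugin's code.
public class VarargsPacking {
    // Stand-ins for the types in the failing call; not hudson.model classes.
    static class Cause {}
    static class Action {}

    /**
     * Packs trailing call arguments into the varargs array of a signature, or
     * returns null when the call cannot match it. Primitive parameter types
     * are not handled here; use wrapper types.
     */
    static Object[] packVarargs(Class<?>[] parameterTypes, Object[] args) {
        if (parameterTypes.length == 0) return null;
        int fixedLen = parameterTypes.length - 1;   // index of the last parameter type
        Class<?> last = parameterTypes[fixedLen];
        if (!last.isArray() || args.length < fixedLen) return null;

        // Arguments before fixedLen are matched one for one, never packed.
        for (int i = 0; i < fixedLen; i++) {
            if (args[i] != null && !parameterTypes[i].isInstance(args[i])) return null;
        }
        // Caller already supplied an array of the right type: nothing to pack.
        if (args.length == parameterTypes.length && last.isInstance(args[fixedLen])) {
            return args;
        }
        Class<?> component = last.getComponentType();
        Object tail = Array.newInstance(component, args.length - fixedLen);
        for (int i = fixedLen; i < args.length; i++) {
            // Checking first avoids the IllegalArgumentException from Array.set.
            if (args[i] != null && !component.isInstance(args[i])) return null;
            Array.set(tail, i - fixedLen, args[i]);
        }
        Object[] packed = Arrays.copyOf(args, parameterTypes.length, Object[].class);
        packed[fixedLen] = tail;
        return packed;
    }

    public static void main(String[] unused) {
        Class<?>[] signature = {Integer.class, Cause.class, Action[].class}; // assumed shape
        Object[] ok = packVarargs(signature, new Object[] {0, new Cause(), new Action()});
        System.out.println("packed actions: " + ((Action[]) ok[2]).length);

        // A Cause in the varargs position is rejected as a non-match, not cast.
        Object[] bad = packVarargs(signature, new Object[] {0, new Cause(), new Cause()});
        System.out.println("mismatch rejected: " + (bad == null));

        // Zero trailing arguments still yields an empty Action[] at fixedLen.
        Object[] none = packVarargs(signature, new Object[] {0, new Cause()});
        System.out.println("empty varargs: " + ((Action[]) none[2]).length);
    }
}
```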

              People

              • Assignee:
                abayer Andrew Bayer
                Reporter:
                antweiss Anton Weiss
              • Votes:
                3
                Watchers:
                6