  1. Jenkins
  2. JENKINS-49597

Scripts not permitted to use staticMethod <Serializable object>

      Description

      The following code works well on Pipeline: Supporting APIs v 2.17 but stopped working after upgrading to 2.18:

      class Emails implements Serializable {
      public final static List<String> TEAM_FOO = [NO_REPLY, NO_REPLY2]
      public final static String NO_REPLY = "no-reply@example.com"
      public final static String NO_REPLY2 = "no-reply@example.com"
      }
      timestamps {
        node('master') {
          def emails = Emails.TEAM_FOO
        }
      }

      Exception is:

      org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticField Emails NO_REPLY
      at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectStaticField(StaticWhitelist.java:199)
      at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor$14.reject(SandboxInterceptor.java:372)
      at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:381)
      at org.kohsuke.groovy.sandbox.impl.Checker$6.call(Checker.java:284)
      at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:288)
      at org.kohsuke.groovy.sandbox.impl.Checker$checkedGetProperty.callStatic(Unknown Source)
      at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
      at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
      at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:230)
      at Emails.<clinit>(WorkflowScript:5)
       

      It can be partially fixed by whitelisting the following signatures:

      public final static String NO_REPLY

      public final static String NO_REPLY2 

      etc...

       

      The problem is that there are LOTS of such constants in real code, which makes it difficult to whitelist them all.

            Activity

            abayer Andrew Bayer added a comment -

            Looks like this would probably be related to SECURITY-699 - Jesse Glick, any thoughts?

            t_richter Tobias Richter added a comment - - edited

            We are also experiencing this issue.

            Steps to reproduce:

            1. Create a folder and add a folder library definition for https://github.com/wcm-io-devops/jenkins-pipeline-library with version master and name "pipelineLibrary"
            2. Create a new Pipeline Job inside this folder with
              1. src: https://github.com/wcm-io-devops/jenkins-pipeline-library.git
              2. Script Path: jenkinsfiles/integration-tests.groovy
            3. Run the Job

            Output:

            
            org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel TRACE
             at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectStaticField(StaticWhitelist.java:199)
             at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor$14.reject(SandboxInterceptor.java:372)
             at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:381)
             at org.kohsuke.groovy.sandbox.impl.Checker$6.call(Checker.java:284)
             at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:288)
             at org.kohsuke.groovy.sandbox.impl.Checker$checkedGetProperty.callStatic(Unknown Source)
             at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
             at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
             at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:230)
             at io.wcm.devops.jenkins.pipeline.utils.logging.Logger.<clinit>(Logger.groovy:47)
            
            

            Logger Class: https://github.com/wcm-io-devops/jenkins-pipeline-library/blob/master/src/io/wcm/devops/jenkins/pipeline/utils/logging/LogLevel.groovy

            From my point of view it should be possible to access static fields of Pipeline Library Classes.

            bpfh Sami Lempinen added a comment -

            We have been bitten by this also, as a result of an upgrade yesterday.

            Our Jenkinsfiles and libraries utilise the static field access extensively. Our only option seems to be to either downgrade or disable script security altogether.
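
Added example, not part of the original issue or of any Jenkins code: when many constants are rejected, one way to see what would have to be approved is to pull the rejected signatures out of build console logs, deduplicate them, and separate rejections for classes the team owns from everything else before anyone approves anything. The sample log is constructed from the exception messages quoted in this issue; the `owned_prefixes` list and the REVIEW/own-code labels are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Signature kinds that Script Security uses in its rejection messages.
KINDS = ("staticField", "staticMethod", "field", "method", "new")
REJECTION = re.compile(
    r"RejectedAccessException: Scripts not permitted to use "
    r"(?P<kind>" + "|".join(KINDS) + r") (?P<sig>\S.*?)\s*$"
)

# Constructed console-log excerpt built from the messages quoted in this issue.
SAMPLE_LOG = """\
[Pipeline] node
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticField Emails NO_REPLY
    at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectStaticField(StaticWhitelist.java:199)
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel TRACE
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticField Emails NO_REPLY
"""

def collect_rejections(log_text):
    """Return {class_name: sorted unique 'kind class member' signatures}."""
    by_class = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECTION.search(line)
        if not m:
            continue  # stack frames and ordinary log output
        sig = m.group("sig")
        owner = sig.split(" ", 1)[0]  # first token is the declaring class
        by_class[owner].add(f"{m.group('kind')} {sig}")
    return {cls: sorted(sigs) for cls, sigs in sorted(by_class.items())}

def needs_review(class_name, owned_prefixes):
    """True when the class is outside the packages the team owns (assumed list)."""
    return not any(class_name == p or class_name.startswith(p + ".")
                   for p in owned_prefixes)

def report(log_text, owned_prefixes):
    """One line per unique signature, flagged for closer review if not owned."""
    lines = []
    for cls, sigs in collect_rejections(log_text).items():
        flag = "REVIEW" if needs_review(cls, owned_prefixes) else "own-code"
        lines.extend(f"{flag:8} {s}" for s in sigs)
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG, ["Emails", "io.wcm.devops"])))
```
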


              People

              • Assignee: Unassigned
              • Reporter: berestoff veniamin b
              • Votes: 4
              • Watchers: 8
