  1. Jenkins
  2. JENKINS-49788

ConcurrentLinkedQueue is missing from whitelisted-classes.txt

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: core
    • Environment:
      Jenkins v 2.109

      java version "1.8.0_161"
      Java(TM) SE Runtime Environment (build 1.8.0_161-b12)
      Java HotSpot(TM) 64-Bit Server VM (build 25.161-b12, mixed mode)
      Description

      We make use of the ConcurrentLinkedQueue class, which is not white-listed like other concurrent collections are. The unmarshalling and marshalling of the field fails with the following error:

      Feb 28, 2018 9:08:22 AM WARNING jenkins.security.ClassFilterImpl lambda$isBlacklisted$1
      java.util.concurrent.ConcurrentLinkedQueue in JRE might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/

      java.lang.UnsupportedOperationException: Refusing to marshal java.util.concurrent.ConcurrentLinkedQueue for security reasons; see https://jenkins.io/redirect/class-filter/
          at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:543)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
          at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
          at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
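
A minimal model of the allowlist check behind this error, added here as an example; it is not Jenkins code. It uses the JDK's `ObjectInputFilter` (Java 9+) on Java serialization rather than Jenkins's `ClassFilterImpl` and XStream path, and the class `AllowlistDemo` and its short allowlist are constructed for illustration.

```java
import java.io.*;
import java.util.*;
import java.util.concurrent.*;

// Added example (not Jenkins code): a class allowlist enforced at deserialization time.
public class AllowlistDemo {
    // Constructed allowlists, one class name per line with '#' comments (assumed format).
    static final String BEFORE = "# constructed sample\n"
            + "java.lang.String\n"
            + "java.util.concurrent.CopyOnWriteArrayList\n";
    static final String AFTER = BEFORE + "java.util.concurrent.ConcurrentLinkedQueue\n";

    static Set<String> parse(String text) {
        Set<String> names = new HashSet<>();
        for (String line : text.split("\n")) {
            line = line.trim();
            if (!line.isEmpty() && !line.startsWith("#")) names.add(line);
        }
        return names;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    // Deserialize under the allowlist; any class not listed is refused before instantiation.
    static String tryRead(byte[] data, Set<String> allow) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(info -> {
                Class<?> c = info.serialClass();
                // null: depth/size callback only. Arrays: each element's class is checked itself.
                if (c == null || c.isArray()) return ObjectInputFilter.Status.UNDECIDED;
                return allow.contains(c.getName())
                        ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
            });
            return "accepted " + in.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] list = serialize(new CopyOnWriteArrayList<>(List.of("a", "b")));
        byte[] queue = serialize(new ConcurrentLinkedQueue<>(List.of("a", "b")));
        System.out.println(tryRead(list, parse(BEFORE)));   // listed concurrent collection
        System.out.println(tryRead(queue, parse(BEFORE)));  // queue missing from the list
        System.out.println(tryRead(queue, parse(AFTER)));   // same bytes after adding the entry
    }
}
```

The same serialized queue is refused or accepted purely on whether its class name is in the list, which is why the fix for this issue is a one-line addition to `whitelisted-classes.txt`.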

          Activity

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Carl-Frederik Hallberg
          Path:
          core/src/main/resources/jenkins/security/whitelisted-classes.txt
          http://jenkins-ci.org/commit/jenkins/e5f61e29e260688d7d73339202c22ca199535018
          Log:
          JENKINS-49788 Added ConcurrentLinkedQueue to whitelisted classes. (#3315)

          oleg_nenashev Oleg Nenashev added a comment -

          Added lts-candidate so that we consider that for 2.107.x.

          FTR I do not see affected plugins in Jenkins org: https://github.com/search?p=1&q=org%3Ajenkinsci+ConcurrentLinkedQueue&type=Code . But it is still reasonable since other collections are whitelisted, and the issue may potentially impact other plugins not hosted in the Jenkins UC.

          oleg_nenashev Oleg Nenashev added a comment -

          The fix has been integrated towards 2.110. It has not been included in the 2.107.1 release candidate, but it will likely land in 2.107.2.

          tfiskgul Carl-Frederik Hallberg added a comment -

          Great, thanks =)

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Carl-Frederik Hallberg
          Path:
          core/src/main/resources/jenkins/security/whitelisted-classes.txt
          http://jenkins-ci.org/commit/jenkins/e43f90b256914fb091a7718d34985ef543833768
          Log:
          JENKINS-49788 Added ConcurrentLinkedQueue to whitelisted classes. (#3315)

          (cherry picked from commit e5f61e29e260688d7d73339202c22ca199535018)


            People

            • Assignee:
              oleg_nenashev Oleg Nenashev
              Reporter:
              tfiskgul Carl-Frederik Hallberg