JENKINS-50463

JEP-200: UnsupportedOperationException: Refusing to marshal net.sf.json.JSONObject for security reasons

      Description

      Persisting the global consul plugin configuration to disk isn't working.

      Looks to be broken by JEP-200: Switch Remoting/XStream blacklist to a whitelist (https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc).

      Jenkins server log:

      WARNING Failed to save /var/jenkins_home/com.inneractive.jenkins.plugins.consul.configurations.ConsulGlobalConfigurations.xml
      java.io.IOException: java.lang.RuntimeException: Failed to serialize com.inneractive.jenkins.plugins.consul.configurations.ConsulGlobalConfigurations$DescriptorImpl#configurationsList for class com.inneractive.jenkins.plugins.consul.configurations.ConsulGlobalConfigurations$DescriptorImpl
      ...
      Caused by: java.lang.UnsupportedOperationException: Refusing to marshal net.sf.json.JSONObject for security reasons; see https://jenkins.io/redirect/class-filter/
      at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:543)
      at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
      at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
      at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
      at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
      at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
      ... 107 more

          Activity

          entelo_ops Fred Vogt added a comment -

          lioz nudel in my case this isn't an adaption blocker for us.

          We configure plugin global config at Jenkins startup using groovy hook scripts.

          oleg_nenashev Oleg Nenashev added a comment -

          So it fails here: https://github.com/jenkinsci/consul-plugin/blob/b2e9843866b79e76d5ab4a16701384d141ea5452/src/main/java/com/inneractive/jenkins/plugins/consul/configurations/ConsulGlobalConfigurations.java#L22
          I confirm the issue, and it will require a complicated fix in order to have a data migration from previous instances (Jenkins 2.102+ will just refuse to load the config since JSONObject is blacklisted). OTOH, a partial fix like JENKINS-50303 could be applied (data migration happens only for pre-JEP-200 instances).

          The plugin has fewer than 100 installations, and I doubt JEP-200 maintainers will have capacity to work on it soon. A fix similar to https://github.com/jenkinsci/mesos-plugin/commit/f305f0a3b9b401ab4ed2b44a798757668a1e41a8 can be implemented; in the worst case, JSON can just be stored as a string.
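
The "store JSON as a string" fallback mentioned in the comment above, as an added example that is neither the consul plugin's code nor the linked mesos-plugin commit. The class and field names are hypothetical, and it assumes the configuration is a list of JSON objects; it covers new saves only and does not migrate XML written before the change.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import net.sf.json.JSONException;
import net.sf.json.JSONObject;

// Hypothetical holder class for illustration; not the consul plugin's code.
public class JsonAsStringConfig {
    // Persisted by XStream. java.lang.String passes the JEP-200 class filter;
    // net.sf.json.JSONObject is refused with UnsupportedOperationException.
    private List<String> configurationsJson = new ArrayList<>();

    // Parsed view, rebuilt on demand. Transient fields are not marshalled.
    private transient List<JSONObject> parsed;

    public synchronized void setConfigurations(List<JSONObject> configs) {
        List<String> serialized = new ArrayList<>();
        for (JSONObject c : configs) {
            serialized.add(c.toString()); // compact JSON text
        }
        configurationsJson = serialized;
        parsed = null; // invalidate the cached parsed view
    }

    public synchronized List<JSONObject> getConfigurations() {
        if (parsed == null) {
            List<JSONObject> result = new ArrayList<>();
            // The field can be null after deserialization if the XML on
            // disk has no such element.
            if (configurationsJson != null) {
                for (String s : configurationsJson) {
                    try {
                        result.add(JSONObject.fromObject(s));
                    } catch (JSONException e) {
                        // Hand-edited or truncated entry: skip it rather
                        // than fail loading the whole configuration.
                    }
                }
            }
            parsed = Collections.unmodifiableList(result);
        }
        return parsed;
    }
}
```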


            People

            • Assignee:
              liozn lioz nudel
              Reporter:
              entelo_ops Fred Vogt