JENKINS-50470

Cannot evaluate ArrayList.name inside Groovy Sandbox

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: script-security-plugin
    • Labels:
      None
    • Environment:
      Jenkins 2.89.x
      Script Security 1.39 & 1.43

      Description

      Steps to reproduce:

      1. Create a freestyle job
      2. Add "Execute system Groovy script" build step
      3. Add content (see below)
      4. Run build with "Use Groovy Sandbox" enabled.
      5. Run without "Use Groovy Sandbox" enabled

      Script content:

      def someArrayList = []
      
      println someArrayList.name
      

      This works with Sandbox disabled. When enabled, the following exception is thrown:

      ERROR: Build step failed with exception
      org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: No such field found: field java.util.ArrayList name
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.unclassifiedField(SandboxInterceptor.java:397)
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:381)
      	at org.kohsuke.groovy.sandbox.impl.Checker$6.call(Checker.java:288)
      	at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:292)
      	at org.kohsuke.groovy.sandbox.impl.Checker$checkedGetProperty.callStatic(Unknown Source)
      	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
      	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
      	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:230)
      	at Script1.run(Script1.groovy:3)
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:141)
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript.evaluate(SecureGroovyScript.java:333)
      	at hudson.plugins.groovy.SystemGroovy.run(SystemGroovy.java:95)
      	at hudson.plugins.groovy.SystemGroovy.perform(SystemGroovy.java:59)
      	at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:744)
      	at hudson.model.Build$BuildExecution.build(Build.java:206)
      	at hudson.model.Build$BuildExecution.doRun(Build.java:163)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:504)
      	at hudson.model.Run.execute(Run.java:1724)
      	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
      	at hudson.model.ResourceController.execute(ResourceController.java:97)
      	at hudson.model.Executor.run(Executor.java:429)
      Build step 'Execute system Groovy script' marked build as failure
      Finished: FAILURE
      

      It looks like, outside the sandbox, Groovy evaluates

      someArrayList.name
      

      to

      someArrayList.collect { it.name } 
      

      but inside the sandbox, this doesn't happen.

      Feedback from Andrew:

      fwiw, it's https://github.com/apache/groovy/blob/eedc6bfcd134749e7d76b05031dfbd914cec2d6e/src/main/org/codehaus/groovy/runtime/DefaultGroovyMethods.java#L7855 we need to somehow handle - we have to check the contents of the list to see if the objects in there can have that field accessed.

      The workaround currently is to change to using:

      someArrayList.collect { it.name }
      

      when using the sandbox.
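
The check Andrew describes, sketched as an added example (not script-security's code and not part of the issue): when the list itself has no such property, every element must pass the same allow-list test before the spread read is performed. `PropertyGuard`, `Job`, `Secret` and the allow-list contents are hypothetical.

```groovy
import org.codehaus.groovy.runtime.InvokerHelper

// Constructed sample types; only Job.name is allow-listed below.
class Job    { String name }
class Secret { String name }

// Hypothetical model of a sandbox property check (not script-security's classes).
class PropertyGuard {
    // (class, property) pairs a sandboxed script may read.
    Set<List> allowed = [[Job, 'name']] as Set

    def read(Object receiver, String property) {
        if (receiver == null) {
            throw new SecurityException("Cannot read '${property}' on null")
        }
        def type = receiver.getClass()
        // Case 1: the receiver itself exposes the property (field or getter).
        if (InvokerHelper.getMetaClass(receiver).hasProperty(receiver, property) != null) {
            if (!allowed.contains([type, property])) {
                throw new SecurityException("Not allow-listed: ${type.name}.${property}")
            }
            return InvokerHelper.getProperty(receiver, property)
        }
        // Case 2: a collection without that property. Groovy would spread the
        // read over the elements, so each element must pass the same check.
        if (receiver instanceof Collection) {
            return receiver.collect { read(it, property) }
        }
        throw new SecurityException("No such property: ${type.name}.${property}")
    }
}

def guard = new PropertyGuard()
def jobs = [new Job(name: 'build'), new Job(name: 'deploy')]
assert guard.read(jobs, 'name') == ['build', 'deploy']
assert guard.read([], 'name') == []   // the empty list from the report

// A single element outside the allow-list rejects the whole access.
try {
    guard.read(jobs + new Secret(name: 'token'), 'name')
    assert false : 'expected rejection'
} catch (SecurityException e) {
    println "rejected: ${e.message}"
}
```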

          Activity

          abayer Andrew Bayer added a comment -

          Will be in next release of script-security, presumably 1.44.

          varju Alex Varju added a comment -

          I'm seeing very similar behaviour with 1.44.  In my freestyle job I've got this Groovy:

          def someList = [1, 2, 3]
          println someList.size
          

          When the sandbox is enabled, this ends up throwing:

          RejectedAccessException: No such field found: field java.lang.Integer size
          

          Changing the list to contain strings changes the error to:

          RejectedAccessException: No such field found: field java.lang.String size
          
          mmicu__ Marco Moikl added a comment -

          Alex Varju, did you solve the issue? I have the same problem.

          varju Alex Varju added a comment - edited

          Unfortunately, no. In the case above, I had to refactor my code to use someList.size()

          Since commenting previously, I've encountered at least one other example of a similar failure:

          def tuple = new Tuple2( 'a', 'b' )
          println tuple.first
          

          Which results in:

          RejectedAccessException: No such field found: field java.lang.String first
          

          And again, changing tuple.first to tuple.getFirst() works around the issue.

          dburmistrov Dmitry Burmistrov added a comment -

          I faced the same issue with 1.44:

          println 'test,value'.tokenize(',').size
          
          org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: No such field found: field java.lang.String size
          

          It works with 1.42. The workaround is to use `size()` instead.

            People

            • Assignee:
              abayer Andrew Bayer
              Reporter:
              owood Owen Wood