Jenkins
JENKINS-52108

java.lang.UnsupportedOperationException: Refusing to marshal java.util.concurrent.atomic.AtomicInteger for security reasons; see https://jenkins.io/redirect/class-filter/

      Description

      I have used the code from https://github.com/jenkinsci/cloudbees-disk-usage-simple-plugin and modified it such that admin privileges are no longer needed to view the disk usage statistics. With the recent upgrade of Jenkins core I get:

      java.lang.UnsupportedOperationException: Refusing to marshal java.util.concurrent.atomic.AtomicInteger for security reasons; see https://jenkins.io/redirect/class-filter/
          at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:543)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
          at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
          at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
      Caused: java.lang.RuntimeException: Failed to serialize com.cloudbees.simplediskusage.QuickDiskUsagePlugin#progress for class com.cloudbees.simplediskusage.QuickDiskUsagePlugin
          at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
          at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224)
          at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138)
          at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209)
          at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
          at com.thoughtworks.xstream.core.TreeMarshaller.start(TreeMarshaller.java:82)
          at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.marshal(AbstractTreeMarshallingStrategy.java:37)
          at com.thoughtworks.xstream.XStream.marshal(XStream.java:1026)
          at com.thoughtworks.xstream.XStream.marshal(XStream.java:1015)
          at com.thoughtworks.xstream.XStream.toXML(XStream.java:988)
          at hudson.XmlFile.write(XmlFile.java:193)
      Caused: java.io.IOException
          at hudson.XmlFile.write(XmlFile.java:200)
          at hudson.Plugin.save(Plugin.java:274)
          at com.cloudbees.simplediskusage.QuickDiskUsagePlugin$2.run(QuickDiskUsagePlugin.java:292)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
          at java.lang.Thread.run(Thread.java:748)

      Interestingly, the CloudBees plugin from the repo itself does not show the problem; maybe the source code visible is not the one used?

      Jenkins version now (from config.xml): 2.128

      (Sorry, if the mandatory component doesn't fit. I am not knowledgeable in the internal structure of components here.)


          Activity

          oleg_nenashev Oleg Nenashev added a comment -

          No, it does not violate security in implementations I know.

          The problem with AtomicInteger is that the serialized footprint in XML is pretty big and it may depend on the JVM (e.g. it may include extra classes like lock queue, etc.). So there is no universal way to whitelist it.

          jungmi Michael Jung added a comment -

          You could probably write your own de-/serializer, since everything besides the value is irrelevant, but I get your point.

          How was it handled when you had a black- instead of a whitelist?

          oleg_nenashev Oleg Nenashev added a comment -

          > How was it handled when you had a black- instead of a whitelist?

          It was permitted

          jungmi Michael Jung added a comment -

          I meant the "it may depend on the JVM" part. You simply had all potential auxiliary classes serialized?

          jungmi Michael Jung added a comment -

          The proposed change ("transient") worked for me, so ticket can be closed as far as I am concerned. Maybe Yoann Dubreuil or Nicolas De Loof want to keep it open to have a tag for a new release.

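          The "transient" fix the last comment reports, written out as an added Java example that is not code from the cloudbees-disk-usage-simple-plugin or from Jenkins core. The package and class names are hypothetical; the only Jenkins API used is hudson.Plugin#save(), which is the call in the stack trace above. The point is that Jenkins' XStream2 will only marshal whitelisted classes, so the AtomicInteger must be kept out of the persisted XML entirely rather than whitelisted:

```java
package com.example.diskusage; // hypothetical package, not the plugin's own

import hudson.Plugin;
import java.io.IOException;
import java.util.concurrent.atomic.AtomicInteger;

/**
 * Hypothetical plugin that keeps an in-memory scan counter.
 * hudson.Plugin#save() writes this object to disk through XStream2, whose
 * class filter refuses java.util.concurrent.atomic.AtomicInteger, so the
 * counter must not be part of the serialized state.
 */
public class DiskUsageExamplePlugin extends Plugin {

    // Persisted state: a plain int, which the class filter accepts.
    private int lastScannedCount;

    // BEFORE (fails on save()): a non-transient AtomicInteger field is walked by
    // RobustReflectionConverter and rejected by XStream2$BlacklistedTypesConverter.
    //   private AtomicInteger progress = new AtomicInteger();

    // AFTER: transient fields are skipped by XStream, so neither the AtomicInteger
    // nor any JVM-internal helper class it drags along ever reaches the XML.
    private transient AtomicInteger progress = new AtomicInteger();

    // XStream bypasses constructors and field initialisers when unmarshalling, so a
    // transient field comes back null after a restart. readResolve() runs after
    // unmarshalling and restores it; without this the first get() would NPE.
    private Object readResolve() {
        if (progress == null) {
            progress = new AtomicInteger();
        }
        return this;
    }

    /** Current progress of the running scan (not persisted). */
    public int getProgress() {
        return progress.get();
    }

    /** Called from the scan thread; persists only the plain-int summary. */
    public void recordScan(int itemsDone) throws IOException {
        progress.set(itemsDone);
        lastScannedCount = itemsDone;
        save(); // only non-transient fields are marshalled: lastScannedCount
    }

    public int getLastScannedCount() {
        return lastScannedCount;
    }
}
```

          The other route raised in the thread, a custom converter that writes only the integer value, is also possible with standard XStream converter registration on the XStream2 instance, but it is more code for the same outcome and still has to be registered before the first save; for a value that only matters while the JVM is running, marking the field transient and re-creating it in readResolve() is the smaller change.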

            People

            • Assignee: Unassigned
            • Reporter: jungmi Michael Jung
            • Votes: 0
            • Watchers: 3
