JENKINS-56682

Unable to use initializers in sandboxed Groovy scripts

    Details

    • Released As: script-security 1.61, workflow-cps 2.71

      Description

      Since workflow-cps 2.64/script-security 1.54, fields defined on the class for the script itself using @Field annotations or explicit class syntax, and static and instance initializer blocks for the script itself that reference other fields in the script, are rejected by the Groovy sandbox. This issue also affects the use of classes from shared libraries in initializers in Groovy scripts.

      Original reported case:

      The following pipeline works fine in 2.63:

      import groovy.transform.Field
      @Field final SOMETHING='bar'
      @Field final MY_CONSTANT="foo $SOMETHING"
      node() {
        do_stuff()
      }
      def do_stuff() {
        sh "echo $MY_CONSTANT"
      }
      

      With workflow-cps 2.64, this gives the following exception:

      Groovy.lang.MissingPropertyException: No such property: SOMETHING for class: groovy.lang.Binding
         at groovy.lang.Binding.getVariable(Binding.java:58)
         at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:264)
         at org.kohsuke.groovy.sandbox.impl.Checker$6.call(Checker.java:288)
         at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:292)
         at org.kohsuke.groovy.sandbox.impl.Checker$checkedGetProperty.callStatic(Unknown Source)
         at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
         at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
         at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:230)
         at WorkflowScript.<init>(WorkflowScript:3)
         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
         at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
         at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
         at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
         at java.lang.Class.newInstance(Class.java:442)
         at org.codehaus.groovy.runtime.InvokerHelper.createScript(InvokerHelper.java:434)
      Caused: groovy.lang.GroovyRuntimeException: Failed to create Script instance for class: class WorkflowScript. Reason
         at org.codehaus.groovy.runtime.InvokerHelper.createScript(InvokerHelper.java:466)
         at groovy.lang.GroovyShell.parse(GroovyShell.java:700)
         at org.jenkinsci.plugins.workflow.cps.CpsGroovyShell.lambda$doParse$0(CpsGroovyShell.java:135)
         at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:136)
         at org.jenkinsci.plugins.workflow.cps.CpsGroovyShell.doParse(CpsGroovyShell.java:132)
         at org.jenkinsci.plugins.workflow.cps.CpsGroovyShell.reparse(CpsGroovyShell.java:127)
         at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution.parseScript(CpsFlowExecution.java:560)
         at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution.start(CpsFlowExecution.java:521)
         at org.jenkinsci.plugins.workflow.job.WorkflowRun.run(WorkflowRun.java:320)
         at hudson.model.ResourceController.execute(ResourceController.java:97)
         at hudson.model.Executor.run(Executor.java:429)
      Finished: FAILURE
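
      An added example, not part of the original report or of any Jenkins plugin code: a heuristic Python scan that flags `@Field` declarations whose initializer reads another `@Field` of the same script, which is the pattern in the reported case, so such Jenkinsfiles can be located before running workflow-cps 2.64 or later without the 2.71 fix. The function names and the `LABEL` line in the sample are constructed; the scan does not cover explicit class syntax, initializer blocks or shared-library classes.

```python
import re

# "@Field [modifiers/type] NAME = initializer" on one line (heuristic, not a Groovy parser).
FIELD_DECL = re.compile(r'^\s*@Field\s+(?:[\w.<>\[\],]+\s+)*(\w+)\s*=\s*(.+)$')
SINGLE_QUOTED = re.compile(r"'(?:\\.|[^'\\])*'")      # no interpolation in Groovy
DOUBLE_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')      # GString: $name / ${expr}
INTERPOLATION = re.compile(r'\$(?:\{([^}]*)\}|(\w+))')
IDENTIFIER = re.compile(r'[A-Za-z_]\w*')

def referenced_names(initializer):
    """Identifiers an initializer evaluates: bare names plus GString interpolations."""
    code = SINGLE_QUOTED.sub(' ', initializer)
    def keep_interpolations(match):
        parts = (braced or bare for braced, bare in INTERPOLATION.findall(match.group(0)))
        return ' ' + ' '.join(parts) + ' '
    code = DOUBLE_QUOTED.sub(keep_interpolations, code)
    code = code.split('//', 1)[0]                     # drop a trailing line comment
    return set(IDENTIFIER.findall(code))

def find_dependent_fields(source):
    """Return (line, field, [referenced fields]) for each @Field that reads another @Field."""
    decls = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = FIELD_DECL.match(line)
        if m:
            decls.append((lineno, m.group(1), m.group(2)))
    field_names = {name for _, name, _ in decls}
    findings = []
    for lineno, name, initializer in decls:
        refs = sorted(referenced_names(initializer) & (field_names - {name}))
        if refs:
            findings.append((lineno, name, refs))
    return findings

# The pipeline from the report, plus one constructed line (LABEL) that must not be flagged.
SAMPLE = '''import groovy.transform.Field
@Field final SOMETHING='bar'
@Field final MY_CONSTANT="foo $SOMETHING"
@Field final LABEL='costs $SOMETHING'   // single-quoted, no interpolation
node() {
  do_stuff()
}
'''

if __name__ == "__main__":
    for lineno, name, refs in find_dependent_fields(SAMPLE):
        print(f"line {lineno}: @Field {name} reads {', '.join(refs)} in its initializer")
```

      The flagged line number for the sample matches the `WorkflowScript:3` frame in the stack trace above.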
      

          Activity

          t_richter Tobias Richter added a comment -

          I can confirm this issue with the mentioned versions. We downgraded script-security to 1.53 and workflow-cps to 2.63 to solve this issue.

          dnusbaum Devin Nusbaum added a comment -

          I ran into this issue via a report from a customer. Here is a PR that I think will help: https://github.com/jenkinsci/script-security-plugin/pull/259. Still need to understand the scope of what was broken by SECURITY-1336.

          dnusbaum Devin Nusbaum added a comment -

          A fix for this issue in Pipeline scripts was released in Pipeline: Groovy Plugin version 2.71. A fix for this issue in other kinds of sandboxed Groovy scripts was released in Script Security Plugin 1.61.


            People

            • Assignee: dnusbaum Devin Nusbaum
            • Reporter: typz Francois Ferrand