Jenkins / JENKINS-57171

Permissive script security plugin is broken after updating to script security 1.58

    Details

    • Released As:
      0.5

      Description

      After updating to Script Security 1.58 permissive script security no longer permits unsafe method calls. I have -Dpermissive-script-security.enabled=no_security set up in the java args, and before upgrading to 1.58 I was receiving no warnings/errors when calling unsafe methods as expected. After upgrading I see many warnings in my pipeline log, such as:

      Scripts not permitted to use staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint. Administrators can decide whether to approve or reject this signature.

       


            Activity

            olivergondza Oliver Gondža added a comment - - edited

            Alright, it turned out the changes in 1.58 uncovered a conceptual problem in the plugin. I have just released 0.5 with the new unsafe signature detection reworked.

            https://github.com/jenkinsci/permissive-script-security-plugin/commit/7458ae4d1363a95d78fb8212460b4056f4b205ee

            brianeray Brian Ray added a comment -

            0.5 seems to clear up the issue in my local test Jenkins now with permissive-script-security.enabled=true. We'll try 0.5 in production soon.

            Thank you Oliver Gondža.

            xavier X O added a comment -

            Hi,

            Yes, 0.5 fixes this issue but it generates another one: instead of seeing the Pipeline script from SCM (SCM/Git) for the pipeline definition in the configure page, according to what is written in the config.xml of a pipeline job, we see pipeline script with an empty script.
            It's impossible to view it in the GUI. Interestingly, the correct configuration is used.
            Reverting to 0.3 fixes this behavior but of course leads to the current issue.

            BTW, the current issue seems only cosmetic, doesn't it? There is no real need for an admin to enable the use of the "unsecured" methods. At least my pipelines do what they are supposed to do?!

            We have a lot of plugins but here are some details of what is used:
            Jenkins: 2.179
            Script Security 1.60
            Permissive Script Security 0.3 or 0.5
            Pipeline Groovy 2.70
            Git 3.10.0

            Thanks

            shen3lu4 Lu Shen added a comment -

            We recently did an upgrade on Jenkins and plugins. The "permissive-script-security.enabled=true" setting used to allow scripts to be run in the pipeline but not any more after the upgrade.

            Jenkins log file would log issues like: org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod java.security.MessageDigest getInstance java.lang.String and the scripts come into "In-process script approval".

            Version info:

            Jenkins: 2.164.3
            Script Security 1.62
            Permissive Script Security 0.5
            Pipeline Groovy 2.73

            olivergondza Oliver Gondža added a comment -

            Lu Shen, you are commenting on a once resolved issue. File a new one instead.


              People

              • Assignee:
                olivergondza Oliver Gondža
                Reporter:
                gabloe Gabriel Loewen
              • Votes:
                9
                Watchers:
                17
