JENKINS-58894

whitelist entry for java.lang.CharSequence does not match a java.lang.String object

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Component/s: script-security-plugin
    • Labels:
      None
    • Environment:
      jenkins 2.189 on java 1.8 with script-security 1.62

      Description

      The generic whitelist has various methods on java.lang.CharSequence in place, for example:

      staticMethod org.codehaus.groovy.runtime.StringGroovyMethods isAllWhitespace java.lang.CharSequence
      staticMethod org.codehaus.groovy.runtime.StringGroovyMethods isDouble java.lang.CharSequence
      staticMethod org.codehaus.groovy.runtime.StringGroovyMethods isFloat java.lang.CharSequence
      staticMethod org.codehaus.groovy.runtime.StringGroovyMethods isInteger java.lang.CharSequence
      staticMethod org.codehaus.groovy.runtime.StringGroovyMethods isLong java.lang.CharSequence
      staticMethod org.codehaus.groovy.runtime.StringGroovyMethods minus java.lang.CharSequence java.lang.Object
      staticMethod org.codehaus.groovy.runtime.StringGroovyMethods minus java.lang.CharSequence java.util.regex.Pattern
      staticMethod org.codehaus.groovy.runtime.StringGroovyMethods multiply java.lang.CharSequence java.lang.Number
      staticMethod org.codehaus.groovy.runtime.StringGroovyMethods normalize java.lang.CharSequence
      staticMethod org.codehaus.groovy.runtime.StringGroovyMethods padLeft java.lang.CharSequence java.lang.Number
      staticMethod org.codehaus.groovy.runtime.StringGroovyMethods padLeft java.lang.CharSequence java.lang.Number java.lang.CharSequence 

      However, these do not match a string being passed in, even though java.lang.String implements java.lang.CharSequence.

      A really simple test case:

      stage("test normalize") {
        def foo = "thing goes here"
        if (foo instanceof java.lang.CharSequence ) {
          println foo
          println foo.normalize()
        }
      }

      This results in a sandbox exception of:

      [Pipeline] stage
      [Pipeline] { (test normalize)
      [Pipeline] echo
      thing goes here
      Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods normalize java.lang.String. Administrators can decide whether to approve or reject this signature.
      [Pipeline] }
      [Pipeline] // stage
      [Pipeline] End of Pipeline
      [Bitbucket] Notifying commit build result
      [Bitbucket] Build result notified
      org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods normalize java.lang.String

      Specifically, adding this to the whitelist:

      staticMethod org.codehaus.groovy.runtime.StringGroovyMethods normalize java.lang.String

      allows this test case to run without exception.

      This is fairly frustrating, since upstream Groovy says that the java.lang.String signature for these methods is deprecated, with the signature with CharSequence being preferred, which is just an interface that java.lang.String implements.

      Since I'd expect most people using these methods to be using them on strings, it would be simple enough just to add the string signatures to the whitelist to resolve this.
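      As an added illustration (not part of this report and not script-security plugin code), a simplified Python model of the two steps behind the mismatch: Groovy selects the overload for the receiver's runtime type first, and only then does the sandbox look the selected method's exact signature up in the whitelist. The type relation, the candidate overloads and the whitelist line are constructed from the values quoted above; how the real plugin relates DefaultGroovyMethods to StringGroovyMethods is not modelled.

```python
# Added illustration, not script-security code: a simplified model of why a
# whitelist line written against java.lang.CharSequence never covers a call on
# a java.lang.String. Groovy first picks the most specific applicable overload
# (the String one beats the CharSequence one); the sandbox then looks up that
# selected method's exact signature text, with no "String is-a CharSequence"
# reasoning. Types, overloads and whitelist text are constructed from the report.

# Constructed subtype relation: each type maps to its direct supertypes.
SUPERTYPES = {
    "java.lang.String": {"java.lang.CharSequence", "java.lang.Object"},
    "java.lang.CharSequence": {"java.lang.Object"},
}

# Candidate overloads for normalize(); the receiver is the first parameter.
NORMALIZE = [
    {"cls": "org.codehaus.groovy.runtime.StringGroovyMethods",
     "name": "normalize", "params": ["java.lang.CharSequence"]},
    {"cls": "org.codehaus.groovy.runtime.DefaultGroovyMethods",
     "name": "normalize", "params": ["java.lang.String"]},
]

WHITELIST = ("staticMethod org.codehaus.groovy.runtime.StringGroovyMethods "
             "normalize java.lang.CharSequence\n")

def is_assignable(actual, declared):
    """True if a value of type `actual` may be passed where `declared` is expected."""
    if actual == declared:
        return True
    return any(is_assignable(s, declared) for s in SUPERTYPES.get(actual, ()))

def select_overload(candidates, arg_types):
    """Return the applicable overload whose parameter types are most specific."""
    applicable = [c for c in candidates
                  if len(c["params"]) == len(arg_types)
                  and all(is_assignable(a, p) for a, p in zip(arg_types, c["params"]))]
    for c in applicable:  # most specific: its params are assignable to every rival's
        if all(all(is_assignable(p, q) for p, q in zip(c["params"], o["params"]))
               for o in applicable if o is not c):
            return c
    return None

def signature(method):
    """Whitelist-style key: 'staticMethod <declaring class> <name> <param types...>'."""
    return " ".join(["staticMethod", method["cls"], method["name"], *method["params"]])

def check_call(arg_types, whitelist=WHITELIST):
    """Resolve normalize() for the given argument types; return (signature, allowed)."""
    chosen = select_overload(NORMALIZE, arg_types)
    allowed = signature(chosen) in {l.strip() for l in whitelist.splitlines() if l.strip()}
    return signature(chosen), allowed
```

      check_call(["java.lang.String"]) resolves to the String overload named in the log above and reports it as not whitelisted, while the same call with a CharSequence-typed argument is allowed.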

          Activity

          James Hogarth (hogarthj) added a comment -

          A minimal PR to add a bunch of these methods (including the two specific ones we're missing for our builds) is here: https://github.com/jenkinsci/script-security-plugin/pull/262


            People

            • Assignee: Andrew Bayer (abayer)
            • Reporter: James Hogarth (hogarthj)
            • Votes: 0
            • Watchers: 2