[JIRA] [workflow-plugin] (JENKINS-34638) org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use new java.util.Random

1,114 views
Skip to first unread message

budhi003@gmail.com (JIRA)

unread,
May 6, 2016, 2:36:01 AM5/6/16
to jenkinsc...@googlegroups.com
Ashudeep Budhiraja created an issue
 
Jenkins / Bug JENKINS-34638
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use new java.util.Random
Issue Type: Bug Bug
Assignee: Jesse Glick
Components: workflow-plugin
Created: 2016/May/06 6:35 AM
Environment:  Jenkins ver. 2.0
Labels: workflow Jenkinsfie Pipeline git random java.util.Random
Priority: Major Major
Reporter: Ashudeep Budhiraja

Works fine when run using Piepline script however when using Pipeline script from SCM, it breaks.

[Pipeline] End of Pipeline
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use new java.util.Random
at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectNew(StaticWhitelist.java:167)
at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onNewInstance(SandboxInterceptor.java:116)
at org.kohsuke.groovy.sandbox.impl.Checker$3.call(Checker.java:191)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedConstructor(Checker.java:188)
at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.constructorCall(SandboxInvoker.java:19)
at WorkflowScript.run(WorkflowScript:39)
at __cps.transform__(Native Method)
at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:93)
at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixName(FunctionCallBlock.java:74)
at sun.reflect.GeneratedMethodAccessor582.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
at com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21)
at com.cloudbees.groovy.cps.Next.step(Next.java:58)
at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:154)
at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:19)
at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:33)
at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:30)
at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:106)
at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:30)
at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:164)
at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:277)
at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$000(CpsThreadGroup.java:77)
at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:186)
at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:184)
at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:47)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:112)
at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Finished: FAILURE
Add Comment Add Comment
 
This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265)
Atlassian logo

budhi003@gmail.com (JIRA)

unread,
May 9, 2016, 3:30:01 PM5/9/16
to jenkinsc...@googlegroups.com
Ashudeep Budhiraja updated an issue
Change By: Ashudeep Budhiraja
Priority: Major Critical

budhi003@gmail.com (JIRA)

unread,
May 10, 2016, 6:20:01 PM5/10/16
to jenkinsc...@googlegroups.com
Ashudeep Budhiraja started work on Bug JENKINS-34638
 
Change By: Ashudeep Budhiraja
Status: Open In Progress

kieranwebber@gmail.com (JIRA)

unread,
May 11, 2016, 11:31:01 AM5/11/16
to jenkinsc...@googlegroups.com
Kieran Webber commented on Bug JENKINS-34638
 
Re: org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use new java.util.Random

Isn't this just because a normal pipeline script isn't restricted by the groovy sandbox by default whilst scm scripts are?

You can always just allow the function in the "In process script approval" in configure jenkins.

budhi003@gmail.com (JIRA)

unread,
May 12, 2016, 12:40:05 AM5/12/16
to jenkinsc...@googlegroups.com

Hi Kieran,
Can you kindly explain further on how to achieve it?

Thanks.

kieranwebber@gmail.com (JIRA)

unread,
May 12, 2016, 4:44:01 AM5/12/16
to jenkinsc...@googlegroups.com

Click on manage jenkins from the main page. Then scroll down the list of options to the In-Process Script Approval menu option and click on that. Then at the top it should list a pending script approval for the failed function. Once you've added one or two this way you can most likely add them directly into the xml configs on disk to speed things up.

budhi003@gmail.com (JIRA)

unread,
May 13, 2016, 6:53:02 PM5/13/16
to jenkinsc...@googlegroups.com
Ashudeep Budhiraja edited a comment on Bug JENKINS-34638
Thanks Kieran,
Works after adding to  list of "*  Signatures already approved *" :
* field java.util.ArrayList size
* method java.util.Random nextInt
* new java.util.Random
* staticMethod java.lang.Math abs int
* staticMethod java.lang.Math random

budhi003@gmail.com (JIRA)

unread,
May 13, 2016, 6:53:02 PM5/13/16
to jenkinsc...@googlegroups.com

Thanks Kieran,
Works after adding to Signatures already approved:

  • field java.util.ArrayList size
  • method java.util.Random nextInt
  • new java.util.Random
  • staticMethod java.lang.Math abs int
  • staticMethod java.lang.Math random

kieranwebber@gmail.com (JIRA)

unread,
May 14, 2016, 4:05:01 AM5/14/16
to jenkinsc...@googlegroups.com
Kieran Webber resolved as Fixed
 
Change By: Kieran Webber
Status: In Progress Resolved
Resolution: Fixed

budhi003@gmail.com (JIRA)

unread,
May 14, 2016, 4:07:02 AM5/14/16
to jenkinsc...@googlegroups.com
Ashudeep Budhiraja closed an issue as Fixed
Change By: Ashudeep Budhiraja
Status: Resolved Closed

deep.anu98@yahoo.co.in (JIRA)

unread,
Sep 29, 2016, 8:27:02 AM9/29/16
to jenkinsc...@googlegroups.com
Anudeep Lalam commented on Bug JENKINS-34638
 
Re: org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use new java.util.Random

Kieran Webber,Ashudeep Budhiraja - Can you please share the In-process Script Approval xml config path.. I am running Jenkins on Linux..

For me there is situation where I am getting org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: unclassified staticMethod java.lang.Math round java.math.BigDecimal error. But in the Jenkins In-Process Script Approval menu, this is not populated for the approval..

May be if I can modify the xml, it may work.

Thanks in advance!
This message was sent by Atlassian JIRA (v7.1.7#71011-sha1:2526d7c)
Atlassian logo

sshkolni@adobe.com (JIRA)

unread,
Nov 28, 2016, 8:47:01 PM11/28/16
to jenkinsc...@googlegroups.com

Hi Anudeep,
I am running into similar problem myself.
I was to add all other methods into XML file scriptApproval.xml. But, when I add "unclassified method" to whitelist in xml file, it starts to ignore the rest of the whitelist... Have you figured out how to add it?
Thanks!

deep.anu98@yahoo.co.in (JIRA)

unread,
Nov 29, 2016, 1:00:01 AM11/29/16
to jenkinsc...@googlegroups.com

Hi Sasha Shkolnik,

My Jenkins Master is a Linux Host. I found scriptApproval.xml under /var/lib/jenkins. My issue got resolved once I edited the xml to include staticMethod java.lang.Math round java.math.BigDecimal and restart Jenkins.

sshkolni@adobe.com (JIRA)

unread,
Nov 29, 2016, 2:08:02 AM11/29/16
to jenkinsc...@googlegroups.com

Hmm, when I add "method java.lang.UNIXProcess consumeProcessOutput java.lang.StringBuilder" to my scriptApproval.xml file, Jenkins just ignores it and give the error back again. When I add "unclassified method java.lang.UNIXProcess consumeProcessOutput java.lang.StringBuilder" to an xml file, Jenkins pretend the whole list is not there and gives an error about another method call, that is already on the list....

jglick@cloudbees.com (JIRA)

unread,
Dec 5, 2016, 5:26:01 PM12/5/16
to jenkinsc...@googlegroups.com
Jesse Glick reopened an issue
 
Change By: Jesse Glick
Resolution: Fixed
Status: Closed Reopened
Assignee: Jesse Glick

jglick@cloudbees.com (JIRA)

unread,
Dec 5, 2016, 5:27:02 PM12/5/16
to jenkinsc...@googlegroups.com
Jesse Glick resolved as Incomplete
 

Missing entries are not a bug, though PRs to add them to the default whitelist are welcome.

Any error including the unclassified text indicates a product bug. Please file separately in script-security-plugin with complete steps to reproduce from scratch.
Change By: Jesse Glick
Status: Reopened Resolved
Resolution: Incomplete
Reply all
Reply to author
Forward
0 new messages