[JIRA] (JENKINS-42891) Using `vars/pipeline.groovy` causes script-security error starting with Jenkins 2.32.3

0 views
Skip to first unread message

mail@tknerr.de (JIRA)

unread,
Mar 17, 2017, 1:59:02 PM3/17/17
to jenkinsc...@googlegroups.com
Torben Knerr created an issue
 
Jenkins / Bug JENKINS-42891
Using `vars/pipeline.groovy` causes script-security error starting with Jenkins 2.32.3
Issue Type: Bug Bug
Assignee: Andrew Bayer
Components: pipeline-model-definition-plugin, script-security-plugin, workflow-cps-global-lib-plugin
Created: 2017/Mar/17 5:58 PM
Environment: Jenkins 2.32.3 LTS, with
- script-security 1.27
- workflow-cps-global-lib 2.7
- pipeline-model-definition 1.1.1
Priority: Minor Minor
Reporter: Torben Knerr

We are using a global lib with `vars/pipeline.groovy` in Jenkins 2.32.1 and everything works fine. When using the same lib with Jenkins 2.32.3 we suddenly get failing pipeline builds with this error:

 

org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object (org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter doTry org.jenkinsci.plugins.workflow.cps.CpsClosure2) at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:183) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:117) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:103) at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:149) at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:146) at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:16) ...

 

 

The `vars/pipeline.groovy` looks as simple as that:

 

def doStuff() {
    echo "hello!"
}

 

And within our `Jenkinsfile` we call it like that:

 

node {
    stage("do stuff") {
        pipeline.doStuff()
    }
}

 

It pretty much looks like a script-security plugin issue on first sight. (this was updated from 1.25 to 1.27 when we use Jenkins 2.32.3). 

However, after having simplified our `vars/pipeline.groovy` to such a mininmal helper method example there is really nothing that script security should complain about. But it still does throw the exception above.

In a desperate move I renamed `vars/pipeline.groovy` to `vars/wat.groovy`, and guess what? It works...

So my conclusion is that it must have something to do with either the name `pipeline.groovy`, or simply a variable named `pipeline` being implicitly defined in the global scope with newer Jenkins versions.

I'm not sure which component exactly produces the error, so the ones I assigned are the most likely culprits for me.

 

 

 

 

 

 
Add Comment Add Comment
 
This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e)
Atlassian logo

mail@tknerr.de (JIRA)

unread,
Mar 17, 2017, 2:03:02 PM3/17/17
to jenkinsc...@googlegroups.com
Torben Knerr updated an issue
Change By: Torben Knerr
We are using a global lib with `vars/pipeline.groovy` in Jenkins 2.32.1 and everything works fine. When using the same lib with Jenkins 2.32.3 we suddenly get failing pipeline builds with this error:

 
{code:java}
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object (org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter doTry org.jenkinsci.plugins.workflow.cps.CpsClosure2) at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:183) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:117) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:103) at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:149) at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:146) at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:16) ...{code}
 

 

The `vars/pipeline.groovy` looks as simple as that:
 
{code:java}
def doStuff() {
    echo "hello!"
}{code}

 

And within our `Jenkinsfile` we call it like that:

 
 {code:java}

node {
    stage("do stuff") {
        pipeline.doStuff() // throws above exception
    }
}{code}

 

It pretty much looks like a script-security plugin issue on first sight. (this was updated from 1.25 to 1.27 when we use Jenkins 2.32.3). 

However, after having simplified our `vars/pipeline.groovy` to such a mininmal helper method example there is really nothing that script security should complain about. But it still does throw the exception above.

In a desperate move I renamed `vars/pipeline.groovy` to `vars/wat.groovy`, and guess what? It works...
{code:java}
node {
    stage("do stuff") {
        wat.doStuff() // works!
    }
}
{code}
So my conclusion is that it must have something to do with either the name `pipeline.groovy`, or simply a variable named `pipeline` being implicitly defined in the global scope with newer Jenkins versions.

I'm not sure which component exactly produces the error, so the ones I assigned are the most likely culprits for me.

 

 

 

 

 

 

andrew.bayer@gmail.com (JIRA)

unread,
Mar 17, 2017, 6:53:01 PM3/17/17
to jenkinsc...@googlegroups.com
Andrew Bayer resolved as Not A Defect
 

Sadly, once you've got Declarative Pipelines installed (which comes automatically now), you can't have a variable in your Pipelines named pipeline, just as you can't have one named docker or scm or env - trying to use the same name as a global variable will just cause problems. So you should rename your vars/pipeline.groovy to something else. Sorry for the inconvenience.
Change By: Andrew Bayer
Status: Open Resolved
Resolution: Not A Defect

mail@tknerr.de (JIRA)

unread,
Mar 18, 2017, 7:47:05 AM3/18/17
to jenkinsc...@googlegroups.com
Torben Knerr commented on Bug JENKINS-42891
 
Re: Using `vars/pipeline.groovy` causes script-security error starting with Jenkins 2.32.3

Andrew Bayer I have assumed something like this, but this was only after hours of debugging.

Questions:

  • Is this new behaviour documented somewhere, like a warning / breaking changes in the CHANGELOG?
  • Can you point me to the complete list of variables that can no longer be used?
  • Would it be possible to check for inappropriate usage of these vars and throw a proper exception with a meaningful message instead?

While I am somehow "sensitized" for this error now, I bet others will be tapping in the dark when they suddenly get totally unrelated exceptions like the one reported above.

What do you think?

 

bitwiseman@gmail.com (JIRA)

unread,
Oct 22, 2019, 11:24:55 PM10/22/19
to jenkinsc...@googlegroups.com
Liam Newman closed an issue as Not A Defect
 

Bulk closing resolved issues.

Change By: Liam Newman
Status: Resolved Closed
This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)
Atlassian logo
Reply all
Reply to author
Forward
0 new messages