[JIRA] (JENKINS-56682) Unable to use initializers in sandboxed Groovy scripts

13 views
Skip to first unread message

dnusbaum@cloudbees.com (JIRA)

unread,
Jun 5, 2019, 2:48:02 PM6/5/19
to jenkinsc...@googlegroups.com
Devin Nusbaum updated an issue
 
Jenkins / Bug JENKINS-56682
Unable to use initializers in sandboxed Groovy scripts
Change By: Devin Nusbaum
Summary: Unable to use @Field annotations initializers in sandboxed Groovy scripts
Add Comment Add Comment
 
This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

dnusbaum@cloudbees.com (JIRA)

unread,
Jun 5, 2019, 2:51:35 PM6/5/19
to jenkinsc...@googlegroups.com
Devin Nusbaum updated an issue
Since the workflow-cps was upgraded to 2.64, fields defined on the class for the script itself using @Field annotations are or explicit class syntax, and static and instance initializer blocks for the script itself that reference other fields in the script do not working work anymore. This issue also affects the use of classes from shared libraries in initializers in Groovy scripts.

Original reported case:

 The following pipeline works fine in 2.63:
{code:java}
import groovy.transform.Field
@Field final SOMETHING='bar'
@Field final MY_CONSTANT="foo $SOMETHING"
node() {
  do_stuff()
}
def do_stuff() {
  sh "echo $MY_CONSTANT"
}
{code}
With workflow-cps 2.64, this gives the following exception:

  
 {noformat}
Groovy.lang.MissingPropertyException: No such property: SOMETHING for class: groovy.lang.Binding
   at groovy.lang.Binding.getVariable(Binding.java:58)
   at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:264)
   at org.kohsuke.groovy.sandbox.impl.Checker$6.call(Checker.java:288)
   at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:292)
   at org.kohsuke.groovy.sandbox.impl.Checker$checkedGetProperty.callStatic(Unknown Source)
   at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
   at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:230)
   at WorkflowScript.<init>(WorkflowScript:3) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
   at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
   at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at java.lang.Class.newInstance(Class.java:442)
   at org.codehaus.groovy.runtime.InvokerHelper.createScript(InvokerHelper.java:434)
Caused: groovy.lang.GroovyRuntimeException: Failed to create Script instance for class: class WorkflowScript. Reason
   at org.codehaus.groovy.runtime.InvokerHelper.createScript(InvokerHelper.java:466)
   at groovy.lang.GroovyShell.parse(GroovyShell.java:700) at org.jenkinsci.plugins.workflow.cps.CpsGroovyShell.lambda$doParse$0(CpsGroovyShell.java:135)
   at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:136)
   at org.jenkinsci.plugins.workflow.cps.CpsGroovyShell.doParse(CpsGroovyShell.java:132)
   at org.jenkinsci.plugins.workflow.cps.CpsGroovyShell.reparse(CpsGroovyShell.java:127)
   at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution.parseScript(CpsFlowExecution.java:560)
   at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution.start(CpsFlowExecution.java:521)
   at org.jenkinsci.plugins.workflow.job.WorkflowRun.run(WorkflowRun.java:320)
   at hudson.model.ResourceController.execute(ResourceController.java:97)
   at hudson.model.Executor.run(Executor.java:429)
Finished: FAILURE
{noformat}

dnusbaum@cloudbees.com (JIRA)

unread,
Jun 5, 2019, 2:51:36 PM6/5/19
to jenkinsc...@googlegroups.com
Devin Nusbaum updated an issue
Since the workflow-cps was upgraded to 2.64 /script-security 1.54 , fields defined on the class for the script itself using @Field annotations or explicit class syntax, and static and instance initializer blocks for the script itself that reference other fields in the script do not work anymore , are rejected by the Groovy sandbox . This issue also affects the use of classes from shared libraries in initializers in Groovy scripts.

dnusbaum@cloudbees.com (JIRA)

unread,
Jun 5, 2019, 2:52:01 PM6/5/19
to jenkinsc...@googlegroups.com
Devin Nusbaum updated an issue
Since the workflow-cps was upgraded to 2.64, fields defined on the class for the script itself using @Field annotations are or explicit class syntax, and static and instance initializer blocks for the script itself that reference other fields in the script do not working work anymore. This issue also affects the use of classes from shared libraries in initializers in Groovy scripts.

dnusbaum@cloudbees.com (JIRA)

unread,
Jul 5, 2019, 2:57:02 PM7/5/19
to jenkinsc...@googlegroups.com
Change By: Devin Nusbaum
Status: In Review Fixed but Unreleased
Resolution: Fixed
Released As: script-security 1.61

dnusbaum@cloudbees.com (JIRA)

unread,
Jul 5, 2019, 5:04:02 PM7/5/19
to jenkinsc...@googlegroups.com
Devin Nusbaum updated an issue
Change By: Devin Nusbaum
Released As: script-security 1.61 , workflow-cps 2.71

dnusbaum@cloudbees.com (JIRA)

unread,
Jul 5, 2019, 5:05:03 PM7/5/19
to jenkinsc...@googlegroups.com
Devin Nusbaum commented on Bug JENKINS-56682
 
Re: Unable to use initializers in sandboxed Groovy scripts

A fix for this issue in Pipeline scripts was released in Pipeline: Groovy Plugin version 2.71. A fix for this issue in other kinds of sandboxed Groovy scripts was released in Script Security Plugin 1.61.

dnusbaum@cloudbees.com (JIRA)

unread,
Jul 5, 2019, 5:05:04 PM7/5/19
to jenkinsc...@googlegroups.com
Change By: Devin Nusbaum
Status: Fixed but Unreleased Resolved

dnusbaum@cloudbees.com (JIRA)

unread,
Jul 5, 2019, 5:06:03 PM7/5/19
to jenkinsc...@googlegroups.com
Devin Nusbaum updated an issue
Change By: Devin Nusbaum
Component/s: workflow-cps-plugin
Reply all
Reply to author
Forward
0 new messages