[JIRA] (JENKINS-57171) Permissive script security plugin is broken after updating to script security 1.58

gabloe@microsoft.com (JIRA)

Apr 24, 2019, 1:06:02 PM
to jenkinsc...@googlegroups.com
Gabriel Loewen updated an issue
 
Jenkins / Bug JENKINS-57171
Permissive script security plugin is broken after updating to script security 1.58
Change By: Gabriel Loewen
After updating to Script Security 1.58 permissive script security no longer permits unsafe method calls. I have -Dpermissive-script-security.enabled=no_security set up in the java args, and before upgrading to 1.58 I was receiving no warnings/errors when calling unsafe methods as expected. After upgrading I see many warnings in my pipeline log, such as:

Scripts not permitted to use staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint. Administrators can decide whether to approve or reject this signature.

 
 
This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

gabloe@microsoft.com (JIRA)

Apr 24, 2019, 1:06:03 PM
to jenkinsc...@googlegroups.com
Gabriel Loewen created an issue
Issue Type: Bug
Assignee: Oliver Gondža
Components: permissive-script-security-plugin, script-security-plugin
Created: 2019-04-24 17:05
Environment: Jenkins 2.164.2
Script Security 1.58
Permissive Script Security 0.3
Labels: jenkins security script-security
Priority: Major
Reporter: Gabriel Loewen

After updating to Script Security 1.58 permissive script security no longer permits unsafe method calls.  I have -Dpermissive-script-security.enabled=no_security set up in the java args, and before upgrading to 1.58 I was receiving no warnings/errors when calling unsafe methods.  After upgrading I see many warnings in my pipeline log, such as:

Scripts not permitted to use staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint. Administrators can decide whether to approve or reject this signature.

 

be_ray@sbcglobal.net (JIRA)

Apr 24, 2019, 5:40:03 PM
to jenkinsc...@googlegroups.com
Brian Ray commented on Bug JENKINS-57171
 
Re: Permissive script security plugin is broken after updating to script security 1.58

I think the actual incompatibility is with workflow-cps-2.67, specifically #280 (JENKINS-34973). As noted at the top of the PR thread it is complementary to script-security-plugin/#243.

After running into the current issue with permissive-script-security-0.3, script-security-1.58, workflow-cps-2.67 I downgraded the latter plugin back to 2.66 and the issue disappeared.

There are two other interesting aspects in my troubleshooting attempts:

  1. It does not seem possible to effectively whitelist the method, at least in the UI. I can whitelist it but on the next run the script security warning is logged again.
  2. Reproduction is possible via a completely empty pipeline script.

be_ray@sbcglobal.net (JIRA)

Apr 24, 2019, 5:41:02 PM
to jenkinsc...@googlegroups.com
Brian Ray updated an issue
Change By: Brian Ray
Environment:
Jenkins 2.164.2
Script Security 1.58
Permissive Script Security 0.3

Pipeline: Groovy 2.67

julienduchesne@live.com (JIRA)

May 6, 2019, 11:37:02 AM
to jenkinsc...@googlegroups.com
Julien Duchesne commented on Bug JENKINS-57171
 
Re: Permissive script security plugin is broken after updating to script security 1.58

I can confirm what Brian says. Also, trying to approve the rejected methods froze our Jenkins instance (Actually, two of us made the same mistake on different instances). 

ogondza@gmail.com (JIRA)

May 7, 2019, 3:23:03 AM
to jenkinsc...@googlegroups.com

Thanks, I managed to reproduce the problem introduced between script-security-1.57 and script-security-1.58. Let me see what we can do.

ogondza@gmail.com (JIRA)

May 9, 2019, 6:05:05 AM
to jenkinsc...@googlegroups.com
Oliver Gondža started work on Bug JENKINS-57171
 
Change By: Oliver Gondža
Status: Open → In Progress

ogondza@gmail.com (JIRA)

May 9, 2019, 6:05:06 AM
to jenkinsc...@googlegroups.com

It is 4c12f752e15bdf1d879019e8157954688b35b104 in script-security that has caused this to break. On first glance, the problem appears fixable.

ogondza@gmail.com (JIRA)

May 9, 2019, 7:26:03 AM
to jenkinsc...@googlegroups.com
 

Fixed in 0.4 released just now.

Change By: Oliver Gondža
Status: In Review → Resolved
Resolution: Fixed
Released As: 0.4

careje@gmail.com (JIRA)

May 10, 2019, 12:54:02 AM
to jenkinsc...@googlegroups.com

Scripts not permitted to use staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint.

even after applying 0.4

ogondza@gmail.com (JIRA)

May 10, 2019, 1:04:03 AM
to jenkinsc...@googlegroups.com

Jeff Care, be more specific. The problem this issue addresses is that even when the signature is explicitly whitelisted, it is still reported/blocked (depending on your config). Is that signature whitelisted on your instance? How is the plugin configured?

careje@gmail.com (JIRA)

May 13, 2019, 9:08:02 AM
to jenkinsc...@googlegroups.com

ogondza@gmail.com (JIRA)

May 13, 2019, 10:14:03 AM
to jenkinsc...@googlegroups.com

Jeff Care, strange, can you provide us with a minimal reproducer of what you are observing?

lai.andrea75@gmail.com (JIRA)

May 14, 2019, 7:14:04 AM
to jenkinsc...@googlegroups.com

I am still seeing the issue as well.

Step:

  1. Create Pipeline job: "pipeline { agent { label 'master' } stages { stage('Clear working directory') { steps { ansiColor('xterm') { deleteDir() } } } } }"

  2. Run the job above and it passes with lots of "Scripts not permitted to use new ..."

  3. Go to Script Approval page and approve everything.

  4. The Approval page does not have any pending approvals.

  5. Run the Pipeline job again

  6. Job above passes with lots of "Scripts not permitted to use new ..." again

  7. Go to Script Approval page and all the pending approvals are back even if they are already listed in the "Signatures already approved:" section.
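
An added example (not part of the original thread): a Python check for the symptom reported in this issue, signatures that a log still reports although scriptApproval.xml already lists them as approved. The XML element layout and both sample inputs are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of $JENKINS_HOME/scriptApproval.xml (element layout is an assumption).
APPROVAL_XML = """<?xml version='1.1' encoding='UTF-8'?>
<scriptApproval plugin="script-security@1.58">
  <approvedSignatures>
    <string>staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint</string>
  </approvedSignatures>
  <pendingSignatures>
    <pendingSignature>
      <signature>staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint</signature>
    </pendingSignature>
  </pendingSignatures>
</scriptApproval>"""

# Constructed log excerpt using the two message shapes quoted in this thread.
BUILD_LOG = """[Pipeline] Start of Pipeline
Scripts not permitted to use staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint. Administrators can decide whether to approve or reject this signature.
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod java.security.MessageDigest getInstance java.lang.String
"""

REJECTED = re.compile(r"Scripts not permitted to use (.+?)(?:\. Administrators\b|\s*$)")

def load_approvals(xml_text):
    """Return (approved, pending) signature sets from scriptApproval.xml text."""
    # The sample carries an XML 1.1 declaration; Python's parser handles XML 1.0 only, so drop it.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(body)
    approved = {e.text.strip() for e in root.iterfind("approvedSignatures/string") if e.text}
    pending = {e.text.strip()
               for e in root.iterfind("pendingSignatures/pendingSignature/signature") if e.text}
    return approved, pending

def audit(log_text, xml_text):
    """Map each signature reported in the log to its approval state."""
    approved, pending = load_approvals(xml_text)
    report = {}
    for line in log_text.splitlines():
        m = REJECTED.search(line)
        if m:
            sig = m.group(1).strip()
            report[sig] = {"approved": sig in approved, "pending": sig in pending}
    return report

def already_approved_but_reported(log_text, xml_text):
    """Signatures showing the symptom from this issue: approved, yet still reported."""
    return sorted(s for s, st in audit(log_text, xml_text).items() if st["approved"])
```

A signature that comes back with both `approved` and `pending` set matches step 7 above; one with neither set is an ordinary unapproved call.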

 

 

lai.andrea75@gmail.com (JIRA)

May 14, 2019, 7:28:03 AM
to jenkinsc...@googlegroups.com
 
Re: Permissive script security plugin is broken after updating to script security 1.58

I am attaching a screenshot showing the Approval page asking to approve items already in the "Signatures already approved"

lai.andrea75@gmail.com (JIRA)

May 14, 2019, 7:29:02 AM
to jenkinsc...@googlegroups.com
Andrea Lai edited a comment on Bug JENKINS-57171
I am attaching a screenshot showing the Approval page asking to approve items already in the "Signatures already approved" (attachment: example.JPG)

lai.andrea75@gmail.com (JIRA)

May 16, 2019, 6:14:03 AM
to jenkinsc...@googlegroups.com
Andrea Lai reopened an issue
 

I am re-opening as 2 people reported the change did not address the issue for some use cases.

 

Change By: Andrea Lai
Resolution: Fixed
Status: Resolved → Reopened

michellepogado@gmail.com (JIRA)

May 16, 2019, 9:45:05 PM
to jenkinsc...@googlegroups.com
Michelle Pogado commented on Bug JENKINS-57171
 
Re: Permissive script security plugin is broken after updating to script security 1.58

Also experiencing the same problem with the following version:
Jenkins 2.168
Script Security 1.58
Permissive Script Security 0.3
Pipeline: Groovy 2.68

ogondza@gmail.com (JIRA)

May 22, 2019, 7:48:02 AM
to jenkinsc...@googlegroups.com

I managed to reproduce the issue using both declarative and scriptable pipeline, when the plugin is in the enabled state. The build is permitted to invoke the signatures and they are logged in Jenkins log. The execution suggests several internal signatures for approval, even though they were approved before.

ogondza@gmail.com (JIRA)

May 23, 2019, 8:19:03 AM
to jenkinsc...@googlegroups.com

Alright, it turned out the changes in 1.58 uncovered a conceptual problem in the plugin. I have just released 0.5 with the new unsafe signature reworked.

https://github.com/jenkinsci/permissive-script-security-plugin/commit/7458ae4d1363a95d78fb8212460b4056f4b205ee

ogondza@gmail.com (JIRA)

May 23, 2019, 8:19:05 AM
to jenkinsc...@googlegroups.com
Change By: Oliver Gondža
Status: Reopened → Fixed but Unreleased
Resolution: Fixed
Released As: 0.4 → 0.5

ogondza@gmail.com (JIRA)

May 23, 2019, 8:57:06 AM
to jenkinsc...@googlegroups.com
Oliver Gondža edited a comment on Bug JENKINS-57171
Alright, it turned out the changes in 1.58 uncovered a conceptual problem in the plugin. I have just released 0.5 with the new unsafe signature detection reworked.

https://github.com/jenkinsci/permissive-script-security-plugin/commit/7458ae4d1363a95d78fb8212460b4056f4b205ee

be_ray@sbcglobal.net (JIRA)

May 24, 2019, 3:01:04 PM
to jenkinsc...@googlegroups.com
Brian Ray commented on Bug JENKINS-57171
 
Re: Permissive script security plugin is broken after updating to script security 1.58

0.5 seems to clear up the issue in my local test Jenkins now with permissive-script-security.enabled=true. We'll try 0.5 in production soon.

Thank you Oliver Gondža.

xouthier@yahoo.fr (JIRA)

Jun 5, 2019, 11:07:04 AM
to jenkinsc...@googlegroups.com
X O commented on Bug JENKINS-57171

Hi,

Yes, 0.5 fixes this issue but it generates another one: instead of seeing the Pipeline script from SCM (SCM/Git) for the pipeline definition in the configure page, according to what is written in the config.xml of a pipeline job, we see pipeline script with an empty script.
It's impossible to view it in the GUI. Interestingly, the correct configuration is used.
Reverting to 0.3 fixes this behavior but of course leads to the current issue.

BTW, the current issue seems only cosmetic, isn't it? There is no real need for an admin to enable the use of the "unsecured" methods. At least my pipelines do what they are supposed to do?!

We have a lot of plugins but here are some details of what is used:
Jenkins: 2.179
Script Security 1.60
Permissive Script Security 0.3 or 0.5
Pipeline Groovy 2.70
Git 3.10.0

Thanks

shen3lu4@gmail.com (JIRA)

Sep 10, 2019, 5:22:03 PM
to jenkinsc...@googlegroups.com
Lu Shen commented on Bug JENKINS-57171

We recently did an upgrade on Jenkins and plugins. The "permissive-script-security.enabled=true" setting used to allow scripts to be run in the pipeline but not any more after the upgrade.

Jenkins log file would log issues like: org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod java.security.MessageDigest getInstance java.lang.String and the scripts come into "In-process script approval".

Version info:

Jenkins: 2.164.3
Script Security 1.62
Permissive Script Security 0.5
Pipeline Groovy 2.73

This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)

ogondza@gmail.com (JIRA)

Sep 11, 2019, 3:08:11 AM
to jenkinsc...@googlegroups.com

Lu Shen, you are commenting on a once resolved issue. File a new one instead.

peter.wiseman@gmail.com (JIRA)

Dec 10, 2019, 1:15:04 AM
to jenkinsc...@googlegroups.com
Peter Wiseman commented on Bug JENKINS-57171
 
Re: Permissive script security plugin is broken after updating to script security 1.58

Oliver Gondža, do you have a reference for a new issue that you're working on? Maybe JENKINS-59145 (Pipeline script UI) or JENKINS-59227 (Global Pipeline Libraries configuration)?

With Permissive Script Security at 0.5, the Global Pipeline Library SCM configuration information is no longer visible. If that were all it might be ok, but upon saving, the configuration is removed.
