[JIRA] (JENKINS-58803) Script Approval: No such constructor found even so the constructor is defined

4 views
Skip to first unread message

papanito@wyssmann.com (JIRA)

unread,
Aug 5, 2019, 3:41:03 AM8/5/19
to jenkinsc...@googlegroups.com
Adrian Wyssmann created an issue
 
Jenkins / Bug JENKINS-58803
Script Approval: No such constructor found even so the constructor is defined
Issue Type: Bug Bug
Assignee: Andrew Bayer
Components: core, script-security-plugin
Created: 2019-08-05 07:40
Environment: Jenkins 2.176.1
Labels: script security
Priority: Minor Minor
Reporter: Adrian Wyssmann

I have a a shared DSL library which causes the pipeline to fail with the following error:

No such constructor found: new java.lang.String java.lang.String java.lang.String. Administrators can decide whether to approve or reject this signature.
[Pipeline] End of Pipeline
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: No such constructor found: new java.lang.String java.lang.String java.lang.String
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onNewInstance(SandboxInterceptor.java:168)
	at org.kohsuke.groovy.sandbox.impl.Checker$14.call(Checker.java:594)
	at org.kohsuke.groovy.sandbox.impl.Checker.preCheckedCast(Checker.java:599)

The signature is definitively in the "ScriptApproval.xml" as follows:

...    
    <string>new java.lang.String java.lang.String java.lang.String</string>
...

The respective line of code where its fails is this:

String svnURL         = this.checkMandatoryParam("svnURL", props["projects"]["${application}"]["svnURL"])

and

def checkMandatoryParam(String name, param) {
    echo "[Info] Check if mandatory parameter '${name}' is defined"
    if (!param) {
        throw new AbortException("Expected parameter '${name}' is missing or empty. Please specify accordingly in the 'applications.json'")
    } else {
        return param
    }

Detailed log of Jenkins pipeline:

09:28:07  [Info] It is a dry run:  false
[Pipeline] echo
09:28:07  [Info] Check if mandatory parameter 'solution' is defined
[Pipeline] echo
09:28:07  [Info] Check if mandatory parameter 'svnURL' is defined
[Pipeline] }
[Pipeline] // script
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // timestamps
[Pipeline] }
[Pipeline] // withEnv
[Pipeline] }
[Pipeline] // node
No such constructor found: new java.lang.String java.lang.String java.lang.String. Administrators can decide whether to approve or reject this signature.
[Pipeline] End of Pipeline
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: No such constructor found: new java.lang.String java.lang.String java.lang.String
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onNewInstance(SandboxInterceptor.java:168)
	at org.kohsuke.groovy.sandbox.impl.Checker$14.call(Checker.java:594)
	at org.kohsuke.groovy.sandbox.impl.Checker.preCheckedCast(Checker.java:599)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCast(Checker.java:541)
	at org.kohsuke.groovy.sandbox.impl.Checker$checkedCast$1.callStatic(Unknown Source)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
	at org.kohsuke.groovy.sandbox.impl.Checker$2.call(Checker.java:189)
	at org.kohsuke.groovy.sandbox.GroovyInterceptor.onStaticCall(GroovyInterceptor.java:35)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onStaticCall(SandboxInterceptor.java:186)
	at org.kohsuke.groovy.sandbox.impl.Checker$2.call(Checker.java:187)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedStaticCall(Checker.java:191)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:98)
	at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:17)
	at defaultCdPipeline.call(D:\data\jenkins_home\jobs\DP-Pipeline-Common-CD\builds\10\libs\octopus-pipeline-core\vars\defaultCdPipeline.groovy:93)
	at ___cps.transform___(Native Method)
	at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:57)
	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:109)
	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:82)
	at sun.reflect.GeneratedMethodAccessor528.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
	at com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21)
	at com.cloudbees.groovy.cps.Next.step(Next.java:83)
	at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:174)
	at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:163)
	at org.codehaus.groovy.runtime.GroovyCategorySupport$ThreadCategoryInfo.use(GroovyCategorySupport.java:129)
	at org.codehaus.groovy.runtime.GroovyCategorySupport.use(GroovyCategorySupport.java:268)
	at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:163)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$101(SandboxContinuable.java:34)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.lambda$run0$0(SandboxContinuable.java:59)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:241)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:58)
	at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:182)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:332)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$200(CpsThreadGroup.java:83)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:244)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:232)
	at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:64)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:131)
	at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
	at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:59)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
Finished: FAILURE
Add Comment Add Comment
 
This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

dbeck@cloudbees.com (JIRA)

unread,
Aug 9, 2019, 4:15:02 AM8/9/19
to jenkinsc...@googlegroups.com
Daniel Beck updated an issue
Change By: Daniel Beck
Component/s: core

dbeck@cloudbees.com (JIRA)

unread,
Aug 9, 2019, 4:17:02 AM8/9/19
to jenkinsc...@googlegroups.com
Daniel Beck commented on Bug JENKINS-58803
 
Re: Script Approval: No such constructor found even so the constructor is defined

Which version of Script Security Plugin is this?

Devin Nusbaum Does this look like a regression due to recent security fixes?

dnusbaum@cloudbees.com (JIRA)

unread,
Aug 9, 2019, 9:58:03 AM8/9/19
to jenkinsc...@googlegroups.com

Daniel Beck I don't think so, Checker line 599 in Checker.preCheckedCast is a comment in the current version of groovy-sandbox.

Adrian Wyssmann I think that your scriptApproval entry is invalid syntax. It should start with method or staticMethod, and also I don't think there is a constructor of String that takes (String, String). Did you add the entry manually or anything?

Are you sure the code is failing in String svnURL = this.checkMandatoryParam("svnURL", props["projects"]["${application}"]["svnURL"])? We see the log message from checkMandatoryParam ("Check if mandatory parameter 'svnURL' is defined"), so maybe it is one of the next few lines that has the problem. I don't see anything particular in what you posted that looks like Groovy syntax that the sandbox isn't able to handle.

papanito@wyssmann.com (JIRA)

unread,
Sep 7, 2019, 4:22:02 AM9/7/19
to jenkinsc...@googlegroups.com

OK I've found the problem. I read a configuration from json For some reason the json had "duplicated" content

{
   "projects": {
      "app1": {
         "svnUrl": "https://xyz"
      }, 
      "app2": {
         "svnUrl": "https://xyz"
      }
   }
   { "projects": {
       "app1": {
          "svnUrl": "https://xyz"
       },
       "app2": {
          "svnUrl": "https://xyz" 
       }
   }
}

instead of

{
   "projects": {
      "app1": {
         "svnUrl": "https://xyz"
      }, 
      "app2": {
         "svnUrl": "https://xyz"
      }
   }
}

Onc// code placeholdere the input json was fixed, all went smooth.

Yes the signature I have in the "ScriptApproval.xml" is as mentioned above
Reply all
Reply to author
Forward
0 new messages