[JIRA] (JENKINS-58894) whitelist entry for java.lang.CharSequence does not match a java.lang.String object


james.hogarth@gmail.com (JIRA)

Aug 12, 2019, 10:10:07 AM
to jenkinsc...@googlegroups.com
James Hogarth created an issue
 
Jenkins / Bug JENKINS-58894
whitelist entry for java.lang.CharSequence does not match a java.lang.String object
Issue Type: Bug
Assignee: Andrew Bayer
Components: script-security-plugin
Created: 2019-08-12 14:09
Environment: jenkins 2.189 on java 1.8 with script-security 1.62
Priority: Minor
Reporter: James Hogarth

The generic whitelist has various methods on java.lang.CharSequence in place, for example:

staticMethod org.codehaus.groovy.runtime.StringGroovyMethods isAllWhitespace java.lang.CharSequence
staticMethod org.codehaus.groovy.runtime.StringGroovyMethods isDouble java.lang.CharSequence
staticMethod org.codehaus.groovy.runtime.StringGroovyMethods isFloat java.lang.CharSequence
staticMethod org.codehaus.groovy.runtime.StringGroovyMethods isInteger java.lang.CharSequence
staticMethod org.codehaus.groovy.runtime.StringGroovyMethods isLong java.lang.CharSequence
staticMethod org.codehaus.groovy.runtime.StringGroovyMethods minus java.lang.CharSequence java.lang.Object
staticMethod org.codehaus.groovy.runtime.StringGroovyMethods minus java.lang.CharSequence java.util.regex.Pattern
staticMethod org.codehaus.groovy.runtime.StringGroovyMethods multiply java.lang.CharSequence java.lang.Number
staticMethod org.codehaus.groovy.runtime.StringGroovyMethods normalize java.lang.CharSequence
staticMethod org.codehaus.groovy.runtime.StringGroovyMethods padLeft java.lang.CharSequence java.lang.Number
staticMethod org.codehaus.groovy.runtime.StringGroovyMethods padLeft java.lang.CharSequence java.lang.Number java.lang.CharSequence 

However, these do not match a string being passed in, even though java.lang.String implements java.lang.CharSequence.

A really simple testcase:

stage("test normalize") {
  def foo = "thing goes here"
  if (foo instanceof java.lang.CharSequence ) {
    println foo
    println foo.normalize()
  }
} 

This results in a sandbox exception of:

[Pipeline] stage
[Pipeline] { (test normalize)
[Pipeline] echo
thing goes here
Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods normalize java.lang.String. Administrators can decide whether to approve or reject this signature.
[Pipeline] }
[Pipeline] // stage
[Pipeline] End of Pipeline
[Bitbucket] Notifying commit build result
[Bitbucket] Build result notified
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods normalize java.lang.String 

Specifically adding this to the whitelist:

staticMethod org.codehaus.groovy.runtime.StringGroovyMethods normalize java.lang.String

Allows this testcase to run without exception.

This is fairly frustrating since upstream groovy says that the java.lang.String signature for these methods is deprecated with the signature with CharSequence being preferred, which is just an interface that java.lang.String implements.

Since I'd expect most people using these methods to be using them on strings, it would be simple enough just to add the string signatures to the whitelist to resolve this.

This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)
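The behaviour the report describes follows from how an exact-signature whitelist treats overloads: the sandbox checks the overload Groovy actually resolved for the call, and a String receiver selects the String overload where Groovy declares one, so an entry naming the CharSequence overload does not cover it. The following is an added example, not code from the script-security plugin or from the reporter. It models that matching rule (stated here as an assumption) over the whitelist lines quoted in the report, and includes an audit helper that lists, for each CharSequence entry, the String counterpart that is absent. The names `Signature`, `load_whitelist`, `is_permitted` and `missing_concrete_variants` are invented for the example; the audit produces candidates only, and whether Groovy really declares a given String overload has to be confirmed against the Groovy version in use. The rejection message on the page names DefaultGroovyMethods while the entry the reporter found to work names StringGroovyMethods; the model uses the latter, since that is the entry the sandbox accepted.

```python
"""Model of an exact-signature sandbox whitelist in the style of the Jenkins
script-security generic whitelist, plus an audit for missing String variants.
Added example; not plugin code. The matching rule (the resolved overload's
whole signature must be listed verbatim; supertypes are not considered) is
an assumption made for illustration."""
from dataclasses import dataclass
from typing import Set, Tuple


@dataclass(frozen=True)
class Signature:
    kind: str                 # "staticMethod" or "method" (other kinds not modelled)
    clazz: str                # declaring class
    name: str                 # method name
    params: Tuple[str, ...]   # fully qualified parameter types, in order

    def __str__(self) -> str:
        return " ".join((self.kind, self.clazz, self.name, *self.params))


def parse_signature(line: str) -> Signature:
    """Parse one method-style whitelist line, e.g.
    'staticMethod org.codehaus.groovy.runtime.StringGroovyMethods normalize java.lang.CharSequence'.
    'new' and 'field' entries have a different shape and are rejected here."""
    parts = line.split()
    if len(parts) < 3 or parts[0] not in ("staticMethod", "method"):
        raise ValueError(f"unsupported or malformed entry: {line!r}")
    kind, clazz, name, *params = parts
    return Signature(kind, clazz, name, tuple(params))


def load_whitelist(text: str) -> Set[Signature]:
    """Blank lines and '#' comments are skipped; trailing whitespace is tolerated."""
    entries: Set[Signature] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            entries.add(parse_signature(line))
    return entries


def is_permitted(whitelist: Set[Signature], resolved_call: Signature) -> bool:
    """Exact match on the overload Groovy resolved at runtime (assumed rule):
    a String receiver picks the String overload where one exists, so an entry
    for the CharSequence overload does not cover that call."""
    return resolved_call in whitelist


def missing_concrete_variants(whitelist: Set[Signature],
                              interface: str = "java.lang.CharSequence",
                              concrete: str = "java.lang.String") -> Set[Signature]:
    """Audit: for every extension-method entry whose receiver (first parameter)
    is `interface`, report the `concrete` counterpart that is not listed.
    Candidates only; confirm each overload exists in the Groovy version in use."""
    missing: Set[Signature] = set()
    for sig in whitelist:
        if sig.kind != "staticMethod" or not sig.params or sig.params[0] != interface:
            continue
        candidate = Signature(sig.kind, sig.clazz, sig.name, (concrete,) + sig.params[1:])
        if candidate not in whitelist:
            missing.add(candidate)
    return missing


# Constructed sample: three of the CharSequence entries quoted in the report.
SAMPLE_WHITELIST = """
staticMethod org.codehaus.groovy.runtime.StringGroovyMethods isAllWhitespace java.lang.CharSequence
staticMethod org.codehaus.groovy.runtime.StringGroovyMethods normalize java.lang.CharSequence
staticMethod org.codehaus.groovy.runtime.StringGroovyMethods padLeft java.lang.CharSequence java.lang.Number
"""

# The overload that "thing goes here".normalize() resolves to for a String receiver;
# this is the entry the reporter added to make the test case pass.
STRING_NORMALIZE = parse_signature(
    "staticMethod org.codehaus.groovy.runtime.StringGroovyMethods normalize java.lang.String")


def demo():
    """Returns (permitted before the fix, permitted after, sorted audit findings)."""
    wl = load_whitelist(SAMPLE_WHITELIST)
    before = is_permitted(wl, STRING_NORMALIZE)     # False: only the CharSequence overload is listed
    gaps = sorted(str(s) for s in missing_concrete_variants(wl))
    wl.add(STRING_NORMALIZE)                         # the entry from the report
    after = is_permitted(wl, STRING_NORMALIZE)      # True
    return before, after, gaps


if __name__ == "__main__":
    before, after, gaps = demo()
    print("permitted before adding the String entry:", before)
    print("permitted after adding the String entry: ", after)
    print("candidate String variants absent from the sample whitelist:")
    for g in gaps:
        print("  ", g)
```

Run against a real generic-whitelist file, the audit gives a reviewer a list of CharSequence entries to check for a deprecated-but-still-dispatched String overload, which is the same gap the report asks to close for normalize.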

james.hogarth@gmail.com (JIRA)

Aug 12, 2019, 12:00:02 PM
to jenkinsc...@googlegroups.com
James Hogarth commented on Bug JENKINS-58894
 
Re: whitelist entry for java.lang.CharSequence does not match a java.lang.String object

A minimal PR to add a bunch of these methods (including the two specific ones we're missing for our builds) is here: https://github.com/jenkinsci/script-security-plugin/pull/262
