[JIRA] (JENKINS-59968) Variable expansion in string cause exception for pipelines


gurra.strand@gmail.com (JIRA)

Oct 29, 2019, 4:21:02 AM
to jenkinsc...@googlegroups.com
Gunnar Strand created an issue
 
Jenkins / Bug JENKINS-59968
Variable expansion in string cause exception for pipelines
Issue Type: Bug
Assignee: Unassigned
Components: pipeline
Created: 2019-10-29 08:20
Environment: Jenkins ver. 2.176.2

Plugins
AnsiColor (ansicolor): 0.6.2
Ant Plugin (ant): 1.9
Apache HttpComponents Client 4.x API Plugin (apache-httpcomponents-client-4-api): 4.5.5-3.0
Artifactory Plugin (artifactory): 3.1.0
Authentication Tokens API Plugin (authentication-tokens): 1.3
Autofavorite for Blue Ocean (blueocean-autofavorite): 1.2.2
Badge (badge): 1.8
Bitbucket Branch Source Plugin (cloudbees-bitbucket-branch-source): 2.4.0
Bitbucket Pipeline for Blue Ocean (blueocean-bitbucket-pipeline): 1.10.1
Blue Ocean (blueocean): 1.10.1
Blue Ocean Core JS (blueocean-core-js): 1.10.1
Blue Ocean Pipeline Editor (blueocean-pipeline-editor): 1.10.1
Branch API Plugin (branch-api): 2.1.2
Build Monitor View (build-monitor-plugin): 1.12+build.201809061734
Build Timestamp Plugin (build-timestamp): 1.0.3
Claim Plugin (claim): 2.15
Command Agent Launcher Plugin (command-launcher): 1.3
Common API for Blue Ocean (blueocean-commons): 1.10.1
Conditional BuildStep (conditional-buildstep): 1.3.6
Config API for Blue Ocean (blueocean-config): 1.10.1
Config File Provider Plugin (config-file-provider): 3.4.1
Configuration Slicing plugin (configurationslicing): 1.47
Configuration as Code Plugin (configuration-as-code): 1.15
Copy Artifact Plugin (copyartifact): 1.42
Credentials Binding Plugin (credentials-binding): 1.20
Credentials Plugin (credentials): 2.3.0
DTKit 2 API. (dtkit-api): 2.1.1-1
Dashboard for Blue Ocean (blueocean-dashboard): 1.10.1
Design Language (jenkins-design-language): 1.10.1
Display URL API (display-url-api): 2.3.0
Display URL for Blue Ocean (blueocean-display-url): 2.2.0
Docker Commons Plugin (docker-commons): 1.13
Docker Pipeline (docker-workflow): 1.17
Durable Task Plugin (durable-task): 1.28
Email Extension Plugin (email-ext): 2.68
Email Extension Template Plugin (emailext-template): 1.1
EnvInject API Plugin (envinject-api): 1.5
Environment Injector Plugin (envinject): 2.1.6
Events API for Blue Ocean (blueocean-events): 1.10.1
External Monitor Job Type Plugin (external-monitor-job): 1.7
Favorite (favorite): 2.3.2
Folders Plugin (cloudbees-folder): 6.7
GIT server Plugin (git-server): 1.7
Gerrit Trigger (gerrit-trigger): 2.29.0
Git Pipeline for Blue Ocean (blueocean-git-pipeline): 1.10.1
Git client plugin (git-client): 2.7.6
Git plugin (git): 3.9.1
GitHub API Plugin (github-api): 1.95
GitHub Branch Source Plugin (github-branch-source): 2.4.2
GitHub Pipeline for Blue Ocean (blueocean-github-pipeline): 1.10.1
GitHub plugin (github): 1.29.3
GitLab Plugin (gitlab-plugin): 1.5.11
Gitea Plugin (gitea): 1.0.8
Gradle Plugin (gradle): 1.30
Groovy (groovy): 2.2
Groovy Postbuild (groovy-postbuild): 2.5
HTML Publisher plugin (htmlpublisher): 1.17
Handy Uri Templates 2.x API Plugin (handy-uri-templates-2-api): 2.1.6-1.0
Hudson Post build task (postbuild-task): 1.8
Ivy Plugin (ivy): 1.28
JDK Tool Plugin (jdk-tool): 1.2
JIRA Integration for Blue Ocean (blueocean-jira): 1.10.1
JIRA plugin (jira): 3.0.5
JSch dependency plugin (jsch): 0.1.55
JUnit Plugin (junit): 1.26.1
JWT for Blue Ocean (blueocean-jwt): 1.10.1
JX Resources Plugin (jx-resources): 1.0.35
Jackson 2 API Plugin (jackson2-api): 2.9.8
JavaScript GUI Lib: ACE Editor bundle plugin (ace-editor): 1.1
JavaScript GUI Lib: Handlebars bundle plugin (handlebars): 1.1.1
JavaScript GUI Lib: Moment.js bundle plugin (momentjs): 1.1.1
JavaScript GUI Lib: jQuery bundles (jQuery and jQuery UI) plugin (jquery-detached): 1.2.1
Javadoc Plugin (javadoc): 1.4
Job Configuration History Plugin (jobConfigHistory): 2.21
Job DSL (job-dsl): 1.74
Kubernetes Credentials Plugin (kubernetes-credentials): 0.4.0
Kubernetes Credentials Provider (kubernetes-credentials-provider): 0.11
Kubernetes plugin (kubernetes): 1.14.3
LDAP Plugin (ldap): 1.20
Localization: Chinese (Simplified) (localization-zh-cn): 0.0.11
Lockable Resources plugin (lockable-resources): 2.3
Log Parser Plugin (log-parser): 2.1
Mailer Plugin (mailer): 1.23
Matrix Authorization Strategy Plugin (matrix-auth): 2.4.2
Matrix Project Plugin (matrix-project): 1.13
Maven Integration plugin (maven-plugin): 3.2
Mercurial plugin (mercurial): 2.4
Metrics Plugin (metrics): 4.0.2.2
OWASP Markup Formatter Plugin (antisamy-markup-formatter): 1.5
PAM Authentication plugin (pam-auth): 1.5.1
Parameterized Trigger plugin (parameterized-trigger): 2.35.2
Permissive Script Security Plugin (permissive-script-security): 0.5
Personalization for Blue Ocean (blueocean-personalization): 1.10.1
Pipeline (workflow-aggregator): 2.6
Pipeline Graph Analysis Plugin (pipeline-graph-analysis): 1.9
Pipeline SCM API for Blue Ocean (blueocean-pipeline-scm-api): 1.10.1
Pipeline implementation for Blue Ocean (blueocean-pipeline-api-impl): 1.10.1
Pipeline: API (workflow-api): 2.37
Pipeline: Basic Steps (workflow-basic-steps): 2.14
Pipeline: Build Step (pipeline-build-step): 2.7
Pipeline: Declarative (pipeline-model-definition): 1.3.4.1
Pipeline: Declarative Agent API (pipeline-model-declarative-agent): 1.1.1
Pipeline: Declarative Extension Points API (pipeline-model-extensions): 1.3.4.1
Pipeline: Groovy (workflow-cps): 2.74
Pipeline: Input Step (pipeline-input-step): 2.9
Pipeline: Job (workflow-job): 2.31
Pipeline: Milestone Step (pipeline-milestone-step): 1.3.1
Pipeline: Model API (pipeline-model-api): 1.3.4.1
Pipeline: Multibranch (workflow-multibranch): 2.20
Pipeline: Nodes and Processes (workflow-durable-task-step): 2.28
Pipeline: REST API Plugin (pipeline-rest-api): 2.10
Pipeline: SCM Step (workflow-scm-step): 2.7
Pipeline: Shared Groovy Libraries (workflow-cps-global-lib): 2.12
Pipeline: Stage Step (pipeline-stage-step): 2.3
Pipeline: Stage Tags Metadata (pipeline-stage-tags-metadata): 1.3.4.1
Pipeline: Stage View Plugin (pipeline-stage-view): 2.10
Pipeline: Step API (workflow-step-api): 2.20
Pipeline: Supporting APIs (workflow-support): 3.3
Plain Credentials Plugin (plain-credentials): 1.5
Pub-Sub "light" Bus (pubsub-light): 1.12
REST API for Blue Ocean (blueocean-rest): 1.10.1
REST Implementation for Blue Ocean (blueocean-rest-impl): 1.10.1
Rebuilder (rebuild): 1.31
Resource Disposer Plugin (resource-disposer): 0.12
Run Condition Plugin (run-condition): 1.2
SCM API Plugin (scm-api): 2.3.0
SSH Agent Plugin (ssh-agent): 1.17
SSH Credentials Plugin (ssh-credentials): 1.17.3
SSH Pipeline Steps (ssh-steps): 1.2.1
SSH Slaves plugin (ssh-slaves): 1.29.4
SSH plugin (ssh): 2.6.1
Script Security Plugin (script-security): 1.62
Server Sent Events (SSE) Gateway Plugin (sse-gateway): 1.17
Structs Plugin (structs): 1.20
Support Core Plugin (support-core): 2.54
Timestamper (timestamper): 1.9
Token Macro Plugin (token-macro): 2.5
Variant Plugin (variant): 1.1
View Job Filters (view-job-filters): 2.1.1
WMI Windows Agents Plugin (windows-slaves): 1.4
Web for Blue Ocean (blueocean-web): 1.10.1
Workspace Cleanup Plugin (ws-cleanup): 0.37
bouncycastle API Plugin (bouncycastle-api): 2.17
i18n for Blue Ocean (blueocean-i18n): 1.10.1
xUnit plugin (xunit): 2.3.5
Priority: Major
Reporter: Gunnar Strand

I updated the Pipeline-groovy (from 2.62 to 2.74) and the PermissiveScriptSecurity plugin (0.4 to 0.5). The Pipeline-groovy upgrade pulled in some new versions of dependencies. Now variable expansion in strings in pipelines causes an exception:

This fails:


node {
    stage('Testing') {
        foo = 'bar'
        echo "${foo}"
    }
}
java.lang.NoSuchMethodError: org.kohsuke.groovy.sandbox.impl.Checker.preCheckedCast(Ljava/lang/Class;Ljava/lang/Object;ZZZ)Lorg/kohsuke/groovy/sandbox/impl/Checker$Thunk;
	at org.jenkinsci.plugins.workflow.cps.CpsWhitelist.permitsStaticMethod(CpsWhitelist.java:102)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.ProxyWhitelist.permitsStaticMethod(ProxyWhitelist.java:188)
	at org.jenkinsci.plugins.workflow.cps.GroovyClassLoaderWhitelist.permitsStaticMethod(GroovyClassLoaderWhitelist.java:52)
...
Finished: FAILURE

This passes:

node {
    stage('Testing') {
        foo = 'bar'
        echo foo
    }
}

[Pipeline] echo
bar
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS


A (painful) workaround is to replace all variable expansion code with string concatenation.


gurra.strand@gmail.com (JIRA)

Oct 29, 2019, 4:23:02 AM
to jenkinsc...@googlegroups.com
Gunnar Strand updated an issue
Change By: Gunnar Strand
I updated the Pipeline-groovy (from 2.62 to 2.74) and the PermissiveScriptSecurity plugin (0.4 to 0.5). The Pipeline-groovy upgrade pulled in some new versions of dependencies. Now variable expansion in strings in pipelines causes an exception:

This fails:
{code}

node {
    stage('Testing') {
        foo = 'bar'
        echo "${foo}"
    }
}
{code}

{code}

java.lang.NoSuchMethodError: org.kohsuke.groovy.sandbox.impl.Checker.preCheckedCast(Ljava/lang/Class;Ljava/lang/Object;ZZZ)Lorg/kohsuke/groovy/sandbox/impl/Checker$Thunk;
at org.jenkinsci.plugins.workflow.cps.CpsWhitelist.permitsStaticMethod(CpsWhitelist.java:102)
at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.ProxyWhitelist.permitsStaticMethod(ProxyWhitelist.java:188)
at org.jenkinsci.plugins.workflow.cps.GroovyClassLoaderWhitelist.permitsStaticMethod(GroovyClassLoaderWhitelist.java:52)
...
Finished: FAILURE
{code}

This passes:

{code}

node {
    stage('Testing') {
        foo = 'bar'
        echo foo
    }
}
{code}

{code}
[Pipeline] echo
bar
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS
{code}


A (painful) workaround is to replace all variable expansion code with string concatenation.

gurra.strand@gmail.com (JIRA)

Oct 29, 2019, 4:37:02 AM
to jenkinsc...@googlegroups.com
Gunnar Strand commented on Bug JENKINS-59968
 
Re: Variable expansion in string cause exception for pipelines

I can confirm that downgrading to Pipeline: Groovy 2.62 solves the problem.

bitwiseman@gmail.com (JIRA)

Oct 30, 2019, 7:38:04 PM
to jenkinsc...@googlegroups.com

Interesting.  What happens if you do:

binding.foo = 'bar'

 

gurra.strand@gmail.com (JIRA)

Oct 31, 2019, 10:50:03 AM
to jenkinsc...@googlegroups.com

I downgraded the plugin to get production working, but I will try to reproduce the fault and try the above as soon as I can.

dnusbaum@cloudbees.com (JIRA)

Nov 18, 2019, 4:47:06 PM
to jenkinsc...@googlegroups.com

What version of script-security are you running? My best guess is that you are managing dependencies manually and have an old version of script-security installed. script-security includes groovy-sandbox as a dependency, and it is the library that defines the method from the NoSuchMethodError.

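The dependency mismatch suggested in the last comment can be checked mechanically. The following is an added example, not part of the original thread or of Jenkins itself: it parses a plugin list in the "Name (id): version" format used in this report and compares it with a `Plugin-Dependencies` value as found in a plugin's MANIFEST.MF. The sample lines and the minimum versions in the dependency string are constructed placeholders, and the version ordering is a simplification.

```python
import re

# Constructed sample in the report's "Display Name (plugin-id): version" format.
INSTALLED_SAMPLE = """\
Pipeline: Groovy (workflow-cps): 2.74
Script Security Plugin (script-security): 1.62
Structs Plugin (structs): 1.20
"""

# Constructed Plugin-Dependencies value. The minimum versions are placeholders,
# not the real requirements of any workflow-cps release.
DEPENDENCIES_SAMPLE = "script-security:1.99,structs:1.20,support-core:2.0;resolution:=optional"

def parse_installed(text):
    """Map plugin id -> installed version; the id is the last (...) before ':'."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"^.*\(([^()\s]+)\):\s*(\S+)\s*$", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def version_key(version):
    """Simplified ordering: numeric fields compare as ints, other fields as text.
    This is an assumption for the example, not Jenkins' own version comparison."""
    parts = [p for p in re.split(r"[.\-+_]", version) if p]
    return [(0, int(p)) if p.isdigit() else (1, p) for p in parts]

def parse_dependencies(header):
    """Split a Plugin-Dependencies value into (id, minimum, optional) tuples."""
    deps = []
    for entry in filter(None, (e.strip() for e in header.split(","))):
        spec, _, attrs = entry.partition(";")
        name, _, minimum = spec.partition(":")
        deps.append((name, minimum, "resolution:=optional" in attrs))
    return deps

def unmet(installed, header):
    """Return (id, required, installed) for dependencies that are missing or too old."""
    problems = []
    for name, minimum, optional in parse_dependencies(header):
        have = installed.get(name)
        if have is None:
            if not optional:          # a missing optional dependency is not an error
                problems.append((name, minimum, None))
        elif version_key(have) < version_key(minimum):
            problems.append((name, minimum, have))
    return problems

if __name__ == "__main__":
    for name, need, have in unmet(parse_installed(INSTALLED_SAMPLE), DEPENDENCIES_SAMPLE):
        print(f"{name}: installed {have or 'missing'}, required >= {need}")
```

A plugin that loads against an older dependency than it declares is the condition under which a `NoSuchMethodError` like the one in this report can appear at run time rather than at install time.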