[JIRA] (JENKINS-61901) Cannot evaluate Folder properties in Jenkins pipline script

7 views

Skip to first unread message

smurugesh1686@gmail.com (JIRA)

unread,

Apr 14, 2020, 2:45:04 PM4/14/20

to jenkinsc...@googlegroups.com

Murugesh Subramaniam created an issue

Jenkins /

JENKINS-61901

Cannot evaluate Folder properties in Jenkins pipline script

Issue Type:	Bug
Assignee:	Andrew Bayer
Components:	script-security-plugin
Created:	2020-04-14 18:44
Environment:	Jenkins 2.89.x Script Security 1.39 & 1.43
Priority:	Minor
Reporter:	Murugesh Subramaniam

Steps to reproduce:

1. Create a freestyle job
2. Add "Execute system Groovy script" build step
3. Add content (see below)
4. Run build with "Use Groovy Sandbox" enabled.
5. Run without "Use Groovy Sandbox" enabled

Script content:

 
                                                                def someArrayList = []

println someArrayList.name

This works with Sandbox disabled. When enabled, the following exception is thrown:

 
                                                                ERROR: Build step failed with exception
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: No such field found: field java.util.ArrayList name
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.unclassifiedField(SandboxInterceptor.java:397)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:381)
	at org.kohsuke.groovy.sandbox.impl.Checker$6.call(Checker.java:288)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:292)
	at org.kohsuke.groovy.sandbox.impl.Checker$checkedGetProperty.callStatic(Unknown Source)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:230)
	at Script1.run(Script1.groovy:3)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:141)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript.evaluate(SecureGroovyScript.java:333)
	at hudson.plugins.groovy.SystemGroovy.run(SystemGroovy.java:95)
	at hudson.plugins.groovy.SystemGroovy.perform(SystemGroovy.java:59)
	at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
	at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:744)
	at hudson.model.Build$BuildExecution.build(Build.java:206)
	at hudson.model.Build$BuildExecution.doRun(Build.java:163)
	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:504)
	at hudson.model.Run.execute(Run.java:1724)
	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
	at hudson.model.ResourceController.execute(ResourceController.java:97)
	at hudson.model.Executor.run(Executor.java:429)
Build step 'Execute system Groovy script' marked build as failure
Finished: FAILURE
 
                                                            

It looks like, outside the sandbox, groovy evaluates

 
                                                                someArrayList.name

 
                                                                someArrayList.collect { it.name }

but inside the sandbox, this doesn't happen.

Feedback from Andrew:

fwiw, it's https://github.com/apache/groovy/blob/eedc6bfcd134749e7d76b05031dfbd914cec2d6e/src/main/org/codehaus/groovy/runtime/DefaultGroovyMethods.java#L7855 we need to somehow handle - we have to check the contents of the list to see if the objects in there can have that field accessed.

The workaround currently is to change to using:

 
                                                                someArrayList.collect { it.name }

when using the sandbox.

Add Comment

This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)

smurugesh1686@gmail.com (JIRA)

unread,

Apr 14, 2020, 2:47:04 PM4/14/20

to jenkinsc...@googlegroups.com

Murugesh Subramaniam updated an issue

Jenkins /

JENKINS-61901

Cannot evaluate Folder properties in Jenkins pipline script

Change By:	Murugesh Subramaniam
Priority:	Minor Major

Add Comment

smurugesh1686@gmail.com (JIRA)

unread,

Apr 14, 2020, 2:47:05 PM4/14/20

to jenkinsc...@googlegroups.com

Murugesh Subramaniam updated an issue

Jenkins /

JENKINS-61901

Cannot evaluate Folder properties in Jenkins pipline script

Change By:	Murugesh Subramaniam
Environment:	Jenkins 2. 89 150 . x 1 Script Security 1. 39 & 1.43 71

Add Comment

smurugesh1686@gmail.com (JIRA)

unread,

Apr 14, 2020, 2:50:03 PM4/14/20

to jenkinsc...@googlegroups.com

Murugesh Subramaniam updated an issue

Jenkins /

JENKINS-61901

Cannot evaluate Folder properties in Jenkins pipline script

Change By:	Murugesh Subramaniam

Steps to reproduce:

1. Create a freestyle job multibranch pipeline inside a folder
2. Add "Execute system Groovy script" build step

3. Add content (see below)

4. Run build Configure Folder properties with Name: " Use Groovy Sandbox testURL " enabled Value"http://10 .
5 ** . Run without **.**:**** " Use Groovy Sandbox" enabled

Script content:

{code :java }

def someArrayList = []

println someArrayList.name

{code}

This works with Sandbox disabled. When enabled, the following exception is thrown:

{noformat}

It looks like, outside the sandbox, groovy evaluates

{code :java }
someArrayList.name
{code}

to

{code :java }
someArrayList.collect { it.name }
{code}

but inside the sandbox, this doesn't happen.

Feedback from Andrew:

{quote}

fwiw, it's [ https://github.com/apache/groovy/blob/eedc6bfcd134749e7d76b05031dfbd914cec2d6e/src/main/org/codehaus/groovy/runtime/DefaultGroovyMethods.java#L7855 ]

we need to somehow handle - we have to check the contents of the list to see if the objects in there can have that field accessed.
{quote}

The workaround currently is to change to using:

{code :java }
someArrayList.collect { it.name }
{code}

when using the sandbox.