[JIRA] (JENKINS-41557) manager.createSummary().appendText() fails in sandbox


info@michael-jansen.biz (JIRA)
Jan 30, 2017, 7:24:01 AM
to jenkinsc...@googlegroups.com
Michael jansen created an issue

Jenkins / Bug JENKINS-41557
manager.createSummary().appendText() fails in sandbox
Issue Type: Bug
Assignee: Unassigned
Components: workflow-aggregator-plugin
Created: 2017/Jan/30 12:23 PM
Environment: Jenkins 2.32.1
All plugins up to date today 30.01.2017 eg. Pipeline 2.4
Priority: Minor
Reporter: Michael jansen

The following Pipeline Script fails in the sandbox

node {
    stage("this works but is useless") {
        manager.createSummary("warning.gif") 
        
    }
    
    stage("this triggers bug") {
        manager.createSummary("warning.gif").appendText('test')
    }
}

With the following error.

org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: unclassified method org.jvnet.hudson.plugins.groovypostbuild.GroovyPostbuildSummaryAction appendText java.lang.String
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:113)
	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:149)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:146)

Additional Notes

Interestingly the method does not show up under "In Process Script Approval" afterwards. That happened for two others:

method org.jvnet.hudson.plugins.groovypostbuild.GroovyPostbuildRecorder$BadgeManager createSummary java.lang.String
staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods stripIndent java.lang.String

And as I type this I notice the createSummary method perhaps should be available from the sandbox without manual approval too. Or the documentation which explicitly mentions them should be updated.

This message was sent by Atlassian JIRA (v7.1.7#71011-sha1:2526d7c)

info@michael-jansen.biz (JIRA)
Jan 30, 2017, 7:30:03 AM
to jenkinsc...@googlegroups.com
Michael jansen updated an issue
Change By: Michael jansen
The following Pipeline Script fails in the sandbox

{code}
node {
    stage("this triggers bug without script approval") {
        manager.createSummary("warning.gif").appendText('test')
    }

    stage("this triggers bug with script approval") {
        manager.createSummary("warning.gif").appendText("<h1>You have been warned!</h1>", false, false, false, "red")
    }
}
{code}

With the following error.

{noformat}
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: unclassified method org.jvnet.hudson.plugins.groovypostbuild.GroovyPostbuildSummaryAction appendText java.lang.String
at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:113)
at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:149)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:146)
{noformat}

*Additional Notes*

Now after writing the bug I see that when I copy+paste the documentation example it fails but I get a pending script approval.

I guess those methods should be available in the sandbox by default?

{noformat}
method org.jvnet.hudson.plugins.groovypostbuild.GroovyPostbuildRecorder$BadgeManager createSummary java.lang.String
method org.jvnet.hudson.plugins.groovypostbuild.GroovyPostbuildSummaryAction appendText java.lang.String boolean boolean boolean java.lang.String
{noformat}

And as I type this I notice the createSummary method perhaps should be available from the sandbox without manual approval too. Or the documentation which explicitly mentions them should be updated.

jglick@cloudbees.com (JIRA)
Feb 1, 2017, 11:59:03 AM
to jenkinsc...@googlegroups.com
Jesse Glick assigned an issue to wolfs

Possibly just a missing @Whitelisted annotation.

Change By: Jesse Glick
Component/s: groovy-postbuild-plugin
Component/s: workflow-aggregator-plugin
Assignee: wolfs

info@michael-jansen.biz (JIRA)
Feb 1, 2017, 1:05:02 PM
to jenkinsc...@googlegroups.com
Michael jansen commented on Bug JENKINS-41557

Re: manager.createSummary().appendText() fails in sandbox

I btw. found more information. It's possible this should at most be a documentation change. See the groovy-postbuild plugin's documentation under "Non whitelisted" methods.

I was just surprised a method actively endorsed in the documentation was not whitelisted.

devld@ikedam.jp (JIRA)
Feb 9, 2017, 4:54:01 PM
to jenkinsc...@googlegroups.com
ikedam commented on Bug JENKINS-41557

`GroovyPostbuildSummaryAction` accepts HTML tags and can cause XSS.
And it's not whitelisted for now as explained in the wiki page.

rodrigc@FreeBSD.org (JIRA)
Feb 15, 2017, 7:54:02 PM
to jenkinsc...@googlegroups.com
Craig Rodrigues edited a comment on Bug JENKINS-41557
[~ikedam] How is this supposed to work?

I put this one line in my pipeline script:

{noformat}
manager.createSummary("green.gif").appendText('test')
{noformat}

and got this traceback:


{noformat}
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: unclassified method org.jvnet.hudson.plugins.groovypostbuild.GroovyPostbuildSummaryAction appendText java.lang.String
at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:113)
at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:149)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:146)
at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:16)
at WorkflowScript.run(WorkflowScript:14)
at ___cps.transform___(Native Method)
at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:57)
at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:109)
at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:82)
at sun.reflect.GeneratedMethodAccessor380.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
at com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21)
at com.cloudbees.groovy.cps.Next.step(Next.java:74)
at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:154)
at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:18)
at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:33)
at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:30)
at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:108)
at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:30)
at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:165)
at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:328)
at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$100(CpsThreadGroup.java:80)
at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:240)
at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:228)
at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:64)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:112)
at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Finished: FAILURE
{noformat}


I went to the *In-process Script Approval* link,
but it did not have any option to whitelist appendText().

So is there no way to get appendText() to work
inside a pipeline?

devld@ikedam.jp (JIRA)
Feb 27, 2017, 6:28:03 PM
to jenkinsc...@googlegroups.com
ikedam resolved as Not A Defect

They are not whitelisted as documented for now.
It's not a bug.

Change By: ikedam
Status: Open Resolved
Resolution: Not A Defect

DanaGoyette@gmail.com (JIRA)
Mar 12, 2018, 8:55:03 PM
to jenkinsc...@googlegroups.com

Perhaps there should be a second variant of the function, that always escapes HTML? Such a variant seems like it would be safe to whitelist.

This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e)
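ikedam's point (a summary action that accepts raw HTML lets a sandboxed script inject markup into the build page) and Dana's suggested fix (a second variant that always escapes, which would be a reasonable whitelist candidate) can be put side by side in code. The class below is an added example written for this thread, not groovy-postbuild's own code: `SummaryAction`, `appendEscapedText`, `escapeHtml` and `containsMarkup` are hypothetical stand-ins for the plugin's `GroovyPostbuildSummaryAction.appendText`, and the input string is constructed (it reuses the `<h1>` text from the report above).

```java
// Added example, not groovy-postbuild's own code: a minimal model of a build
// summary with a raw appendText() and an always-escaping variant, showing why
// only the escaping one is a sensible candidate for the sandbox whitelist.
public class SummaryEscapeDemo {

    /** Hypothetical stand-in for GroovyPostbuildSummaryAction. */
    public static final class SummaryAction {
        private final StringBuilder html = new StringBuilder();

        /** Raw append: the argument is emitted as markup. Whatever a sandboxed
         *  script passes here is rendered by the browser of whoever views the build. */
        public SummaryAction appendText(String text) {
            html.append(text);
            return this;
        }

        /** Escaping append (the variant suggested in the thread, hypothetical name):
         *  every HTML-significant character is encoded, so the argument can only
         *  ever render as text, regardless of what the caller passes. */
        public SummaryAction appendEscapedText(String text) {
            html.append(escapeHtml(text));
            return this;
        }

        public String getHtml() {
            return html.toString();
        }
    }

    /** Encodes the five characters that can break out of HTML text or attribute context. */
    public static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** True if the rendered summary still contains raw tag delimiters, i.e. the
     *  input reached the page as markup rather than as text. */
    public static boolean containsMarkup(String rendered) {
        return rendered.indexOf('<') >= 0 || rendered.indexOf('>') >= 0;
    }

    public static void main(String[] args) {
        // Constructed input: the markup from the ticket's own example. Any other tag
        // a script could pass (from a commit message, a PR title, build output) is
        // treated the same way by both methods.
        String untrusted = "<h1>You have been warned!</h1>";

        String raw = new SummaryAction().appendText(untrusted).getHtml();
        String escaped = new SummaryAction().appendEscapedText(untrusted).getHtml();

        // raw     : <h1>You have been warned!</h1>  markup=true
        // escaped : &lt;h1&gt;You have been warned!&lt;/h1&gt;  markup=false
        System.out.println("raw     : " + raw + "  markup=" + containsMarkup(raw));
        System.out.println("escaped : " + escaped + "  markup=" + containsMarkup(escaped));
    }
}
```

The raw method has to stay outside the whitelist because the script-security sandbox decides per method signature, not per argument; it cannot tell a harmless string from one carrying markup. The escaping variant produces text-only output for every argument, which is the property that makes a method safe to expose to untrusted pipeline scripts without an administrator's approval. A check like `containsMarkup` over the rendered summary is the assertion a plugin test for such a variant would make.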