[JIRA] [workflow-plugin] (JENKINS-28178) Option to disable sandbox in CpsScmFlowDefinition

[lars.bilke@ufz.de (JIRA)]

Lars Bilke edited a comment on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition Can you please explain the workaround in more detail? I tried to use the method you mention in the tutorial: {{ def flow node('slave') {     git '…'     flow = load 'flow.groovy'     flow.devQAStaging() } flow.production() }} But {{flow.groovy}} is still run in the sandbox. Add Comment

This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265)

[lars.bilke@ufz.de (JIRA)]

Lars Bilke commented on JENKINS-28178

[lars.bilke@ufz.de (JIRA)]

Lars Bilke edited a comment on JENKINS-28178

[lars.bilke@ufz.de (JIRA)]

Lars Bilke edited a comment on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

Can you please explain the workaround in more detail? I tried to use the method you mention in the tutorial:

``` {code:groovy}

def flow node('slave') {     git '…'     flow = load 'flow.groovy'     flow.devQAStaging() } flow.production()

``` {code}

But {{flow.groovy}} is still run in the sandbox.

Add Comment

[lars.bilke@ufz.de (JIRA)]

Lars Bilke edited a comment on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

Can you please explain the workaround in more detail? I tried to use the method you mention in the tutorial:

{code: groovy java }

def flow node('slave') {     git '…'     flow = load 'flow.groovy'     flow.devQAStaging() } flow.production() {code} But {{flow.groovy}} is still run in the sandbox.

Add Comment

[jglick@cloudbees.com (JIRA)]

Jesse Glick commented on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

Lars Bilke well of course you would need to uncheck the sandbox option in the job configuration too.

Add Comment

[lars.bilke@ufz.de (JIRA)]

Lars Bilke commented on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

Is this also possible on a Workflow Multibranch job?

Add Comment

[jglick@cloudbees.com (JIRA)]

Jesse Glick commented on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

No, currently multibranch does reuse CpsScmFlowDefinition including the forced sandbox=true. Probably this needs to be handled in that case using a BranchProperty: while you may be comfortable permitting unsandboxed execution from Jenkinsfile contents in origin/master, you would not want to allow that in a pull request on a publicly visible repository. TBD what the policy should be: allowing a customized Jenkinsfile if run in the sandbox, or just pinning a Jenkinsfile from the base branch you control. In other words, I consider the multibranch variant of this issue to be distinct.

Add Comment

[eholzwarth@littlegreensoftware.com (JIRA)]

Ed Holzwarth commented on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

Jesse Glick Is there a separate issue created for the multibranch variant of this issue? We are using the global workflow library. The setup was working with a standard workflow, but getting a RejectedAccessException after switching to the multibranch workflow which I understand from your comment forces groovy sandbox mode. org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: unclassified field java.util.ArrayList name at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.rejectField(SandboxInterceptor.java:182) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:174) How can I authorize the properties our workflow expects so that we can use the multibranch workflow?

Add Comment

[eholzwarth@littlegreensoftware.com (JIRA)]

Ed Holzwarth edited a comment on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

[~jglick] Is there a separate issue created for the multibranch variant of this issue?

We are using the global workflow library. The setup was working with a standard workflow, but getting a {{RejectedAccessException}} after switching to the multibranch workflow which I understand from your comment forces groovy sandbox mode.

{code:java}

org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: unclassified field java.util.ArrayList name at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.rejectField(SandboxInterceptor.java:182) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:174)

{code}

How can I authorize the properties our workflow expects so that we can use the multibranch workflow?

Add Comment

[eholzwarth@littlegreensoftware.com (JIRA)]

Ed Holzwarth commented on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

PS - the lines that trigger RejectedAccessExceptions with our multibranch workflow are as follows: // triggers RejectedAccessException: unclassified field java.util.ArrayList name def choices = skipDeploy + "\n" config.deployTargets*.name.join('\n') and // triggers RejectedAccessException: Scripts not permitted to use staticMethod def selectedTarget = config.deployTargets.findResult({ it.name == deployTarget ? it : null })

Add Comment

[eholzwarth@littlegreensoftware.com (JIRA)]

Ed Holzwarth updated an issue

Jenkins / JENKINS-28178

Option to disable sandbox in CpsScmFlowDefinition

Change By: Ed Holzwarth Priority: Minor Major

Add Comment

[jglick@cloudbees.com (JIRA)]

Jesse Glick commented on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition The ArrayList.name issue sounds like a bug in script-security which was already fixed; make sure you are running the latest version. It is possible you found a new corner case, of course. Best to report it in a separate issue with a standalone reproducible test case if you can come up with one. findResult could be whitelisted but it is probably not going to work anyway (with or without the sandbox) due to JENKINS-26481. At least I am guessing that is the method you are talking about; the exception message was apparently truncated.

Add Comment

[jglick@cloudbees.com (JIRA)]

Jesse Glick updated an issue

Jenkins / JENKINS-28178

Option to disable sandbox in CpsScmFlowDefinition

Change By: Jesse Glick Currently {{CpsScmFlowDefinition}} enforces sandbox mode on the grounds that whole-script approval is unrealistic (an administrator would need to approve every SCM revision, and Jenkins cannot automatically approve revisions like it could from GUI changes to a {{CpsFlowDefinition}} by an administrator). There should however be an option to simply trust the script as it comes from the SCM. This could be checked by default if Jenkins were unsecured; for a secured Jenkins, the default should remain to use the sandbox, though you could switch to trusted mode with a stern warning in form validation explaining that you are responsible for auditing all changes to that SCM repository, and noting that attackers with SCM access could take over control of Jenkins in ways that might make auditing difficult. (For example, someone with push access to a Git repository could push a script which obtains the API token of a legitimate Jenkins administrator, mails it to the attacker, then deletes the current build record; and finally force-push the attacking script out of existence except via the reflog.) Pending such an option, the workaround is given by the tutorial [here|https://github.com/jenkinsci/workflow-plugin/blob/master/TUTORIAL.md# triggering- manual-loading]: define a {{CpsFlowDefinition}} with an approved script that checks out the SCM and uses {{load}} to run it. This has the same effect at the price of more awkward configuration.

Add Comment

[bc.fisher@yahoo.com (JIRA)]

Brent Fisher commented on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition FWIW, we are running into the same multibranch RejectedAccessExceptions from simple string manipulation. I almost think it could be useful to have the possibility of a whitelist extension file. I.e. methods that I feel are safe for my own Jenkins instance. And perhaps a way to mark which branches require sandboxing, or a way to not sandbox a pull request, if the script hasn't changed? Its pretty tricky, as you say. You mentioned that this is a unique issue. Is there already logged a ticket for this multibranch situation?

Add Comment

[bc.fisher@yahoo.com (JIRA)]

Brent Fisher edited a comment on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

FWIW, we are running into the same multibranch RejectedAccessExceptions from simple string manipulation.

org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method java.lang.String substring int

I almost think it could be useful to have the possibility of a whitelist extension file.  I.e. methods that I feel are safe for my own Jenkins instance. And perhaps a way to mark which branches require sandboxing, or a way to not sandbox a pull request, if the script hasn't changed?  Its pretty tricky, as you say. You mentioned that this is a unique issue.  Is there already logged a ticket for this multibranch situation?

Add Comment

[jglick@cloudbees.com (JIRA)]

Jesse Glick commented on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

I almost think it could be useful to have the possibility of a whitelist extension file. I.e. methods that I feel are safe for my own Jenkins instance. Manage Jenkins » In-process Script Approvals

just pinning a Jenkinsfile from the base branch you control

Already implemented in the case of the GitHub branch source, so I do not suppose anything special need be done for multibranch support other than a higher-level option to disable the sandbox that would get propagated down to the branch projects.

Add Comment

[sgiterman@gmail.com (JIRA)]

gitt commented on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

We develop Pipeline scripts (stored in SCM) using staging Jenkins instance and then use them on multiple production Jenkins instances. To do this we need to re-approve all methods one by one again on each of production Jenkins (including such non-harmful methods like "java.lang.String equalsIgnoreCase java.lang.String" or "java.util.Map containsKey java.lang.Object"). Would it be possible for the administrator user to export the list off all approvals from one Jenkins and import them to another instance (just copying scriptApproval.xml seems not to work because of hash)? If only administrator is allowed to do it, it would be secure since he could review the file before uploading and only previously approved methods would be allowed.

Add Comment

[pwolf@cloudbees.com (JIRA)]

Patrick Wolf commented on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

gitt You can update the whitelist with a plugin: @Extension public static class MiscWhitelist extends ProxyWhitelist { /** * Methods to add to the script-security whitelist for this plugin to work. * * @throws IOException */ public MiscWhitelist() throws IOException { super(new StaticWhitelist( "method java.util.Map containsKey java.lang.Object", "method java.lang.Class isInstance java.lang.Object" } } If you encapsulate your whitelist in a plugin then you simply need to install the plugin on each master where you want to apply it.

Add Comment

[faheem@cliqz.com (JIRA)]

Faheem Nadeem commented on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

Hi I have some jenkinfiles which worked perfectly when I just copied them to a simple pipeline job. After shifting to a multibranch or jenkinsfile from scm all of them get a rejected access exception, which makes sense due to groovy sand boxing ERROR: Failed: org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use new java.util.HashMap on a command, which is just parsing an xml from a get with curl 13:55:28 + xmllint --xpath string(//action/cause/shortDescription) JENKINS_REST_API_RESULTS [Pipeline] readFile [Pipeline] error [Pipeline] echo My problem is I have admin privileges for jenkins. I also have permission to read/RunScripts in Overall, but I still don't see an approval request for "java.util.HashMap" in scriptApproval section. At one point I had approvals due to my testing but now what ever I try e.g. moving the job a simple pipeline enabling sandboxing, creating a multibranch, loading the jenkinsfile through scm, nothing triggers a script approval for "java.util.HashMap". Which I am not even sure I require because I am the admin my self, who is creating these jobs. And I see no way to whitelist certain methods my self, until or unless as Patrick Wolf mentioned to create a plugin and install it. Is there any solution for this currently. And I totally vote for a disabled or a limited sandboxed environment, with the choice easily accessible from the configuration.

Add Comment

[faheem@cliqz.com (JIRA)]

Faheem Nadeem edited a comment on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

Hi I have some jenkinfiles which worked perfectly when I just copied them to a simple pipeline job. After shifting to a multibranch or jenkinsfile from scm all of them get a rejected access exception, which makes sense due to groovy sand boxing

{code:java}

ERROR: Failed: org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use new java.util.HashMap

{code}

on a command, which is just parsing an xml from a get with curl

{code:java}

13:55:28 + xmllint --xpath string(//action/cause/shortDescription) JENKINS_REST_API_RESULTS [Pipeline] readFile [Pipeline] error [Pipeline] echo

{code}

My problem is I have admin privileges for jenkins. I also have permission to read/RunScripts in Overall, but I still don't see an approval request for "java.util.HashMap" in scriptApproval section.

At one point I had approvals due to my testing  but , which I accepted. But  now what ever I try e.g. moving the job a simple pipeline enabling sandboxing, creating a multibranch, loading the jenkinsfile through scm, nothing triggers a script approval for "java.util.HashMap".  Which  To top it all  I  removed the previously approved requests and now even they are not triggered :( Interestingly, I  am not even sure  why  I require  because  approvals as  I am the admin my self, who is creating these jobs.  And I see no way to whitelist certain methods my self, until or unless as [~hrmpw] mentioned to create a plugin and install it.

Is there any solution for this currently. And I totally vote for a disabled or a limited sandboxed environment, with the choice easily accessible from the configuration.

Add Comment

[danny@kirchmeier.us (JIRA)]

Danny Kirchmeier commented on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

I ended up recompiling the plugin with the sandbox option set to false. It's fragile, but it got the job done on my jenkins instance. I published my fork along with instructions to https://github.com/danthegoodman/workflow-cps-plugin/tree/disable_scm_security if anyone else want to use it.

Add Comment

[v.gimple@stemmer-imaging.de (JIRA)]

Volker Gimple commented on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

Thank you Danny - you made my day!

Add Comment

This message was sent by Atlassian JIRA (v7.1.7#71011-sha1:2526d7c)

[jglick@cloudbees.com (JIRA)]

Jesse Glick updated an issue

Jenkins / JENKINS-28178

Option to disable sandbox in CpsScmFlowDefinition

Change By: Jesse Glick Component/s: workflow-cps-plugin Component/s: pipeline

Add Comment

[jglick@cloudbees.com (JIRA)]

Jesse Glick commented on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition Faheem Nadeem whatever your issue is, it is not this. Given JENKINS-31155 and its supported for trusted libraries which wrap otherwise unsafe calls, I am even less inclined to touch this.

Add Comment

[james.ray@capitalone.com (JIRA)]

Jimmy Ray edited a comment on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

So, I know I am late to the party on this one, but we have been struggling with similar issues, making choices whether or not to use ` ` CpsScmFlowDefinition` ` or `CpsFlowDefinition`.  And it comes down to forced sandbox.  We considered rewriting the plugin, but we don't see that as a sustainable approach.  There are a lot of additional functionality that we would like to use.  I understand the security concerns around allowing sandbox behavior to be disabled at the job level.  It's the tug-of-war between DEV and OPS.  However, I would love to have this functionality.   Is toggling the sandbox behavior for `CpsScmFlowDefinition` being considered?

Add Comment

[james.ray@capitalone.com (JIRA)]

Jimmy Ray commented on JENKINS-28178

[james.ray@capitalone.com (JIRA)]

Jimmy Ray edited a comment on JENKINS-28178

[james@sandlininc.com (JIRA)]

James Sandlin commented on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

Yeah we have a very small team that manages builds for 400+ DEV & QA. Our scripts & servers are a locked down (2FA) environment to which only 5 people have access. If I can trust these 5 people with root access to a Fortune 500 company's production systems, I think I can trust them in Jenkins. Having Jenkins in this locked down environment, we are obligated to provide data to developers via in house scripting. Sadly we must write apps that run outside Jenkins to get data via the REST API and process for display. With the capabilities of Java sitting there behind our Pipeline scripts, it's very frustrating I can't utilize said capabilities.

Add Comment

[james@sandlininc.com (JIRA)]

James Sandlin edited a comment on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

Yeah we have a very small team that manages builds for 400+ DEV & QA. Our scripts & servers are a locked down (2FA) environment to which only 5 people have access. If I can trust these 5 people with root access to a Fortune 500 company's production systems, I think I can trust them in Jenkins. Having Jenkins in this locked down environment, we are obligated to provide data to developers via in house scripting. Sadly we must write apps that run outside Jenkins to get data via the REST API and process for display. With the capabilities of Java sitting there behind our Pipeline scripts, it's very frustrating I can't utilize said capabilities.

Another option: Allow wildcards in the exception list so I can just add .* as allowed.

Add Comment

[pwolf@cloudbees.com (JIRA)]

Patrick Wolf commented on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

Regarding the sandbox there are a few things I wanted to point out: The built in whitelist (and blacklist) for Script Security is available in GitHub and can be updated via a Pull Request to add more signatures. This is a great way to add common, safe functions to the sandbox that benefits everyone: https://github.com/jenkinsci/script-security-plugin/tree/master/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists https://issues.jenkins-ci.org/browse/JENKINS-25804 If you create a Shared library at the Jenkins master level all functions in this library are assumed to be safe (users must have run_script access to create add these libraries) and will bypass the sandbox. https://github.com/jenkinsci/workflow-cps-global-lib-plugin *As I mentioned in a previous comment above it is possible to append or override the Sandbox with a plugin. It would be possible to create a plugin that whitelisted everything automatically. It would not disable the sandbox but would make it allow everything. Creating this functionality as a separate plugin would be preferable to having it as part of the core functionality. This way users who want to disable the sandbox can actively do so but others aren't exposed to large security holes through misconfigurations. Can we get someone to volunteer to create such a plugin? https://issues.jenkins-ci.org/browse/JENKINS-28178?focusedCommentId=255040&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-255040 Lastly, Andrew Bayer (Andrew Bayer) presented the new Declarative Pipeline syntax at Jenkins World. This is installed with the pipeline-model-definition plugin. This plugin extends Pipeline to include a declarative syntax that does not allow imperative scripting but simplifies the construction of pipeline stages, notifications, docker images, etc to execute pipeline steps. Having end users build their Pipelines using the declarative model with no scripting also allows any syntax errors to be found during compilation, instead of runtime, and should not trigger any script security errors, any Groovy methods would be built into the step definitions themselves.

Add Comment

[pwolf@cloudbees.com (JIRA)]

Patrick Wolf edited a comment on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

Regarding the sandbox there are a few things I wanted to point out:

* The built in whitelist (and blacklist) for Script Security is available in GitHub and can be updated via a Pull Request to add more signatures. This is a great way to add common, safe functions to the sandbox that benefits everyone: ** https://github.com/jenkinsci/script-security-plugin/tree/master/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists ** https://issues.jenkins-ci.org/browse/JENKINS-25804 * If you create a Shared library at the Jenkins master level all functions in this library are assumed to be safe (users must have run_script access to create add these libraries) and will bypass the sandbox. ** https://github.com/jenkinsci/workflow-cps-global-lib-plugin

*As I mentioned in a previous comment above it is possible to append or override the Sandbox with a plugin. It would be possible to create a plugin that whitelisted everything automatically. It would not disable the sandbox but would make it allow everything. Creating this functionality as a separate plugin would be preferable to having it as part of the core functionality. This way users who want to disable the sandbox can actively do so but others aren't exposed to large security holes through misconfigurations. Can we get someone to volunteer to create such a plugin?

** https://issues.jenkins-ci.org/browse/JENKINS-28178?focusedCommentId=255040&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-255040 * Lastly, Andrew Bayer ([~abayer]) presented the new Declarative Pipeline syntax at Jenkins World. This is installed with the {{pipeline-model-definition}} plugin.  This plugin extends Pipeline to include a declarative syntax that does not allow imperative scripting but simplifies the construction of pipeline stages, notifications, docker images, etc to execute pipeline steps. Having end users build their Pipelines using the declarative model with no scripting also allows any syntax errors to be found during compilation, instead of runtime, and should not trigger any script security errors, any Groovy methods would be built into the step definitions themselves.

Add Comment

[pwolf@cloudbees.com (JIRA)]

Patrick Wolf edited a comment on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

Regarding the sandbox there are a few things I wanted to point out: * The built in whitelist (and blacklist) for Script Security is available in GitHub and can be updated via a Pull Request to add more signatures. This is a great way to add common, safe functions to the sandbox that benefits everyone:

** [Whitelists| https://github.com/jenkinsci/script-security-plugin/tree/master/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists ] ** [Ticket on how to update whitelist| https://issues.jenkins-ci.org/browse/JENKINS-25804 ]

* If you create a Shared library at the Jenkins master level all functions in this library are assumed to be safe (users must have run_script access to create add these libraries) and will bypass the sandbox.

** [Shared Libraries| https://github.com/jenkinsci/workflow-cps-global-lib-plugin ] * As I mentioned in a previous comment above it is possible to append or override the Sandbox with a plugin. It would be possible to create a plugin that whitelisted everything automatically. It would not disable the sandbox but would make it allow everything. Creating this functionality as a separate plugin would be preferable to having it as part of the core functionality. This way users who want to disable the sandbox can actively do so but others aren't exposed to large security holes through misconfigurations. Can we get someone to volunteer to create such a plugin? ** [Comment| https://issues.jenkins-ci.org/browse/JENKINS-28178?focusedCommentId=255040&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-255040 ]

* Lastly, Andrew Bayer ([~abayer]) presented the new Declarative Pipeline syntax at Jenkins World. This is installed with the {{pipeline-model-definition}} plugin.  This plugin extends Pipeline to include a declarative syntax that does not allow imperative scripting but simplifies the construction of pipeline stages, notifications, docker images, etc to execute pipeline steps. Having end users build their Pipelines using the declarative model with no scripting also allows any syntax errors to be found during compilation, instead of runtime, and should not trigger any script security errors, any Groovy methods would be built into the step definitions themselves.

Add Comment

[danny@kirchmeier.us (JIRA)]

Danny Kirchmeier commented on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

> It would be possible to create a plugin that whitelisted everything automatically. It would not disable the sandbox but would make it allow everything. Creating this functionality as a separate plugin would be preferable to having it as part of the core functionality. This way users who want to disable the sandbox can actively do so but others aren't exposed to large security holes through misconfigurations. Can we get someone to volunteer to create such a plugin? It appears someone may have created such a plugin: https://wiki.jenkins-ci.org/display/JENKINS/Permissive+Script+Security+Plugin I haven't had a chance to try this plugin out for myself, but it looks promising.

Add Comment

[danny@kirchmeier.us (JIRA)]

Danny Kirchmeier edited a comment on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

> {quote} It would be possible to create a plugin that whitelisted everything automatically. It would not disable the sandbox but would make it allow everything. Creating this functionality as a separate plugin would be preferable to having it as part of the core functionality. This way users who want to disable the sandbox can actively do so but others aren't exposed to large security holes through misconfigurations. Can we get someone to volunteer to create such a plugin? {quote}

It appears someone may have created such a plugin: https://wiki.jenkins-ci.org/display/JENKINS/Permissive+Script+Security+Plugin I haven't had a chance to try this plugin out for myself, but it looks promising.

Add Comment

[jglick@cloudbees.com (JIRA)]

Jesse Glick commented on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

Do not install that plugin unless as an admin you can verify that either all authenticated users are fully trusted, or there is no way anyone can either create jobs or edit Pipeline script. I really do not recommend it.

Add Comment

[federicon@al.com.au (JIRA)]

Federico Naum assigned an issue to Federico Naum

Jenkins / JENKINS-28178

Option to disable sandbox in CpsScmFlowDefinition

Change By: Federico Naum Assignee: Jesse Glick Federico Naum

Add Comment

[federicon@al.com.au (JIRA)]

Federico Naum commented on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition Just checking if the issue I'm seeing is the same as this one. I have a _ global shared library_ (https://wiki.jenkins-ci.org/display/JENKINS/Pipeline+Shared+Groovy+Libraries+Plugin) setup that works fine, but when I try to run something from a branch using the Library@BranchName notation I get the {{ hudson.remoting.ProxyException: groovy.lang.MissingMethodException:}} exception The thing is that I'm running the job with the admin user which has full permissions. Also, the exception is not logged in under In-process Script Approval so I can not whitelist it. Is this another bug or is it the same? Do you need logs or something? Since we do trust all the authenticated users and since we are using github enterprise as the backend for the global shared library, we have every branch created and every commit logged, so I gave the https://wiki.jenkins-ci.org/display/JENKINS/Permissive+Script+SecuIrity+Plugin a try, but did not work. If the configuration toggle is not going to be implemented, I think my next step is to recompile this plugin with the sandbox disable?

Add Comment

[federicon@al.com.au (JIRA)]

Federico Naum edited a comment on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

Just checking if the issue I'm seeing is the same as this one.

I have a _   [ global shared library_ library|http://example.com] (https://wiki.jenkins-ci.org/display/JENKINS/Pipeline+Shared+Groovy+Libraries+Plugin ) ] setup that works fine, but when I try to run something from a branch using the _Library@BranchName_ notation I get the {{ hudson.remoting.ProxyException: groovy.lang.MissingMethodException:}} exception The thing is that I'm running the job with the admin user which has full permissions.  Also, the exception is not logged in under *In-process Script Approval* so I can not whitelist it.

Is this another bug or is it the same? Do you need logs or something?

Since we do trust all the authenticated users and since we are using github enterprise as the backend for the global shared library, we have every branch created and every commit logged, so I gave the [permissive plugin script| https://wiki.jenkins-ci.org/display/JENKINS/Permissive+Script+SecuIrity+Plugin ] a try, but did not work.

If the configuration toggle is not going to be implemented, I think my next step is to recompile this plugin with the sandbox disable?

Add Comment

[federicon@al.com.au (JIRA)]

Federico Naum edited a comment on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

Just checking if the issue I'm seeing is the same as this one.

I have a  [ global shared library| http://example.com]( https://wiki.jenkins-ci.org/display/JENKINS/Pipeline+Shared+Groovy+Libraries+Plugin] setup that works fine, but when I try to run something from a branch using the _Library@BranchName_ notation I get the {{ hudson.remoting.ProxyException: groovy.lang.MissingMethodException:}} exception

The thing is that I'm running the job with the admin user which has full permissions.  Also, the exception is not logged in under *In-process Script Approval* so I can not whitelist it. Is this another bug or is it the same? Do you need logs or something? Since we do trust all the authenticated users and since we are using github enterprise as the backend for the global shared library, we have every branch created and every commit logged, so I gave the [permissive plugin script|https://wiki.jenkins-ci.org/display/JENKINS/Permissive+Script+SecuIrity+Plugin] a try, but did not work. If the configuration toggle is not going to be implemented, I think my next step is to recompile this plugin with the sandbox disable?

Add Comment

[federicon@al.com.au (JIRA)]

Federico Naum edited a comment on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

Just checking if the issue I'm seeing is the same as this one.

I have a  [global shared library|https://wiki.jenkins-ci.org/display/JENKINS/Pipeline+Shared+Groovy+Libraries+Plugin] setup that works fine, but when I try to run something from a branch using the _Library ('library @ BranchName_ BranchName')_ notation I get the {{hudson.remoting.ProxyException: groovy.lang.MissingMethodException:}} exception

The thing is that I'm running the job with the admin user which has full permissions.  Also, the exception is not logged in under *In-process Script Approval* so I can not whitelist it. Is this another bug or is it the same? Do you need logs or something? Since we do trust all the authenticated users and since we are using github enterprise as the backend for the global shared library, we have every branch created and every commit logged, so I gave the [permissive plugin script|https://wiki.jenkins-ci.org/display/JENKINS/Permissive+Script+SecuIrity+Plugin] a try, but did not work. If the configuration toggle is not going to be implemented, I think my next step is to recompile this plugin with the sandbox disable?

Add Comment

[federicon@al.com.au (JIRA)]

Federico Naum commented on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

Hi Sorry for the noise, I got this working now. I re-read the documentation at https://jenkins.io/doc/book/pipeline/shared-libraries/ and found this piece of text which I think it was not there the first time I read it For Shared Libraries which only define Global Variables (vars/), or a Jenkinsfile which only needs a Global Variable, the annotation pattern @Library('my-shared-library') _ may be useful for keeping code concise. In essence, instead of annotating an unnecessary import statement, the symbol _ is annotated. Anyway, basically now (without using the permissive plugin script ) this is working using the notation @Library('library@BranchName') _ instead of: @Library('library@BranchName') import foo where foo is a file in {{ /var/foo.groovy}}

Add Comment

[federicon@al.com.au (JIRA)]

Federico Naum edited a comment on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

Hi Sorry for the noise, I got this working now. I re-read the documentation at https://jenkins.io/doc/book/pipeline/shared-libraries/ and found this piece of text which I think it was not there the first time I read it

??For Shared Libraries which only define Global Variables (vars/), or a Jenkinsfile which only needs a Global Variable, the annotation pattern @Library('my-shared-library') _ may be useful for keeping code concise. In essence, instead of annotating an unnecessary import statement, the symbol _ is annotated.?? Anyway, basically now (without using the [permissive plugin script|https://wiki.jenkins-ci.org/display/JENKINS/Permissive+Script+SecuIrity+Plugin] ) this is working using the notation *@Library('library@BranchName') \_* instead of: *@Library('library@BranchName')* *import foo* where {{foo}} is a file in {{ * /var/foo.groovy }} *

Add Comment

[federicon@al.com.au (JIRA)]

Federico Naum edited a comment on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

Hi Sorry for the noise, I got this working now. I re-read the documentation at https://jenkins.io/doc/book/pipeline/shared-libraries/ and found this piece of text which I think it was not there the first time I read it ??For Shared Libraries which only define Global Variables (vars/), or a Jenkinsfile which only needs a Global Variable, the annotation pattern @Library('my-shared-library') _ may be useful for keeping code concise. In essence, instead of annotating an unnecessary import statement, the symbol _ is annotated.??

Anyway, basically now (without using the [permissive plugin script|https://wiki.jenkins-ci.org/display/JENKINS/Permissive+Script+SecuIrity+Plugin] ) this is working using the notation by switching *@Library('library@BranchName') \_ * instead of: * @Library('library@BranchName')* * import foo* where {{foo}} is a file in */var/foo.groovy* with the following notation: *@Library('library@BranchName') \_* I bit anti-intuitive for me, but hey.. I'm happy that this is working

Add Comment

[jglick@cloudbees.com (JIRA)]

Jesse Glick assigned an issue to Unassigned

Jenkins / JENKINS-28178

Option to disable sandbox in CpsScmFlowDefinition

Change By: Jesse Glick Assignee: Federico Naum

Add Comment

[p.rogovoy@gmail.com (JIRA)]

Pavel Rogovoy commented on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition +1 for adding a feature to turn off the script security altogether. I spend a lot of time fighting with this even though everyone is admin on the team. "Permisssive Script Security" plugin is not the best solution as it doesn't work for us! I think this feature must be disabled altogether as it performs very awful as for today.

Add Comment

This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e)

[p.rogovoy@gmail.com (JIRA)]

Pavel Rogovoy updated an issue

Jenkins / JENKINS-28178

Option to disable sandbox in CpsScmFlowDefinition

Change By: Pavel Rogovoy Issue Type: Improvement Bug

Add Comment

[p.rogovoy@gmail.com (JIRA)]

Pavel Rogovoy updated an issue

Jenkins / JENKINS-28178

Option to disable sandbox in CpsScmFlowDefinition

Change By: Pavel Rogovoy Priority: Major Critical

Add Comment

[p.rogovoy@gmail.com (JIRA)]

Pavel Rogovoy updated an issue

Jenkins / JENKINS-28178

Option to disable sandbox in CpsScmFlowDefinition

Change By: Pavel Rogovoy Priority: Critical Blocker

Add Comment

[p.rogovoy@gmail.com (JIRA)]

Pavel Rogovoy updated an issue

Jenkins / JENKINS-28178 Option to disable sandbox in CpsScmFlowDefinition

Change By: Pavel Rogovoy Priority: Blocker Critical

Add Comment

[jonas.l.jonsson@ericsson.com (JIRA)]

Jonas Jonsson commented on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition As a Jenkins-admin with quite a few system groovy scripts, I would like to white-list certain paths (that contains my version controlled scripts) as 100% secure, so that I (once the change has been submitted) can use the latest and most up-to-date version of my script immediately.  May it be pipelines or groovy system scripts, if the Jenkins-admin approve the scripts (before they're executed), they should be allowed to run.

Add Comment

[jglick@cloudbees.com (JIRA)]

Jesse Glick updated an issue

Jenkins / JENKINS-28178

Option to disable sandbox in CpsScmFlowDefinition

Better to use trusted libraries. Change By: Jesse Glick Issue Type: Bug New Feature

Add Comment

[mattvonrocketstein@gmail.com (JIRA)]

matt matthews edited a comment on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition Suggestign Suggesting to just use shared/trusted libraries is not enough IMHO, we need a switch to turn this stuff off.  as an example, today I have a basic Jenkinsfile that's throwing errors with [].tail(): Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods tail java.lang.Object[]. Job console offers a link to go to the ScriptApproval URL to approve, but then it does not remember the approval.. I return to the job generating the error and then it happens again in exactly the same way, telling me to approve.  There's nothing further I can even do here to debug that problem (which is just another distraction from the work I really want to do), so I get forced into rewrite `[].tail()` as different-but-equivalent groovy, something with `[].findAll{}`, which just works.  So why is Jenkins not remembering the approvals?  Why is `findAll` safer than `tail`?  Why does this plugin exist in the ecosystem if it doesn't work and can't work? [https://wiki.jenkins.io/display/JENKINS/Permissive+Script+Security+Plugin] Like other users, our Jenkins is behind a VPN, and we have multiple Jenkins instances so that we don't have to deal with all the complexity of highly granular user/job/credential permissioning.  Since all people who can login to a given instance are admins on that instance.. our experience is that none of script-security stuff adds security, it just degrades our stability. Please, can we just get a config option to just turn this off everywhere?

Add Comment

This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)

[mattvonrocketstein@gmail.com (JIRA)]

matt matthews commented on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

Suggestign to just use shared/trusted libraries is not enough IMHO, we need a switch to turn this stuff off.  as an example, today I have a basic Jenkinsfile that's throwing errors with [].tail():

[mattvonrocketstein@gmail.com (JIRA)]

matt matthews edited a comment on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

Suggesting to just use shared/trusted libraries is not enough IMHO, we need a switch to turn this stuff off.  as an example, today I have a basic Jenkinsfile that's throwing errors with [].tail():

[christoph.henrici@chesnb.com (JIRA)]

Christoph Henrici commented on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

Second   matt matthews

Add Comment

[fnasser@redhat.com (JIRA)]

Fernando Nasser commented on JENKINS-28178

Re: Option to disable sandbox in CpsScmFlowDefinition

Third that.

Add Comment