Pipeline: irreconcilable unclassified staticMethod exception in sandbox mode

Brian Ray

Oct 4, 2016, 1:05:38 PM
to Jenkins Users
In trying to make a temporary stopgap for JIRA-26100, I came up with this toy code that runs fine in the (unsandboxed, natch) Script Console:

import org.tmatesoft.svn.core.internal.io.dav.DAVRepositoryFactory
import org.tmatesoft.svn.core.SVNURL

DAVRepositoryFactory.setup()
url = SVNURL.parseURIEncoded('https://foosvnserver/svn/awesome_proj/trunk')
//FIXME: can't get this past script-security even when whitelisted per the
//       stack trace,
//
//       staticMethod org.tmatesoft.svn.core.internal.io.dav.DAVRepositoryFactory create org.tmatesoft.svn.core.SVNURL
repo = DAVRepositoryFactory.create(url)
repo.properties
println "Latest rev for trunk Java: $repo.latestRevision"


In trying it as a sandboxed, non-multibranch Pipeline script I had to whitelist the SVNKit static methods. The first two that popped up went fine; the approval effectively whitelisted them:

staticMethod org.tmatesoft.svn.core.SVNURL parseURIEncoded java.lang.String
staticMethod org.tmatesoft.svn.core.internal.io.dav.DAVRepositoryFactory setup


But the last one is apparently intractable. I had to manually add this one to scriptApproval.xml because the scriptApproval page wouldn't display it for approval.

staticMethod org.tmatesoft.svn.core.internal.io.dav.DAVRepositoryFactory create org.tmatesoft.svn.core.SVNURL


Even after bouncing the master the sandboxed script still throws the following stack trace. It feels like I'm missing something elementary. Any ideas on why that method is not effectively being whitelisted? (Note: the stack trace references line 12 of the script but I chopped some comment lines from the above script excerpt. It is flagging the DAVRepositoryFactory.create(url) call.)

org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: unclassified staticMethod org.tmatesoft.svn.core.internal.io.dav.DAVRepositoryFactory create org.tmatesoft.svn.core.SVNURL
    at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onStaticCall(SandboxInterceptor.java:138)
    at org.kohsuke.groovy.sandbox.impl.Checker$2.call(Checker.java:180)
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedStaticCall(Checker.java:177)
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:91)
    at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:16)
    at WorkflowScript.run(WorkflowScript:12)
    at ___cps.transform___(Native Method)
    at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:48)
    at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:109)
    at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:82)
    at sun.reflect.GeneratedMethodAccessor342.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
    at com.cloudbees.groovy.cps.impl.PropertyishBlock$ContinuationImpl.get(PropertyishBlock.java:76)
    at com.cloudbees.groovy.cps.LValueBlock$GetAdapter.receive(LValueBlock.java:30)
    at com.cloudbees.groovy.cps.impl.PropertyishBlock$ContinuationImpl.fixName(PropertyishBlock.java:66)
    at sun.reflect.GeneratedMethodAccessor344.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
    at com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21)
    at com.cloudbees.groovy.cps.Next.step(Next.java:58)
    at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:154)
    at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:18)
    at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:33)
    at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:30)
    at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:108)
    at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:30)
    at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:163)
    at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:324)
    at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$100(CpsThreadGroup.java:78)
    at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:236)
    at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:224)
    at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:63)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:112)
    at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Finished: FAILURE
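
A check for the situation described in the post above, added here as an example and not part of the original message: it compares the signature in the RejectedAccessException line with the entries of a hand-edited scriptApproval.xml and reports whether the entry is approved verbatim, present but in another section or with different whitespace, or absent. The XML sample is constructed, and its element layout and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample; section names assumed to follow script-security's
# scriptApproval.xml. The third entry has a doubled space, as a hand edit might.
SAMPLE_XML = """<scriptApproval plugin="script-security@1.23">
  <approvedScriptHashes/>
  <approvedSignatures>
    <string>staticMethod org.tmatesoft.svn.core.SVNURL parseURIEncoded java.lang.String</string>
    <string>staticMethod org.tmatesoft.svn.core.internal.io.dav.DAVRepositoryFactory setup</string>
    <string>staticMethod org.tmatesoft.svn.core.internal.io.dav.DAVRepositoryFactory  create org.tmatesoft.svn.core.SVNURL</string>
  </approvedSignatures>
  <pendingSignatures/>
</scriptApproval>
"""

# First line of the stack trace quoted in the post.
TRACE_LINE = ("org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: "
              "unclassified staticMethod org.tmatesoft.svn.core.internal.io.dav."
              "DAVRepositoryFactory create org.tmatesoft.svn.core.SVNURL")

SIG_RE = re.compile(r"RejectedAccessException:\s+(?:unclassified\s+)?"
                    r"((?:staticMethod|staticField|method|field|new)\s.+)")

def rejected_signature(trace):
    """Extract the rejected signature from a stack trace, or None."""
    m = SIG_RE.search(trace)
    return m.group(1).strip() if m else None

def audit(xml_text, signature):
    """List (section, kind) for each entry equal to the signature token by token."""
    want, hits = signature.split(), []
    for section in ET.fromstring(xml_text):
        for node in section.iter():
            text = node.text or ""
            if text.split() == want:
                kind = "exact" if text == signature else "whitespace-differs"
                hits.append((section.tag, kind))
    return hits

def verdict(xml_text, trace):
    sig = rejected_signature(trace)
    if sig is None:
        return "no-signature"
    hits = audit(xml_text, sig)
    if ("approvedSignatures", "exact") in hits:
        return "approved"
    return "present-but-not-effective" if hits else "absent"

if __name__ == "__main__":
    print(verdict(SAMPLE_XML, TRACE_LINE))
```
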


Brian Ray

Oct 4, 2016, 1:16:34 PM
to Jenkins Users
More info: running LTS 2.7.4 core with the following relevant Pipeline and Script Security plugins:

Pipeline: Build Step    pipeline-build-step            2.3
Pipeline Graph Analysis Plugin    pipeline-graph-analysis            1.1
Pipeline: Input Step    pipeline-input-step            2.1
Pipeline: Milestone Step    pipeline-milestone-step            1.0
Pipeline: REST API Plugin    pipeline-rest-api            2.0
Pipeline: Stage Step    pipeline-stage-step            2.2
Pipeline: Stage View Plugin    pipeline-stage-view            2.0
Script Security Plugin    script-security            1.23
Pipeline    workflow-aggregator            2.4
Pipeline: API    workflow-api            2.4
Pipeline: Basic Steps    workflow-basic-steps            2.2
Pipeline: Groovy    workflow-cps            2.18
Pipeline: Shared Groovy Libraries    workflow-cps-global-lib            2.3
Pipeline: Nodes and Processes    workflow-durable-task-step            2.5
Pipeline: Job    workflow-job            2.7
Pipeline: Multibranch    workflow-multibranch            2.9
Pipeline: SCM Step    workflow-scm-step            2.2
Pipeline: Step API    workflow-step-api            2.4
Pipeline: Supporting APIs    workflow-support            2.6