[JIRA] (JENKINS-50470) Cannot evaluate ArrayList.name inside Groovy Sandbox

owood@cloudbees.com (JIRA)

Mar 28, 2018, 6:40:02 PM
to jenkinsc...@googlegroups.com
Owen Wood created an issue
 
Jenkins / Bug JENKINS-50470
Cannot evaluate ArrayList.name inside Groovy Sandbox
Issue Type: Bug
Assignee: Andrew Bayer
Components: script-security-plugin
Created: 2018-03-28 22:39
Environment: Jenkins 2.89.x
Script Security 1.39 & 1.43
Priority: Minor
Reporter: Owen Wood

Steps to reproduce:

1. Create a freestyle job
2. Add "Execute system Groovy script" build step
3. Add content (see below)
4. Run build with "Use Groovy Sandbox" enabled.
5. Run without "Use Groovy Sandbox" enabled

Script content:

def someArrayList = []

println someArrayList.name

This works with Sandbox disabled. When enabled, the following exception is thrown:

ERROR: Build step failed with exception
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: No such field found: field java.util.ArrayList name
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.unclassifiedField(SandboxInterceptor.java:397)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:381)
	at org.kohsuke.groovy.sandbox.impl.Checker$6.call(Checker.java:288)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:292)
	at org.kohsuke.groovy.sandbox.impl.Checker$checkedGetProperty.callStatic(Unknown Source)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:230)
	at Script1.run(Script1.groovy:3)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:141)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript.evaluate(SecureGroovyScript.java:333)
	at hudson.plugins.groovy.SystemGroovy.run(SystemGroovy.java:95)
	at hudson.plugins.groovy.SystemGroovy.perform(SystemGroovy.java:59)
	at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
	at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:744)
	at hudson.model.Build$BuildExecution.build(Build.java:206)
	at hudson.model.Build$BuildExecution.doRun(Build.java:163)
	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:504)
	at hudson.model.Run.execute(Run.java:1724)
	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
	at hudson.model.ResourceController.execute(ResourceController.java:97)
	at hudson.model.Executor.run(Executor.java:429)
Build step 'Execute system Groovy script' marked build as failure
Finished: FAILURE

It looks like, outside the sandbox, groovy evaluates

someArrayList.name

to

someArrayList.collect { it.name } 

but inside the sandbox, this doesn't happen.

Feedback from Andrew:

fwiw, it's https://github.com/apache/groovy/blob/eedc6bfcd134749e7d76b05031dfbd914cec2d6e/src/main/org/codehaus/groovy/runtime/DefaultGroovyMethods.java#L7855 we need to somehow handle - we have to check the contents of the list to see if the objects in there can have that field accessed.

The workaround currently is to change to using:

someArrayList.collect { it.name }

when using the sandbox.

This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e)

andrew.bayer@gmail.com (JIRA)

Mar 29, 2018, 9:44:02 AM
to jenkinsc...@googlegroups.com
Andrew Bayer commented on Bug JENKINS-50470
 
Re: Cannot evaluate ArrayList.name inside Groovy Sandbox

So yeah, the gist here is that script-security tries to go straight to someList.getName() and onward to someList.name (the field directly), which isn't right and fails out. It should effectively be calling someList.getAt("name"), as done through MetaClassImpl.getProperty. I think we just need to get Checker.checkedGetProperty to treat a Collection receiver as if it were a spread operation (which is already supported). I'm experimenting now.

andrew.bayer@gmail.com (JIRA)

Mar 29, 2018, 10:11:01 AM
to jenkinsc...@googlegroups.com
Andrew Bayer started work on Bug JENKINS-50470
 
Change By: Andrew Bayer
Status: Open → In Progress

andrew.bayer@gmail.com (JIRA)

Mar 29, 2018, 10:12:02 AM
to jenkinsc...@googlegroups.com
 
Re: Cannot evaluate ArrayList.name inside Groovy Sandbox

Well, yeah, that turned out to be pretty simple. PRs up.

jglick@cloudbees.com (JIRA)

Apr 3, 2018, 6:26:02 PM
to jenkinsc...@googlegroups.com

Would never have dreamed that this would be legal Groovy. Ugh.

scm_issue_link@java.net (JIRA)

Apr 12, 2018, 1:10:02 PM
to jenkinsc...@googlegroups.com

Code changed in jenkins
User: Andrew Bayer
Path:
pom.xml
src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java
http://jenkins-ci.org/commit/script-security-plugin/f7601abde0df3fec15be935ad95473959185f0a4
Log:
[FIXED JENKINS-50470] Treat someList.someField as spread.

See upstream PR at
https://github.com/jenkinsci/groovy-sandbox/pull/46, but the gist is
that Groovy's normal behavior for this is to treat it the same as we
do spread cases - iterate over the list to get the value from each
object in the list and return the resulting list.

andrew.bayer@gmail.com (JIRA)

Apr 12, 2018, 1:12:01 PM
to jenkinsc...@googlegroups.com
 

Will be in next release of script-security, presumably 1.44.

Change By: Andrew Bayer
Status: In Review → Resolved
Resolution: Fixed

alex@varju.ca (JIRA)

May 7, 2018, 9:34:02 PM
to jenkinsc...@googlegroups.com
Alex Varju commented on Bug JENKINS-50470
 
Re: Cannot evaluate ArrayList.name inside Groovy Sandbox

I'm seeing very similar behaviour with 1.44.  In my freestyle job I've got this Groovy:

def someList = [1, 2, 3]
println someList.size

When the sandbox is enabled, this ends up throwing:

RejectedAccessException: No such field found: field java.lang.Integer size

Changing the list to contain strings changes the error to:

RejectedAccessException: No such field found: field java.lang.String size

mmicu0@gmail.com (JIRA)

May 23, 2018, 7:49:02 AM
to jenkinsc...@googlegroups.com

Alex Varju, did you solve the issue? I have your same problem.

alex@varju.ca (JIRA)

May 23, 2018, 12:32:03 PM
to jenkinsc...@googlegroups.com

Unfortunately, no. In the case above, I had to refactor my code to use `someList.size()`

Since commenting previously, I've encountered at least one other example of a similar failure:

def tuple = new Tuple2( 'a', 'b' )
println tuple.first

Which results in:

RejectedAccessException: No such field found: field java.lang.String first

And again, changing tuple.first to tuple.getFirst() works around the issue.
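
The two lookup orders contrasted in this thread, as an added Groovy sketch to run with plain `groovy` outside Jenkins; it is not script-security's code. `Host`, `allowed`, `checkedRead`, `spreadFirst` and `receiverFirst` are hypothetical names, `SecurityException` stands in for `RejectedAccessException`, and `spreadFirst` is an assumption about the ordering suggested by the errors reported against 1.44.

```groovy
import org.codehaus.groovy.runtime.InvokerHelper

class Host { String name }                      // constructed sample type

// Constructed allowlist of permitted "Class#property" reads (hypothetical).
def allowed = ['Host#name', 'groovy.lang.Tuple2#first'] as Set

// Permit or reject one property read; the message mimics the errors quoted above.
def checkedRead = { Object target, String prop ->
    String type = target.getClass().name
    if (!allowed.contains(type + '#' + prop)) {
        throw new SecurityException('No such field found: field ' + type + ' ' + prop)
    }
    InvokerHelper.getProperty(target, prop)
}

// Order 1: any Collection receiver is spread before its own properties are tried.
def spreadFirst = { Object receiver, String prop ->
    if (receiver instanceof Collection) {
        return receiver.collect { checkedRead(it, prop) }
    }
    checkedRead(receiver, prop)
}

// Order 2: the receiver's own property wins; spread only when it has none.
def receiverFirst = { Object receiver, String prop ->
    def own = InvokerHelper.getMetaClass(receiver).hasProperty(receiver, prop)
    if (own == null && receiver instanceof Collection) {
        return receiver.collect { checkedRead(it, prop) }
    }
    checkedRead(receiver, prop)
}

def hosts = [new Host(name: 'a'), new Host(name: 'b')]
def tuple = new Tuple2('a', 'b')                // Tuple2 is itself a List

// A list with no 'name' property of its own spreads under either order.
assert spreadFirst(hosts, 'name') == ['a', 'b']
assert receiverFirst(hosts, 'name') == ['a', 'b']
assert spreadFirst([], 'name') == []

// Tuple2 has getFirst(): receiver-first reads it, spread-first asks each element.
assert receiverFirst(tuple, 'first') == 'a'
def rejected = null
try { spreadFirst(tuple, 'first') } catch (SecurityException e) { rejected = e.message }
assert rejected == 'No such field found: field java.lang.String first'
```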

burmistrovda@gmail.com (JIRA)

Jun 29, 2018, 6:40:02 AM
to jenkinsc...@googlegroups.com

I faced the same issue at 1.44

 

println 'test,value'.tokenize(',').size
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: No such field found: field java.lang.String size

It works with 1.42. Workaround is to use `size()` instead


smurugesh1686@gmail.com (JIRA)

Apr 14, 2020, 2:35:06 PM
to jenkinsc...@googlegroups.com

I am facing the same issue at 1.71

I am using FolderProperties in Pipeline job

In my pipeline jenkins Code:
      withFolderProperties{ echo "URL STEP 1: ${env.testURL}" }
Getting below error:


org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: No such field found: field java.lang.String testURL

Any workaround?
