[JIRA] (JENKINS-42192) permissive-security-script plugin should not log full stacktrace

squalou.jenkins@gmail.com (JIRA)

Feb 20, 2017, 5:01:01 AM
to jenkinsc...@googlegroups.com
squalou jenkins created an issue
 
Jenkins / Bug JENKINS-42192
permissive-security-script plugin should not log full stacktrace
Issue Type: Bug
Assignee: Oliver Gondža
Components: permissive-script-security-plugin
Created: 2017/Feb/20 10:00 AM
Environment: jenkins 2.32.2 (server on redhat linux 7.2)
Priority: Minor
Reporter: squalou jenkins

Hi,

the plugin runs perfectly BUT it has a tendency to spam jenkins' log files with useless stacktraces.
These messages are on level 'INFO', for sure, but it's still a lot of noise for nothing.

INFO: Unsecure signature found: staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint
        at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectStaticMethod(StaticWhitelist.java:190)
        at org.jenkinsci.plugins.permissivescriptsecurity.PermissiveWhitelist.permitsStaticMethod(PermissiveWhitelist.java:63)
        at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.ProxyWhitelist.permitsStaticMethod(ProxyWhitelist.java:140)
        at org.jenkinsci.plugins.workflow.cps.GroovyClassLoaderWhitelist.permitsStaticMethod(GroovyClassLoaderWhitelist.java:60)
        at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onStaticCall(SandboxInterceptor.java:139)
        at org.kohsuke.groovy.sandbox.impl.Checker$2.call(Checker.java:180)
        at org.kohsuke.groovy.sandbox.impl.Checker.checkedStaticCall(Checker.java:177)
        at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:91)
        at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:16)
        at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:57)
        at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:109)
        at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixName(FunctionCallBlock.java:77)
        at sun.reflect.GeneratedMethodAccessor127.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
        at com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21)
        at com.cloudbees.groovy.cps.Next.step(Next.java:58)
        at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:154)
        at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:18)
        at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:33)
        at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:30)
        at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:108)
        at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:30)

Having the exception message would be enough:

INFO: Unsecure signature found: staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint

It sure is a minor issue ... yet when looking for real errors in log files it's painful to skip all these stacks.

Why not add the full log message when the logging level is set to DEBUG?

This message was sent by Atlassian JIRA (v7.1.7#71011-sha1:2526d7c)
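
The log layout quoted in the report above can be condensed after the fact. The following is an added example, not part of the original thread or the plugin's code: it keeps each "Unsecure signature found" INFO line, drops the RejectedAccessException line and its stack frames, leaves unrelated stack traces intact, and counts how often each signature was hit. The sample log, the `digest` and `_entry` names, and the `method java.io.File delete` signature are constructed for illustration.

```python
import re
from collections import Counter

HEADER = re.compile(r"Unsecure signature found: (?P<sig>.+?)\s*$")
REJECTED = "org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException:"
# Continuation lines of a Java stack trace: frames, "... N more", "Caused by:".
TRACE = re.compile(r"^\s+at \S|^\s+\.\.\. \d+ more|^Caused by: ")


def digest(lines):
    """Return (condensed_lines, Counter of rejected signatures)."""
    kept, seen = [], Counter()
    in_rejection = False
    for line in lines:
        m = HEADER.search(line)
        if m:
            seen[m.group("sig")] += 1
            in_rejection = True
            kept.append(line)          # keep the one-line INFO message
            continue
        if in_rejection and (line.startswith(REJECTED) or TRACE.match(line)):
            continue                   # drop the exception line and its frames
        in_rejection = False           # anything else ends the rejection entry
        kept.append(line)
    return kept, seen


SAFEPOINT = "staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint"

def _entry(sig):
    # Constructed entry in the layout quoted in the report (two frames only).
    return [
        f"INFO: Unsecure signature found: {sig}",
        f"{REJECTED} Scripts not permitted to use {sig}",
        "        at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectStaticMethod(StaticWhitelist.java:190)",
        "        at org.jenkinsci.plugins.permissivescriptsecurity.PermissiveWhitelist.permitsStaticMethod(PermissiveWhitelist.java:63)",
    ]

# Constructed sample log: three rejections around one unrelated error.
SAMPLE = (_entry(SAFEPOINT)
          + ["SEVERE: constructed unrelated failure",
             "java.io.IOException: constructed",
             "        at example.Build.run(Build.java:1)"]
          + _entry("method java.io.File delete")
          + _entry(SAFEPOINT))

if __name__ == "__main__":
    kept, seen = digest(SAMPLE)
    print("\n".join(kept))
    for sig, n in seen.most_common():
        print(f"{n:4d}  {sig}")
```

The per-signature counts give an administrator the list of sandbox rejections to review without reading every trace.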

ogondza@gmail.com (JIRA)

Feb 20, 2017, 7:44:02 AM
to jenkinsc...@googlegroups.com
Oliver Gondža commented on Bug JENKINS-42192
 
Re: permissive-security-script plugin should not log full stacktrace

I agree, the reason I want it to print the full stacktrace is so that admins have an idea where it came from so they can do something about that. BTW, I would like to discourage you from using this plugin to circumvent pipeline security - that is not what it is meant to do.

squalou.jenkins@gmail.com (JIRA)

Feb 20, 2017, 11:00:01 AM
to jenkinsc...@googlegroups.com
squalou jenkins edited a comment on Bug JENKINS-42192
What was it meant to do then ? :-)

half joking, but seriously : you can call a 'sh' which will rm -rf anything, with no security issue, so I personally think that the 'approval' thing is just a useless pain. Great thing that this plugin is available.

I use the plugin to have things work for a while, and once all the typical jobs have run (without blocking): I store the approved lists and remove the plugin. When managing over 80 instances, you can imagine how this plugin is helpful!

regs@akom.net (JIRA)

Sep 11, 2018, 12:00:02 PM
to jenkinsc...@googlegroups.com

I'm still seeing this today with plugin version 0.3 and Jenkins 2.141 :
Sep 11, 2018 8:51:24 AM INFO org.jenkinsci.plugins.permissivescriptsecurity.PermissiveWhitelist$Mode$2 act


Unsecure signature found: staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint

 

No matter how many times I've approved this signature in scriptApproval, this still keeps appearing.

ogondza@gmail.com (JIRA)

Mar 18, 2019, 7:10:03 AM
to jenkinsc...@googlegroups.com
Oliver Gondža commented on Bug JENKINS-42192
 
Re: permissive-security-script plugin should not log full stacktrace

Alexander Komarov, based on the stacktrace it appears your config is -Dpermissive-script-security.enabled=true and not -Dpermissive-script-security.enabled=no_security. Put differently, the plugin is still expected to be chatty about sandbox violations when configured with true, no_security is here to turn it off completely. Be sure to check the plugin page for implications: https://plugins.jenkins.io/permissive-script-security

regs@akom.net (JIRA)

Mar 18, 2019, 10:35:02 AM
to jenkinsc...@googlegroups.com
Alexander Komarov commented on Bug JENKINS-42192
 
Re: permissive-security-script plugin should not log full stacktrace

Oliver Gondža thank you for the clarification, I failed to read the docs carefully.

prachikhadke@gmail.com (JIRA)

May 2, 2019, 8:08:02 PM
to jenkinsc...@googlegroups.com

Oliver Gondža setting -Dpermissive-script-security.enabled=no_security means turning off security completely. Isn't there a way to keep the security turned on but still prevent the scriptApproval from appearing every time? I've approved other signatures for my pipeline scripts in the past without having to re-approve repeatedly. The fact that the scriptApproval keeps reappearing despite explicit approval seems like a bug.

ogondza@gmail.com (JIRA)

May 3, 2019, 2:31:03 AM
to jenkinsc...@googlegroups.com

Prachi Khadke, Can you be more specific? What this plugin does is turning the security off. If you want it on and there is something that does not work the way you like, I believe that is a FRE for script-security plugin itself.

prachikhadke@gmail.com (JIRA)

May 3, 2019, 11:26:04 AM
to jenkinsc...@googlegroups.com
Prachi Khadke edited a comment on Bug JENKINS-42192
 

I am having the same problem as Alexander Komarov.

Scripts not permitted to use staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint.
Administrators can decide whether to approve or reject this signature.

I have approved the signature several times without any difference. My build still fails with the same error. Also tried setting `-Dpermissive-script-security.enabled=no_security` in the `/etc/sysconfig/jenkins` config file to no avail.

But my point is the fact that the build failing with the error above despite approving the signature is a bug. I shouldn't have to disable permissive script security for my builds to run. And I should be able to approve operations that I can explicitly allow to run within the sandbox.

sharkannon@gmail.com (JIRA)

May 6, 2019, 11:35:02 AM
to jenkinsc...@googlegroups.com
Stephen Herd edited a comment on Bug JENKINS-42192
I believe one of the most recent plugin changes to Jenkins has changed this behavior since this used to work just fine but in the last week or so. Unfortunately I'm not sure which plugin may be conflicting with the permissive script plugin.

Versions:

Jenkins: 1.164.2 LTS
Permissive Script Security Plugin: 0.3
Script Security Plugin: 1.58

We have about 30 other plugins as well, just thought these would be the most relevant.