Re: Jenkins test

Murrell, Brian

On Wed, 2022-03-02 at 17:29 -0800, dongfeier wrote:
> Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.lang.Object java.lang.String.
Ultimately this means that some code in an untrusted shared library is
trying to access a non-whitelisted groovy function.

> Administrators can decide whether to approve or reject this
> signature. ( http://172.20.18.132:8080/scriptApproval )
You *could* do the above with the security implications it involves,
but the correct solution is to use whitelisted methods.

> Error when executing unsuccessful post condition:
> org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.lang.Object java.lang.String
This is the method that is not whitelisted.

>         at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectStaticMethod(StaticWhitelist.java:279)
>         at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetArray(SandboxInterceptor.java:476)
>         at org.kohsuke.groovy.sandbox.impl.Checker$11.call(Checker.java:484)
>         at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetArray(Checker.java:489)
>         at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.getArray(SandboxInvoker.java:45)
>         at com.cloudbees.groovy.cps.impl.ArrayAccessBlock.rawGet(ArrayAccessBlock.java:21)
>         at notifyBrokenBranch.call(notifyBrokenBranch.groovy:37)
And this is where it's being called from. It's here:

https://github.com/daos-stack/pipeline-lib/blob/03a6dd8f16808094e2ba2971e839707cd690c0a5/vars/notifyBrokenBranch.groovy#L37

It's the use of env[] that is the problem. One solution here is to
move that function to the trusted library at:

https://github.com/daos-stack/trusted-pipeline-lib

But it seems a more correct solution is to replace the env[NAME]
accesses with env."NAME", as this (completely untested) PR does:

https://github.com/daos-stack/pipeline-lib/pull/291

Cheers,
b.
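Added example (not part of the thread, not code from daos-stack/pipeline-lib and not the PR's diff): a hypothetical untrusted shared-library step that reads a runtime-named environment variable the way the PR proposes, with the sandbox-rejected subscript form kept in a comment for comparison. It assumes a Jenkins controller with the Pipeline plugins and the Mailer plugin's `mail` step; the step name, variable names and message text are illustrative.

```groovy
// vars/notifyBranchStatus.groovy  (hypothetical shared-library step, added
// example). Loaded as an *untrusted* library it runs inside the script-security
// sandbox, so every method it reaches must already be whitelisted; nothing here
// should require an administrator to approve a signature on /scriptApproval.

/**
 * Reads an environment variable whose name is only known at runtime.
 *
 * env[varName] compiles to DefaultGroovyMethods.getAt(Object, String), the
 * exact static-method signature the sandbox rejected in the thread. Dynamic
 * property access compiles to env.getProperty(String) instead, which the
 * sandbox permits on the pipeline env object.
 */
String envValue(String varName, String defaultValue = null) {
    // Rejected form, kept for comparison only (would throw RejectedAccessException):
    //   String value = env[varName]
    String value = env."${varName}"          // permitted form, as in the PR
    return value ?: defaultValue             // an unset variable comes back as null
}

/**
 * call(): mails the recipients listed in the variable named by recipientsVar.
 * Fixed names such as env.BRANCH_NAME never needed a dynamic lookup at all.
 */
def call(Map args = [:]) {
    String branch     = env.BRANCH_NAME ?: 'unknown'
    String result     = currentBuild.currentResult
    String recipients = envValue(args.recipientsVar ?: 'BRANCH_NOTIFY_TO')

    if (!recipients) {
        echo "No recipients configured for ${branch}; nothing to notify"
        return
    }

    // `mail` is the Mailer plugin's step (assumed installed).
    mail to:      recipients,
         subject: "[${env.JOB_NAME}] ${branch} is ${result}",
         body:    "Build ${env.BUILD_NUMBER} finished ${result}: ${env.BUILD_URL}"
}
```

A Jenkinsfile that loads the library would call it from a post block, for example `post { failure { notifyBranchStatus recipientsVar: 'TEAM_NOTIFY_TO' } }`. Keeping the step in the untrusted library with whitelisted calls is preferable to either moving it to the trusted library (which removes sandboxing for that code entirely) or approving `DefaultGroovyMethods getAt` on the script-approval page, since an approved signature becomes available to every sandboxed script on the controller.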
