org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method java.lang.String startsWith java.lang.String

Jenkins JIRA | pjdarton | 1 year ago
  1. 0

    It's possible to create a job that Jenkins won't reload after a restart. i.e. the job "vanishes" after a reboot. A "Multi-configuration" project (aka a matrix job) can set a "Combination Filter" to restrict the combinations of axis values that will be run. This filter is a groovy expression. The job configuration page (and the Jenkins DSL plugin) allows the user to specify a filter of the form (axisName.startsWith("prefix")).implies(otherAxisName=="otherValue") This is valid groovy, and the user is allowed to "save" the result (and it works as one would expect). However, if one later restarts Jenkins, the job fails to reappear, and there's an exception in the Jenkins log saying: {quote}Failed Loading job myMatrixJob org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method java.lang.String startsWith java.lang.String at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:150) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:77) at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:103) at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:100) at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:50) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:157) at Script1.run(Script1.groovy:1) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:139) at hudson.matrix.FilterScript.evaluate(FilterScript.java:45) at hudson.matrix.FilterScript.apply(FilterScript.java:85) at hudson.matrix.Combination.evalGroovyExpression(Combination.java:101) at hudson.matrix.Combination.evalGroovyExpression(Combination.java:91) at hudson.matrix.MatrixProject.rebuildConfigurations(MatrixProject.java:638) at hudson.matrix.MatrixProject.onLoad(MatrixProject.java:505) at hudson.model.Items.load(Items.java:320) at jenkins.model.Jenkins$17.run(Jenkins.java:2651) at org.jvnet.hudson.reactor.TaskGraphBuilder$TaskImpl.run(TaskGraphBuilder.java:169) at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:282) at jenkins.model.Jenkins$7.runTask(Jenkins.java:904) at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:210) at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:117) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1176) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641) at java.lang.Thread.run(Thread.java:795){quote} Note: This is NOT a bug with the sandbox defaults (that's a separate issue) - the problem is that the security restrictions being applied when Jenkins starts up is different to the security restrictions being applied when Jenkins is running. The user should not be permitted to define a job (via the configuration page) that Jenkins later refuses to load on startup - Jenkins should not discard a job that was previously deemed valid. There are 3 factors here: - the validation is not being applied when the user edits the job, so that the user is not informed that their job definition is illegal when they enter the illegal matrix configuration. - the validation is not being applied when the job is run, so that this "illegal" code is executed despite it being "illegal". - when (on startup) a job is deemed to contain an "illegal" expression, Jenkins hides the job (from the UI) so that the user is unable to edit the job to fix the problem (I would suggest that an illegal job should be loaded and made available for editing, but builds of that job should exit with an error until it was fixed).

    Jenkins JIRA | 1 year ago | pjdarton
    org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method java.lang.String startsWith java.lang.String
  2. 0

    It's possible to create a job that Jenkins won't reload after a restart. i.e. the job "vanishes" after a reboot. A "Multi-configuration" project (aka a matrix job) can set a "Combination Filter" to restrict the combinations of axis values that will be run. This filter is a groovy expression. The job configuration page (and the Jenkins DSL plugin) allows the user to specify a filter of the form (axisName.startsWith("prefix")).implies(otherAxisName=="otherValue") This is valid groovy, and the user is allowed to "save" the result (and it works as one would expect). However, if one later restarts Jenkins, the job fails to reappear, and there's an exception in the Jenkins log saying: {quote}Failed Loading job myMatrixJob org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method java.lang.String startsWith java.lang.String at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:150) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:77) at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:103) at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:100) at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:50) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:157) at Script1.run(Script1.groovy:1) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:139) at hudson.matrix.FilterScript.evaluate(FilterScript.java:45) at hudson.matrix.FilterScript.apply(FilterScript.java:85) at hudson.matrix.Combination.evalGroovyExpression(Combination.java:101) at hudson.matrix.Combination.evalGroovyExpression(Combination.java:91) at hudson.matrix.MatrixProject.rebuildConfigurations(MatrixProject.java:638) at hudson.matrix.MatrixProject.onLoad(MatrixProject.java:505) at hudson.model.Items.load(Items.java:320) at jenkins.model.Jenkins$17.run(Jenkins.java:2651) at org.jvnet.hudson.reactor.TaskGraphBuilder$TaskImpl.run(TaskGraphBuilder.java:169) at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:282) at jenkins.model.Jenkins$7.runTask(Jenkins.java:904) at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:210) at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:117) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1176) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641) at java.lang.Thread.run(Thread.java:795){quote} Note: This is NOT a bug with the sandbox defaults (that's a separate issue) - the problem is that the security restrictions being applied when Jenkins starts up is different to the security restrictions being applied when Jenkins is running. The user should not be permitted to define a job (via the configuration page) that Jenkins later refuses to load on startup - Jenkins should not discard a job that was previously deemed valid. There are 3 factors here: - the validation is not being applied when the user edits the job, so that the user is not informed that their job definition is illegal when they enter the illegal matrix configuration. - the validation is not being applied when the job is run, so that this "illegal" code is executed despite it being "illegal". - when (on startup) a job is deemed to contain an "illegal" expression, Jenkins hides the job (from the UI) so that the user is unable to edit the job to fix the problem (I would suggest that an illegal job should be loaded and made available for editing, but builds of that job should exit with an error until it was fixed).

    Jenkins JIRA | 1 year ago | pjdarton
    org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method java.lang.String startsWith java.lang.String
  3. 0

    [JIRA] (JENKINS-39675) unclassified method hudson.plugins.git.GitChangeSetList getMsg

    Google Groups | 3 weeks ago | jmc...@privacystar.com (JIRA)
    org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: unclassified method hudson.plugins.git.GitChangeSetList getMsg
  4. Speed up your debug routine!

    Automated exception search integrated into your IDE

  5. 0

    Hi, We have the following configuration in a matrix job: {code} <combinationFilter>label.startsWith(&apos;i386&apos;)</combinationFilter> {code} When the [Script Security Plugin|https://wiki.jenkins-ci.org/display/JENKINS/Script+Security+Plugin] is installed, we get the following error: {code} SEVERE: Failed Loading job MyJob org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method java.lang.String startsWith java.lang.String at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:150) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:77) at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:103) at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:100) at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall.callStatic(Unknown Source) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:50) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:157) at Script1.run(Script1.groovy:1) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:139) at hudson.matrix.FilterScript.evaluate(FilterScript.java:45) at hudson.matrix.FilterScript.apply(FilterScript.java:85) at hudson.matrix.Combination.evalGroovyExpression(Combination.java:101) at hudson.matrix.Combination.evalGroovyExpression(Combination.java:91) at hudson.matrix.MatrixProject.rebuildConfigurations(MatrixProject.java:638) at hudson.matrix.MatrixProject.onLoad(MatrixProject.java:505) at hudson.model.Items.load(Items.java:279) at jenkins.model.Jenkins$17.run(Jenkins.java:2673) at org.jvnet.hudson.reactor.TaskGraphBuilder$TaskImpl.run(TaskGraphBuilder.java:169) at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:282) at jenkins.model.Jenkins$7.runTask(Jenkins.java:903) at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:210) at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:117) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745) {code} *Note*: The current _workaround_ is to "_Approve_" the script via [http://<jenkins-url>/scriptApproval/]

    Jenkins JIRA | 2 years ago | Tom Ghyselinck
    org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method java.lang.String startsWith java.lang.String
  6. 0

    Hi, We have the following configuration in a matrix job: {code} <combinationFilter>label.startsWith(&apos;i386&apos;)</combinationFilter> {code} When the [Script Security Plugin|https://wiki.jenkins-ci.org/display/JENKINS/Script+Security+Plugin] is installed, we get the following error: {code} SEVERE: Failed Loading job MyJob org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method java.lang.String startsWith java.lang.String at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:150) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:77) at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:103) at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:100) at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall.callStatic(Unknown Source) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:50) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:157) at Script1.run(Script1.groovy:1) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:139) at hudson.matrix.FilterScript.evaluate(FilterScript.java:45) at hudson.matrix.FilterScript.apply(FilterScript.java:85) at hudson.matrix.Combination.evalGroovyExpression(Combination.java:101) at hudson.matrix.Combination.evalGroovyExpression(Combination.java:91) at hudson.matrix.MatrixProject.rebuildConfigurations(MatrixProject.java:638) at hudson.matrix.MatrixProject.onLoad(MatrixProject.java:505) at hudson.model.Items.load(Items.java:279) at jenkins.model.Jenkins$17.run(Jenkins.java:2673) at org.jvnet.hudson.reactor.TaskGraphBuilder$TaskImpl.run(TaskGraphBuilder.java:169) at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:282) at jenkins.model.Jenkins$7.runTask(Jenkins.java:903) at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:210) at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:117) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745) {code} *Note*: The current _workaround_ is to "_Approve_" the script via [http://<jenkins-url>/scriptApproval/]

    Jenkins JIRA | 2 years ago | Tom Ghyselinck
    org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method java.lang.String startsWith java.lang.String

    7 unregistered visitors
    Not finding the right solution?
    Take a tour to get the most out of Samebug.

    Tired of useless tips?

    Automated exception search integrated into your IDE

    Root Cause Analysis

    1. org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException

      Scripts not permitted to use method java.lang.String startsWith java.lang.String

      at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod()
    2. org.jenkinsci.plugins
      SandboxInterceptor.onMethodCall
      1. org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:150)
      2. org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:77)
      2 frames
    3. org.kohsuke.groovy
      Checker$checkedCall$0.callStatic
      1. org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:103)
      2. org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:100)
      3. org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source)
      3 frames
    4. Groovy
      AbstractCallSite.callStatic
      1. org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:50)
      2. org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:157)
      2 frames
    5. Unknown
      Script1.run
      1. Script1.run(Script1.groovy:1)
      1 frame
    6. org.jenkinsci.plugins
      GroovySandbox.run
      1. org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:139)
      1 frame
    7. Hudson
      Items.load
      1. hudson.matrix.FilterScript.evaluate(FilterScript.java:45)
      2. hudson.matrix.FilterScript.apply(FilterScript.java:85)
      3. hudson.matrix.Combination.evalGroovyExpression(Combination.java:101)
      4. hudson.matrix.Combination.evalGroovyExpression(Combination.java:91)
      5. hudson.matrix.MatrixProject.rebuildConfigurations(MatrixProject.java:638)
      6. hudson.matrix.MatrixProject.onLoad(MatrixProject.java:505)
      7. hudson.model.Items.load(Items.java:320)
      7 frames
    8. jenkins.model
      Jenkins$17.run
      1. jenkins.model.Jenkins$17.run(Jenkins.java:2651)
      1 frame
    9. init
      Reactor.runTask
      1. org.jvnet.hudson.reactor.TaskGraphBuilder$TaskImpl.run(TaskGraphBuilder.java:169)
      2. org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:282)
      2 frames
    10. jenkins.model
      Jenkins$7.runTask
      1. jenkins.model.Jenkins$7.runTask(Jenkins.java:904)
      1 frame
    11. init
      Reactor$Node.run
      1. org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:210)
      2. org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:117)
      2 frames
    12. Java RT
      ThreadPoolExecutor$Worker.run
      1. java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1176)
      2. java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
      2 frames