org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException

There are no available Samebug tips for this exception. Do you have an idea how to solve this issue? A short tip would help users who saw this issue last week.

  • Hi, We have the following configuration in a matrix job: {code} <combinationFilter>label.startsWith(&apos;i386&apos;)</combinationFilter> {code} When the [Script Security Plugin|https://wiki.jenkins-ci.org/display/JENKINS/Script+Security+Plugin] is installed, we get the following error: {code} SEVERE: Failed Loading job MyJob org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method java.lang.String startsWith java.lang.String at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:150) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:77) at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:103) at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:100) at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall.callStatic(Unknown Source) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:50) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:157) at Script1.run(Script1.groovy:1) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:139) at hudson.matrix.FilterScript.evaluate(FilterScript.java:45) at hudson.matrix.FilterScript.apply(FilterScript.java:85) at hudson.matrix.Combination.evalGroovyExpression(Combination.java:101) at hudson.matrix.Combination.evalGroovyExpression(Combination.java:91) at hudson.matrix.MatrixProject.rebuildConfigurations(MatrixProject.java:638) at hudson.matrix.MatrixProject.onLoad(MatrixProject.java:505) at hudson.model.Items.load(Items.java:279) at jenkins.model.Jenkins$17.run(Jenkins.java:2673) at org.jvnet.hudson.reactor.TaskGraphBuilder$TaskImpl.run(TaskGraphBuilder.java:169) at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:282) at jenkins.model.Jenkins$7.runTask(Jenkins.java:903) at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:210) at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:117) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745) {code} *Note*: The current _workaround_ is to "_Approve_" the script via [http://<jenkins-url>/scriptApproval/]
    via by Tom Ghyselinck,
  • It's possible to create a job that Jenkins won't reload after a restart. i.e. the job "vanishes" after a reboot. A "Multi-configuration" project (aka a matrix job) can set a "Combination Filter" to restrict the combinations of axis values that will be run. This filter is a groovy expression. The job configuration page (and the Jenkins DSL plugin) allows the user to specify a filter of the form (axisName.startsWith("prefix")).implies(otherAxisName=="otherValue") This is valid groovy, and the user is allowed to "save" the result (and it works as one would expect). However, if one later restarts Jenkins, the job fails to reappear, and there's an exception in the Jenkins log saying: {quote}Failed Loading job myMatrixJob org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method java.lang.String startsWith java.lang.String at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:150) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:77) at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:103) at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:100) at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:50) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:157) at Script1.run(Script1.groovy:1) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:139) at hudson.matrix.FilterScript.evaluate(FilterScript.java:45) at hudson.matrix.FilterScript.apply(FilterScript.java:85) at hudson.matrix.Combination.evalGroovyExpression(Combination.java:101) at hudson.matrix.Combination.evalGroovyExpression(Combination.java:91) at hudson.matrix.MatrixProject.rebuildConfigurations(MatrixProject.java:638) at hudson.matrix.MatrixProject.onLoad(MatrixProject.java:505) at hudson.model.Items.load(Items.java:320) at jenkins.model.Jenkins$17.run(Jenkins.java:2651) at org.jvnet.hudson.reactor.TaskGraphBuilder$TaskImpl.run(TaskGraphBuilder.java:169) at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:282) at jenkins.model.Jenkins$7.runTask(Jenkins.java:904) at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:210) at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:117) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1176) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641) at java.lang.Thread.run(Thread.java:795){quote} Note: This is NOT a bug with the sandbox defaults (that's a separate issue) - the problem is that the security restrictions being applied when Jenkins starts up is different to the security restrictions being applied when Jenkins is running. The user should not be permitted to define a job (via the configuration page) that Jenkins later refuses to load on startup - Jenkins should not discard a job that was previously deemed valid. There are 3 factors here: - the validation is not being applied when the user edits the job, so that the user is not informed that their job definition is illegal when they enter the illegal matrix configuration. - the validation is not being applied when the job is run, so that this "illegal" code is executed despite it being "illegal". - when (on startup) a job is deemed to contain an "illegal" expression, Jenkins hides the job (from the UI) so that the user is unable to edit the job to fix the problem (I would suggest that an illegal job should be loaded and made available for editing, but builds of that job should exit with an error until it was fixed).
    via by pjdarton,
  • Inlining the script https://github.com/arun-gupta/javaee7-docker-workflow/blob/master/Jenkinsfile in Jenkins workflow builds the project successfully. But referring as a SCM script gives the following error: First time build. Skipping changelog. Running: Allocate node : Start Running on master in /var/jenkins_home/jobs/hello2/workspace Running: Allocate node : Body : Start Running: Allocate node : Body : End Running: Allocate node : End Running: End of Workflow org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:150) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:77) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:60) at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:103) at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:100) at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:15) at WorkflowScript.run(WorkflowScript:2) at Unknown.Unknown(Unknown) at ___cps.transform___(Native Method) at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:69) at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:106) at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:79) at sun.reflect.GeneratedMethodAccessor193.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72) at com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21) at com.cloudbees.groovy.cps.Next.step(Next.java:58) at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:145) at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:19) at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:33) at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:30) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:106) at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:30) at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:164) at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:271) at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$000(CpsThreadGroup.java:71) at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:180) at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:178) at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:47) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:112) at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Finished: FAILURE
    via by arungupta,
    • org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.lang.Binding hasVariable java.lang.<span class="code-object" style="color: #910091">String</span> at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:176)

    Users with the same issue

    Unknown visitor
    Unknown visitor1 times, last one,
    Unknown visitor
    Unknown visitor1 times, last one,
    Unknown visitor
    Unknown visitor1 times, last one,
    Unknown visitor
    Unknown visitor1 times, last one,