4

In a Jenkinsfile using a shared library (configured on a Jenkins folder/untrusted) I have the following line:

def itemTime = Instant.parse("2018-02-27T13:33:36Z")

When I run my pipeline I get:

org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod java.time.Instant parse java.lang.CharSequence
    at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectStaticMethod(StaticWhitelist.java:189)
    at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onStaticCall(SandboxInterceptor.java:150)
    at org.kohsuke.groovy.sandbox.impl.Checker$2.call(Checker.java:184)
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedStaticCall(Checker.java:188)

Of course I can manually approve the script method:

staticMethod java.time.Instant parse java.lang.CharSequence

on the Jenkins master and I also looked at:

Jenkins CI Pipeline Scripts not permitted to use method groovy.lang.GroovyObject

But:

  1. Why is that method blacklisted in the first place?
  2. How do I parse the above date using only white listed methods?
u123

1 Answer

6

It's not that this method is blacklisted - Jenkins' Security Plugin requires whitelisting methods that can be used in the Groovy sandbox. Here you can find a list of all methods whitelisted by default:

https://github.com/jenkinsci/script-security-plugin/blob/master/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist

The reason behind this is to provide the highest possible security when running Jenkins builds. If all methods were available by default, users could run malicious scripts that break other builds or the Jenkins server in general.

Of course the downside is that Jenkins Security Plugin developers cannot think about all possible methods that should be whitelisted, and that's why the script approval option was given to Jenkins administrators - any time a RejectedAccessException is thrown in the build, in-process script approval awaits with the method signature to approve it and whitelist it for later usage.

No method from the Instant class is whitelisted, even things like

Instant.now();

which does not cause any side effects and returns an immutable object. But this is the price of a cut-all policy that allows just a small (~550) subset of methods.

Answering your second question - approving Instant.parse() is actually the only way to proceed. If you try:

Date.parse("yyyy-MM-dd'T'HH:mm:ssZ", "2018-02-27T13:33:36Z")

or

new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ssZ").parse("2018-02-27T13:33:36Z")

you will get another RejectedAccessException and a method signature to approve, so approving Instant.parse() once and using it anytime is the most effective way.

Szymon Stepniak
  • 2
    Approve what you need and file a pull request against `generic-whitelist` to add anything you felt should have been there to begin with. – Jesse Glick Apr 17 '18 at 20:15
  • It was [very easy to submit this](https://github.com/jenkinsci/script-security-plugin/pull/242) – danblack Apr 05 '19 at 05:14
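
As an added example (not part of the posts above and not code from the Script Security plugin): a Python helper that pulls rejected signatures out of a build console log in the form the question shows, then separates those already on a locally kept list of reviewed signatures from those an administrator still has to look at. The reviewed-list format, the function names and every sample line except the first log line are assumptions made for this example.

```python
import re

# Signature kinds that can start an entry (the page shows "staticMethod").
KINDS = ("staticMethod", "method", "new", "staticField", "field")
REJECTED = re.compile(
    r"RejectedAccessException: Scripts not permitted to use ((?:%s) .+)" % "|".join(KINDS))

def parse_signature(sig):
    """Split 'kind class [member] [arg types...]' into its parts."""
    kind, cls, *rest = sig.split()
    if kind not in KINDS:
        raise ValueError("unknown signature kind: " + kind)
    if kind == "new":                      # constructors carry no member name
        return {"kind": kind, "class": cls, "member": None, "args": rest}
    if not rest:
        raise ValueError("missing member name: " + sig)
    return {"kind": kind, "class": cls, "member": rest[0], "args": rest[1:]}

def rejected_signatures(log_text):
    """Unique rejected signatures, in first-seen order."""
    seen = []
    for line in log_text.splitlines():
        m = REJECTED.search(line)
        if not m:
            continue
        # Assumption: a message may end with a parenthesised note; drop it.
        sig = " ".join(re.sub(r"\s*\(.*\)\s*$", "", m.group(1)).split())
        parse_signature(sig)               # validate the shape before reporting
        if sig not in seen:
            seen.append(sig)
    return seen

def load_reviewed(text):
    """Reviewed signatures, one per line; blank lines and '#' comments skipped."""
    return {" ".join(l.split()) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}

def triage(log_text, reviewed_text):
    reviewed = load_reviewed(reviewed_text)
    sigs = rejected_signatures(log_text)
    return ([s for s in sigs if s in reviewed], [s for s in sigs if s not in reviewed])

# Constructed sample input: only the first log line is taken from the question.
SAMPLE_LOG = """\
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod java.time.Instant parse java.lang.CharSequence
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use new java.text.SimpleDateFormat java.lang.String
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod java.time.Instant parse java.lang.CharSequence
"""
SAMPLE_REVIEWED = "# constructed list\nnew java.text.SimpleDateFormat java.lang.String\n"
```

`triage(SAMPLE_LOG, SAMPLE_REVIEWED)` returns the already-reviewed signatures first and the ones still needing review second; the duplicate `Instant.parse` rejection is reported once.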