I don't think it is safe to whitelist the Java File object or its methods.

Is there a reason you're not relying on the ability of the dir step to
create a directory if one does not exist?  Refer to
https://stackoverflow.com/questions/42654875/jenkins-pipeline-create-directory
for the Stack Overflow comments.

I wrote the following small test that seems to create a directory, add
contents, then remove the directory, using the DSL rather than using Java
File methods.

node('!windows') {
    echo 'entering'
    sh 'ls -alrR'
    echo 'deleting contents'
    deleteDir()
    echo 'after content delete'
    sh 'ls -alrR'
    dir('some-dir') {
        sh 'date >> datefile'
    }
    echo 'after content create'
    sh 'ls -alrR'
}

On Wed, Mar 20, 2019 at 8:24 PM Jan Monterrubio <[email protected]>
wrote:

> There’s an admin view for white listing method calls. If you don’t have
> admin access you can’t see it.
>
> On Wed, Mar 20, 2019 at 14:03 Guybrush Threepwood <[email protected]>
> wrote:
>
>> Hello, I have a Jenkins file as part of a multibranch pipeline, but I'm
>> getting security issues when trying to create a directory inside the
>> workspace. How can I either disable the sandbox for this pipeline or whitelist
>> the methods I need to use from my code?
>> Thanks.
>> This is the code:
>> ============================================================
>> import java.io.File;
>> import java.io.IOException;
>> import org.apache.commons.io.FileUtils;
>>
>> //autocancelled = false
>> node ('AnsibleBuild') {
>>         try {
>>         checkout scm
>>         def versions = readJSON file: 'versions.json'
>>                 stage('Getting Python source Code') {
>>                         echo " before del try"
>>                                 try {
>>                                         echo "inside try";
>>                                         *File f = new File("python");*
>>                                         echo "after new file";
>>                                         //FileUtils.cleanDirectory(f); //clean out directory (this is optional -- but good know)
>>                                         FileUtils.forceDelete(f); //delete directory
>>                                         //FileUtils.forceMkdir(f); //create directory
>>                                 }
>>                                 catch (IOException e) {
>>                                         echo "pinazo cleaning python"
>>                                         echo e.getStackTrace();
>>                                 } // catch delete dir
>>                          echo "Despues del try"
>>                          sh 'pwd'
>>                          sh 'ls -la'
>>                          sh 'mkdir python'
>>                                 dir("python") {
>>                                         echo 'Downloading Python code from: https://www.python.org/ftp/python/3.7.2/Python-3.7.2.tgz'
>>                                         sh 'curl https://www.python.org/ftp/python/3.7.2/Python-3.7.2.tgz -o Python-3.7.2.tgz'
>>                                         sh 'file Python-3.7.2.tgz' // needs to be checked that we downloaded a tgz file
>>                                         sh 'tar -xzvf Python-3.7.2.tgz'
>>                                 } //dir python
>>                 } // stage
>>         currentBuild.result = 'SUCCESS'
>>         } //try node
>>         catch (e) {
>>                 echo "General Fostion";
>>                 echo "trace General" + e.getStackTrace();
>>                 currentBuild.result = 'FAILURE'
>>         } //end catch
>> try {
>>   echo "Cleaning WS"
>>   dir('python') {
>>         deleteDir()
>>         }
>> } //try clean WS
>> catch (e) {
>>         echo "Error Cleaning WS";
>>         echo "trace cleaning" + e.getStackTrace();
>>         currentBuild.result = 'FAILURE'
>> } //catch clean WS
>> } //node
>> ========================================================
>>
>> And I'm getting an error for line 14:
>>
>> trace General[org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectNew(StaticWhitelist.java:184),
>>  org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onNewInstance(SandboxInterceptor.java:170),
>>  org.kohsuke.groovy.sandbox.impl.Checker$3.call(Checker.java:197),
>>  org.kohsuke.groovy.sandbox.impl.Checker.checkedConstructor(Checker.java:202),
>>  com.cloudbees.groovy.cps.sandbox.SandboxInvoker.constructorCall(SandboxInvoker.java:21),
>>  WorkflowScript.run(WorkflowScript:14),
>>  ___cps.transform___(Native Method),
>>  com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:96),
>>  com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:82),
>>  sun.reflect.GeneratedMethodAccessor148.invoke(Unknown Source),
>>  sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43),
>>  java.lang.reflect.Method.invoke(Method.java:498),
>>  com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72),
>>  com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21),
>>  com.cloudbees.groovy.cps.Next.step(Next.java:83),
>>  com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:174),
>>  com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:163),
>>  org.codehaus.groovy.runtime.GroovyCategorySupport$ThreadCategoryInfo.use(GroovyCategorySupport.java:129),
>>  org.codehaus.groovy.runtime.GroovyCategorySupport.use(GroovyCategorySupport.java:268),
>>  com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:163),
>>  org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$101(SandboxContinuable.java:34),
>>  org.jenkinsci.plugins.workflow.cps.SandboxContinuable.lambda$run0$0(SandboxContinuable.java:59),
>>  org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:136),
>>  org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:58),
>>  org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:182),
>>  org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:332),
>>  org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$200(CpsThreadGroup.java:83),
>>  org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:244),
>>  org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:232),
>>  org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:64),
>>  java.util.concurrent.FutureTask.run(FutureTask.java:266),
>>  hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:131),
>>  jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28),
>>  jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:59),
>>  java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511),
>>  java.util.concurrent.FutureTask.run(FutureTask.java:266),
>>  java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149),
>>  java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624),
>>  java.lang.Thread.run(Thread.java:748)]
>>
>> Any ideas how to fix this? What is the right way of targeting this kind
>> of issue?
>> Thanks.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Jenkins Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/jenkinsci-users/ec75388f-8a03-424f-a9ca-43fd1d9ba452%40googlegroups.com
>> <https://groups.google.com/d/msgid/jenkinsci-users/ec75388f-8a03-424f-a9ca-43fd1d9ba452%40googlegroups.com?utm_medium=email&utm_source=footer>
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>


-- 
Thanks!
Mark Waite
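
Added example, not part of the original thread or written by any of its participants: the quoted 'AnsibleBuild' pipeline reworked along the lines suggested above, so that directory handling uses only the dir, deleteDir and sh steps and the sandbox has no java.io.File or FileUtils call to reject. It assumes the same agent label, versions.json file and download URL as the quoted script; the grep on the output of file is an added check.

```groovy
// Added example: sandbox-friendly variant of the quoted pipeline.
// No java.io.File / FileUtils imports, so nothing needs script approval.
node('AnsibleBuild') {
    try {
        checkout scm
        def versions = readJSON file: 'versions.json'

        stage('Getting Python source Code') {
            // Replaces new File("python") + FileUtils.forceDelete(f):
            // deleteDir() removes the current directory and its contents.
            dir('python') {
                deleteDir()
            }
            // Replaces 'mkdir python': the directory comes back into
            // existence when the sh steps below run inside it.
            dir('python') {
                sh 'curl -fsSL https://www.python.org/ftp/python/3.7.2/Python-3.7.2.tgz -o Python-3.7.2.tgz'
                // Fail the stage if the download is not a gzip archive
                // (for example an HTML error page saved under the .tgz name).
                sh 'file Python-3.7.2.tgz | grep -q "gzip compressed data"'
                sh 'tar -xzf Python-3.7.2.tgz'
            }
        }
        currentBuild.result = 'SUCCESS'
    } catch (e) {
        currentBuild.result = 'FAILURE'
        throw e   // keep the original failure visible in the build log
    } finally {
        // Workspace cleanup runs whether the stage passed or failed.
        dir('python') {
            deleteDir()
        }
    }
}
```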
