Jenkins pipeline - getting a security error, how do I prevent the error from being raised?

Time: 2016-10-19 10:57:02

Tags: jenkins groovy jenkins-pipeline

I am writing an Android build process as code in a Jenkins pipeline. The relevant part of the script is:

def notifyStarted() {
  // send to Slack
  slackSend (channel: '#slack-test', color: 'warning', message: "STARTED: Job '${env.JOB_NAME} [${env.BUILD_NUMBER}]' (${env.BUILD_URL})")
}
def get_current_time_date() {
    Date date = new Date();   // given date
    Calendar calendar = GregorianCalendar.getInstance(); // creates a new calendar instance
    calendar.setTime(date);   // assigns calendar to given date
    TIMEH = calendar.get(Calendar.HOUR_OF_DAY); // gets hour in 24h format
    TIMEM = calendar.get(Calendar.MINUTE);
    TIMES = calendar.get(Calendar.SECOND);
    newdate = date.format( 'yyyy-MM-dd' );
    def result = newdate + '%' + TIMEH + ':' + TIMEM + ':' + TIMES
    result
}
// Mixpanel parameters

// End of Mixpanel parameters

node ('master') {
    notifyStarted()
    sh '( git reset --hard; git clean -fxd; git tag -d $(git tag) ) &>/dev/null || true'
    checkout scm
    MP_VERSION_NAME = sh '(git tag | grep '^[0-9]' | tail -n 1)'
    MP_API_KEY = "cXXXXXXXXXf"
    MP_API_SECRET = "4XXXXXXXXX4"
    MP_EXPIRE = "1588896000"
    MP_APP_PLATFORM = "Android"
    MP_BASE_URL = "http://mixpanel.com/api/2.0/annotations/create?"
    //RELEASE_DATE =  get_current_time_date()
    MP_RELEASE_NOTES = ""
    DESCRIPTION = "${MP_APP_PLATFORM}%v${MP_VERSION_NAME}${MP_RELEASE_NOTES}"
    REQUEST_URL = "api_key=${MP_API_KEY}&date=${RELEASE_DATE}&description=${DESCRIPTION}&expire=${MP_EXPIRE}"
    REQUEST_URL_NO_AMPERSAND = REQUEST_URL.replaceAll('&','')
    REQUEST_URL_API_SECRET = "${REQUEST_URL_NO_AMPERSAND}${MP_API_SECRET}"
    SIGNATURE = "md5 -q -s ${REQUEST_URL_API_SECRET}".execute().text
    CURL_COMMAND = "${MP_BASE_URL}${REQUEST_URL}&sig=${SIGNATURE}".replaceAll(' ','%20')
    def cwd = pwd()
    stage ('Compilation environment preparation') {
        // Build parameters
        NDK_VER="r12b"
        SDK_VER="r24.4.1"
        GRADLE_USER_HOME="${cwd}/.gradle"
        NDK_DIR="${GRADLE_USER_HOME}/android-ndk-${NDK_VER}"
        SDK_DIR="${GRADLE_USER_HOME}/android-sdk-linux"
        SDK_TOOLS="${SDK_DIR}/tools"
        AAPT="${SDK_DIR}/build-tools/23.0.3"

When the build runs, I get the following error:

org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: unclassified method java.lang.String xor java.util.ArrayList
    at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:113)
    at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:149)
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:146)
    at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:16)
    at WorkflowScript.run(WorkflowScript:30)
    at ___cps.transform___(Native Method)
    at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:48)
    at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:109)
    at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:82)
    at sun.reflect.GeneratedMethodAccessor243.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
    at com.cloudbees.groovy.cps.impl.CollectionLiteralBlock$ContinuationImpl.dispatch(CollectionLiteralBlock.java:55)
    at com.cloudbees.groovy.cps.impl.CollectionLiteralBlock$ContinuationImpl.item(CollectionLiteralBlock.java:45)
    at sun.reflect.GeneratedMethodAccessor244.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
    at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:50)
    at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:109)
    at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:82)
    at sun.reflect.GeneratedMethodAccessor243.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
    at com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21)
    at com.cloudbees.groovy.cps.Next.step(Next.java:58)
    at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:154)
    at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:18)
    at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:33)
    at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:30)
    at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:108)
    at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:30)
    at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:163)
    at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:324)
    at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$100(CpsThreadGroup.java:78)
    at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:236)
    at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:224)
    at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:63)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:112)
    at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Finished: FAILURE

I think this problem is related to the get_current_time_date function, but I am not sure how.

I have seen this error on the web and found that I can go to Jenkins -> Manage Jenkins -> In-process Script Approval and approve certain code to run, but how do I prevent this from happening? I am not sure which code (of the 3) or which signature (of the 3) is the one I should approve, and in any case I want the pipeline to run automatically, with no human intervention.

Any idea what is causing this error?

2 answers:

Answer 0 (score: 1)

Move your logic/code into shared library code; it will be trusted automatically.

https://jenkins.io/doc/book/pipeline/shared-libraries/#global-shared-libraries

"These libraries are considered 'trusted': they can run any methods in Java, Groovy, Jenkins internal APIs, Jenkins plugins, or third-party libraries. This allows you to define libraries which encapsulate individually unsafe APIs in a higher-level wrapper safe for use from any Pipeline."
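
One way to apply this answer to the question's pipeline, as an added example that is not part of the original answer or of the asker's script. It is a global-shared-library step (the name mixpanelAnnotate, the credential IDs and the date format are assumptions) that moves the signature computation out of the Jenkinsfile. Because library code is trusted, the MD5 can be computed in-process with java.security.MessageDigest instead of the question's "md5 -q -s ...".execute(), which spawns a process on the master with the API secret on its command line, and the key and secret come from the Jenkins credential store instead of being hard-coded. The signing scheme (md5 of the query string with '&' stripped plus the secret) is copied from the question's pipeline, not taken from any Mixpanel documentation. The step also shows the quoting fix for the git tag line: the question nests single quotes, so Groovy reads '(git tag | grep ' ^ [0-9] ..., which is the "String xor ArrayList" in the trace.

```groovy
// vars/mixpanelAnnotate.groovy in a global shared library (hypothetical name; added
// example, not the original poster's code). Trusted library code: MessageDigest,
// String/List operations and Date.format run here without any In-process Script
// Approval entry.
import java.security.MessageDigest

// Hex MD5 computed in-process, replacing "md5 -q -s <query+secret>".execute().
@NonCPS
String md5Hex(String s) {
    MessageDigest.getInstance('MD5').digest(s.getBytes('UTF-8')).encodeHex().toString()
}

// Signed annotation URL, built the same way as the question's pipeline:
// sig = md5(query string with '&' removed + API secret), spaces encoded as %20.
// https is an assumption; the question used http.
@NonCPS
String buildAnnotationUrl(String apiKey, String apiSecret, String date,
                          String description, String expire,
                          String baseUrl = 'https://mixpanel.com/api/2.0/annotations/create?') {
    String query = "api_key=${apiKey}&date=${date}&description=${description}&expire=${expire}"
    String sig = md5Hex(query.replaceAll('&', '') + apiSecret)
    return "${baseUrl}${query}&sig=${sig}".replaceAll(' ', '%20')
}

// Pipeline-facing step. Usage in a Jenkinsfile (credential IDs are assumed
// Secret-text credentials bound via the Credentials Binding plugin):
//   mixpanelAnnotate(apiKeyId: 'mixpanel-api-key', apiSecretId: 'mixpanel-api-secret',
//                    platform: 'Android', expire: '1588896000')
def call(Map args) {
    // Double-quoted Groovy string, so the single quotes around the grep pattern reach
    // the shell intact; returnStdout captures the tag instead of discarding it.
    String version = args.version ?:
        sh(script: "git tag | grep '^[0-9]' | tail -n 1", returnStdout: true).trim()
    String date = args.date ?: new Date().format('yyyy-MM-dd HH:mm:ss')  // format assumed
    // "%v" separator copied from the question's DESCRIPTION string.
    String description = "${args.platform}%v${version}${args.releaseNotes ?: ''}"

    withCredentials([string(credentialsId: args.apiKeyId, variable: 'MP_API_KEY'),
                     string(credentialsId: args.apiSecretId, variable: 'MP_API_SECRET')]) {
        String url = buildAnnotationUrl(env.MP_API_KEY, env.MP_API_SECRET,
                                        date, description, args.expire)
        // set +x keeps the signed URL (and the api_key inside it) out of the console log.
        sh "set +x; curl -fsS '${url}'"
    }
}
```

With this in place the Jenkinsfile keeps only the call to mixpanelAnnotate(...), so nothing in it touches an API the sandbox rejects and no approval step is needed between runs.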

Answer 1 (score: 0)

As you mentioned, you need to manually approve certain method signatures in In-process Script Approval. It is a security system that sandboxes Groovy code execution so that you do not execute dangerous/malicious code. You cannot really avoid it, but you only need to approve each signature once, not on every run.

In short, approve the signatures manually until you have got through all of them, and then you should be fine.
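
If you do go the approval route, the approval can be made a reviewed, one-time act rather than a click on every pending entry. The following script-console snippet is an added example, not part of the original answer; it uses the script-security plugin's ScriptApproval API to approve only signatures on an explicit allowlist and leaves everything else pending. The allowlist entries are assumed examples chosen for the question's get_current_time_date function; the exact strings are the ones the In-process Script Approval page shows for your build.

```groovy
// Run in Manage Jenkins -> Script Console (requires Overall/Administer).
// Added example: approves a reviewed allowlist of pending signatures in one go.
import org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval

// Allowlist of signatures the build is allowed to use. Entries are assumed examples
// for the Calendar calls in the question's helper; copy the real strings from the
// approval page.
Set<String> allowed = [
    'staticMethod java.util.Calendar getInstance',
    'method java.util.Calendar setTime java.util.Date',
    'method java.util.Calendar get int',
    'staticField java.util.Calendar HOUR_OF_DAY',
    'staticField java.util.Calendar MINUTE',
    'staticField java.util.Calendar SECOND',
] as Set

ScriptApproval approval = ScriptApproval.get()
approval.pendingSignatures.each { pending ->
    String sig = pending.signature
    if (sig in allowed) {
        approval.approveSignature(sig)
        println "approved: ${sig}"
    } else {
        // Left pending on purpose. 'method java.lang.String execute' (the question's
        // md5 call) is the kind of entry to refuse: once approved, any Jenkinsfile on
        // this controller can run arbitrary commands on the master, which is exactly
        // what the sandbox exists to prevent.
        println "left pending, review manually: ${sig}"
    }
}
```

Approved signatures apply controller-wide, to every pipeline, so the list is worth keeping under version control and re-applying with this snippet after a controller rebuild rather than re-approving by hand.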