Scripts not permitted to use new java.util.Properties

1 minute readKnowledge base

Issue

After upgrading to CloudBees CI version 2.361.2.2 (see CloudBees CI release notes), jobs that call shared library code fail with Scripts not permitted to use new java.util.Properties

Scripts not permitted to use new java.util.Properties. Administrators can decide whether to approve or reject this signature.
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use new java.util.Properties
	at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectNew(StaticWhitelist.java:238)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onNewInstance(SandboxInterceptor.java:178)
	at org.kohsuke.groovy.sandbox.impl.Checker$18.call(Checker.java:934)
	at org.kohsuke.groovy.sandbox.impl.Checker.preCheckedCast(Checker.java:939)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCast(Checker.java:838)
	at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.cast(SandboxInvoker.java:58)
	at test.call(test.groovy:3)
	at test.call(test.groovy)

Environment

Resolution

This is a bug tracked by JENKINS-70108. Upgrade to workflow-cps-plugin 3581.v2b_e4c99c76ed or later.

This fix was part of CloudBees CI on modern cloud platforms - Managed controller 2.375.3.3, CloudBees CI on traditional platforms 2.375.3.3, and newer.

Workaround

This happens when the shared library code causes a cast from Map to Properties.

    void call(Map arguments = [:]) {
    sh 'touch dockerfile'
    Properties p = readProperties(file : 'dockerfile')
}

instead try something like

def p = readProperties(file : 'dockerfile')

or

Map p = readProperties(file : 'dockerfile')

Tested product/plugin versions

CloudBees CI - Modern cloud platforms workflow-cps : 3536.vb_8a_6628079d5

This article is part of our Knowledge Base and is provided for guidance-based purposes only. The solutions or workarounds described here are not officially supported by CloudBees and may not be applicable in all environments. Use at your own discretion, and test changes in a safe environment before applying them to production systems.