
[JENKINS-72620] Typoing a method name or calling with incorrect parameters yields RejectedAccessException #890

@jenkins-infra-bot


When one is writing unprivileged scripts for Jenkins, there are a whole slew of errors which all get reported from Jenkins as

    org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object

For example, this happens if you have the method name incorrect, forget that a method requires a following block, forget to put commas between function parameters, or this lovely way to trigger the same error that we discovered internally:

    callExternallDefinedFunction(
       param1: "foo",
       param2: "bar",
       isFrobnitz=true
    )

(That last one was caused by developers jumping back and forth between Jenkins and Python code and forgetting, when adding a parameter in Jenkins, to use a colon instead of an equals sign.)

This seems needlessly hostile to new users or to casual users who write new Jenkinsfiles only rarely; also, if you search for GroovyObject invokeMethod java.lang.String java.lang.Object on Stack Overflow you will find many, many recommendations that people whitelist this method when they are confronted with this error. (A really dangerous move!)

I understand that it is likely rather difficult to unwind the interaction between Groovy dynamic method resolution and sandbox security that leads to this behavior and replace it with something that results in a groovy.lang.MissingMethodException or other appropriate exception. However, perhaps this quirk could be documented more widely in the plugin documentation so that maybe we stop the knee-jerk "oop, better whitelist this" behavior. Either that, or maybe there's a way to throw an exception with a different message when denying access to groovy.lang.GroovyObject.invokeMethod that could point to further documentation.


Originally reported by fizbin, imported from: Typoing a method name or calling with incorrect parameters yields RejectedAccessException
  • status: Open
  • priority: Major
  • component(s): script-security-plugin
  • resolution: Unresolved
  • votes: 0
  • watchers: 1
  • imported: 2025-12-09
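
The triage the report asks for can be done outside the plugin. The following is an added example, not code from the issue or from script-security: it tells the catch-all invokeMethod rejection apart from rejections that name a concrete signature, and flags an approval list that already whitelists the catch-all. The names triage and audit_approved, the verdict strings and the sample log are assumptions made up for this example.

```python
import re

# Signature quoted in the issue: the rejection every mistyped or mis-called
# method in a sandboxed script collapses into.
DYNAMIC_DISPATCH = ("groovy.lang.GroovyObject invokeMethod "
                    "java.lang.String java.lang.Object")

# Matches the exception line format quoted in the issue.
REJECTED = re.compile(
    r"RejectedAccessException: Scripts not permitted to use "
    r"(?P<kind>\w+) (?P<sig>.+?)\s*$"
)

def triage(console_log):
    """Return (line_no, signature, verdict) for each sandbox rejection."""
    findings = []
    for no, line in enumerate(console_log.splitlines(), 1):
        m = REJECTED.search(line)
        if not m:
            continue
        sig = m.group("sig")
        # startswith tolerates any trailing text after the signature.
        if m.group("kind") == "method" and sig.startswith(DYNAMIC_DISPATCH):
            verdict = "script-error"  # likely typo or wrong arguments: fix the script
        else:
            verdict = "review"        # concrete signature: assess it on its merits
        findings.append((no, sig, verdict))
    return findings

def audit_approved(signatures):
    """Flag approval entries that whitelist dynamic dispatch itself."""
    return [s for s in signatures if s.strip() == "method " + DYNAMIC_DISPATCH]

# Constructed sample console output (not taken from a real build).
SAMPLE_LOG = """\
[Pipeline] node
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object
[Pipeline] End of Pipeline
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod java.lang.System getenv java.lang.String
"""

if __name__ == "__main__":
    for no, sig, verdict in triage(SAMPLE_LOG):
        print(f"line {no}: {verdict}: {sig}")
```

A "script-error" verdict means the first thing to check is the call site (method name, commas, `name: value` arguments, a missing block), not the approval queue.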
