JENKINS-15212

More flexible and effective security for Groovy Postbuild


Details

    Description

      At the moment, Groovy Postbuild has a checkbox to enable or disable access to build, listener and hudson properties of the BadgeManager.

      Preventing access to these objects does not prevent access to Hudson via e.g. hudson.model.Hudson.instance, e.g. in the following Postbuild script:

      hudson.model.Hudson.instance.doQuietDown()
      

      So while Postbuild is nice and really useful, there is no way to run it in a secure way at the moment.

      Please improve the feasibility of using Groovy Postbuild in a security conscious environment. A few suggestions:

      1. Copy Groovy Plugin's approach of separating Groovy and System Groovy build steps, making the latter only available for configuration to users with ADMINISTER privileges.

      2. Extend the API of BadgeManager. Something like build.keepLog() or build.setDescription(), or accessing a copy of the build variables map, is pretty harmless and can be exposed to any build.

      3. Run "unprivileged" postbuild scripts in a separate process, and evaluate the output/return value (passed e.g. as JSON) in the Hudson environment to set badges and perform other actions. Changes will happen only at the end of Postbuild execution, but that'd be a reasonable price to pay.
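
A sketch of the controller-side half of suggestion 3, added here as an illustration (it is not code from the plugin or from the fix that was merged): the script's output is treated as data, and only allow-listed actions with validated arguments are applied. `FakeBuild`, `ResultApplier` and the action names are hypothetical, and the child's stdout is a constructed sample rather than the output of a real process.

```groovy
import groovy.json.JsonSlurper
// Stand-in for a Jenkins build (hypothetical; not the plugin's API).
class FakeBuild {
    String description = ''
    boolean keepLog = false
    List<String> badges = []
}

class ResultApplier {
    // Allow-list of actions the controller performs on a script's behalf.
    // Names are hypothetical, modelled on the "harmless" calls in suggestion 2.
    static final Map ACTIONS = [
        keepLog       : { FakeBuild b, Map a -> b.keepLog = true },
        setDescription: { FakeBuild b, Map a -> b.description = ResultApplier.text(a, 200) },
        addBadge      : { FakeBuild b, Map a -> b.badges << ResultApplier.text(a, 40) },
    ]
    // Arguments are data only: one bounded string, nothing else is accepted.
    static String text(Map a, int max) {
        def v = a.text
        if (v instanceof String && v.length() <= max) return v
        throw new IllegalArgumentException('bad "text" argument')
    }
    // Parse the child's stdout, apply allow-listed actions, return what was rejected.
    static List<String> apply(String childStdout, FakeBuild build) {
        def parsed
        try {
            parsed = new JsonSlurper().parseText(childStdout)
        } catch (Exception e) { return ['output is not valid JSON'] }
        if (!(parsed instanceof List)) return ['top level must be a list']
        def rejected = []
        parsed.each { item ->
            def name = (item instanceof Map) ? item.action : null
            def handler = (name instanceof String) ? ACTIONS[name] : null
            if (handler == null) { rejected << "unknown action: ${name}".toString(); return }
            try {
                handler(build, item.args instanceof Map ? item.args : [:])
            } catch (IllegalArgumentException e) { rejected << "${name}: ${e.message}".toString() }
        }
        return rejected
    }
}

// Constructed sample of what an unprivileged script might print.
def out = '''[{"action":"addBadge","args":{"text":"flaky"}},
 {"action":"setDescription","args":{"text":"retry passed"}},{"action":"doQuietDown"}]'''
def build = new FakeBuild()
def rejected = ResultApplier.apply(out, build)
assert build.badges == ['flaky'] && build.description == 'retry passed'
assert rejected == ['unknown action: doQuietDown']
```

Because the script never holds a reference into the controller's JVM, a name such as `doQuietDown` is just an unrecognised string to the applier, not a method call.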

          Activity

            danielbeck Daniel Beck created issue -
            danielbeck Daniel Beck made changes -
            Field Original Value New Value
            Labels security
            jglick Jesse Glick made changes -
            Link This issue is related to JENKINS-9383 [ JENKINS-9383 ]
            jglick Jesse Glick made changes -
            Assignee wolfs [ wolfs ] Jesse Glick [ jglick ]
            jglick Jesse Glick made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            jglick Jesse Glick made changes -
            URL https://github.com/jenkinsci/groovy-postbuild-plugin/pull/11
            Priority Major [ 3 ] Critical [ 2 ]

            Code changed in jenkins
            User: ikedam
            Path:
            pom.xml
            src/main/java/org/jvnet/hudson/plugins/groovypostbuild/GroovyPostbuildDescriptor.java
            src/main/java/org/jvnet/hudson/plugins/groovypostbuild/GroovyPostbuildRecorder.java
            src/main/java/org/jvnet/hudson/plugins/groovypostbuild/GroovyPostbuildSummaryAction.java
            src/main/java/org/jvnet/hudson/plugins/groovypostbuild/GroovyScriptPath.java
            src/main/resources/org/jvnet/hudson/plugins/groovypostbuild/GroovyPostbuildRecorder/config.jelly
            src/main/resources/org/jvnet/hudson/plugins/groovypostbuild/GroovyPostbuildRecorder/global.jelly
            src/main/webapp/classpath-help.html
            src/main/webapp/help-enableGroovyPostBuildSecurity.html
            src/test/java/org/jvnet/hudson/plugins/groovypostbuild/GroovyPostbuildJenkinsRule.java
            src/test/java/org/jvnet/hudson/plugins/groovypostbuild/GroovyPostbuildRecorderTest.java
            http://jenkins-ci.org/commit/groovy-postbuild-plugin/00a39a3f1414665f746d58470274ec2a6d23526f
            Log:
            Merge pull request #11 from jglick/script-security

            [FIXED JENKINS-15212] Integrate with Script Security plugin

            Compare: https://github.com/jenkinsci/groovy-postbuild-plugin/compare/853e32dbad11...00a39a3f1414

            scm_issue_link SCM/JIRA link daemon made changes -
            Resolution Fixed [ 1 ]
            Status In Progress [ 3 ] Resolved [ 5 ]

            Code changed in jenkins
            User: ikedam
            Path:
            pom.xml
            http://jenkins-ci.org/commit/groovy-postbuild-plugin/bd8493379c7979187eecf99da32ffefe23c589b7
            Log:
            JENKINS-15212 Added compatibleSinceVersion to display warnings that upgrading from 1.X requires reconfiguration.


            Code changed in jenkins
            User: ikedam
            Path:
            src/main/java/org/jvnet/hudson/plugins/groovypostbuild/GroovyPostbuildRecorder.java
            http://jenkins-ci.org/commit/groovy-postbuild-plugin/6846753d9d994c2c9a0fc654b9ffbce6c2991d6f
            Log:
            JENKINS-15212 removeBadge(s) whitelisted.

            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 145934 ] JNJira + In-Review [ 191703 ]
            jglick Jesse Glick made changes -
            Link This issue relates to JENKINS-54262 [ JENKINS-54262 ]

            People

              jglick Jesse Glick
              danielbeck Daniel Beck
              Votes: 2
              Watchers: 4