
More flexible and effective security for Groovy Postbuild


Details

    Description

      At the moment, Groovy Postbuild has a checkbox to enable or disable access to build, listener and hudson properties of the BadgeManager.

      Preventing access to these objects does not prevent access to Hudson via e.g. hudson.model.Hudson.instance, as in the following Postbuild script:

      hudson.model.Hudson.instance.doQuietDown()
      

      So while Postbuild is nice and really useful, there is no way to run it in a secure way at the moment.

      Please improve the feasibility of using Groovy Postbuild in a security conscious environment. A few suggestions:

      1. Copy Groovy Plugin's approach of separating Groovy and System Groovy build steps, making the latter only available for configuration to users with ADMINISTER privileges.

      2. Extend the API of BadgeManager. Something like build.keepLog() or build.setDescription(), or accessing a copy of the build variables map, is pretty harmless and can be exposed to any build.

      3. Run "unprivileged" postbuild scripts in a separate process, and evaluate the output/return value (passed e.g. as JSON) in the Hudson environment to set badges and perform other actions. Changes will happen only at the end of Postbuild execution, but that'd be a reasonable price to pay.
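The out-of-process design from suggestion 3, combined with the small harmless API from suggestion 2, as an added example that is not part of this issue or of the Groovy Postbuild plugin's code: the privileged side reads the unprivileged script's output as JSON data (never live objects) and applies only an allowlist of well-typed operations, so a request such as the quiet-down call quoted above is refused and logged rather than executed. The names BuildActions, applyUntrustedOutput, addShortText and the {"actions": [...]} message shape are assumptions chosen for illustration, and the sample output is constructed; a real plugin would call the Jenkins build API where the handlers mutate BuildActions.

```groovy
import groovy.json.JsonSlurper

// Constructed sample of what an unprivileged postbuild script, run in its own
// process, would print to stdout: requested actions as data, never live objects.
// The last entry is the kind of request that must never be honoured here.
String untrustedOutput = '''
{"actions": [
  {"op": "setDescription", "args": ["Deployed build 42 to staging"]},
  {"op": "keepLog",        "args": []},
  {"op": "addShortText",   "args": ["stable"]},
  {"op": "doQuietDown",    "args": []}
]}
'''

// Hypothetical stand-in for the harmless subset of build/BadgeManager
// operations (suggestion 2); a real plugin would call the Jenkins API here.
class BuildActions {
    String description
    boolean keepLog = false
    List<String> badges = []
}

// Allowlist: op name -> expected argument types and the handler that applies it.
// Any op absent from this map is rejected, whatever the script asked for.
Map<String, Map> allowedOps = [
    setDescription: [types: [String], apply: { BuildActions b, List a -> b.description = a[0] }],
    keepLog:        [types: [],       apply: { BuildActions b, List a -> b.keepLog = true }],
    addShortText:   [types: [String], apply: { BuildActions b, List a -> b.badges << a[0] }],
]

// Parses the script's JSON output and applies only allowlisted, well-typed actions.
// Returns the rejected requests so the build log can record them.
List<String> applyUntrustedOutput(String json, Map<String, Map> allowed, BuildActions build) {
    def parsed = new JsonSlurper().parseText(json)
    if (!(parsed instanceof Map) || !(parsed.actions instanceof List)) {
        throw new IllegalArgumentException('postbuild output is not of the form {"actions": [...]}')
    }
    List<String> rejected = []
    parsed.actions.each { action ->
        if (!(action instanceof Map) || !(action.op instanceof String) || !(action.args instanceof List)) {
            rejected << "malformed entry: ${action}".toString()
            return
        }
        Map spec = allowed[action.op]
        List args = action.args
        boolean accepted = spec != null && args.size() == spec.types.size() &&
            (0..<args.size()).every { i -> spec.types[i].isInstance(args[i]) }
        if (!accepted) {
            rejected << "${action.op}(${args})".toString()
            return
        }
        spec.apply.call(build, args)
    }
    return rejected
}

BuildActions build = new BuildActions()
List<String> rejected = applyUntrustedOutput(untrustedOutput, allowedOps, build)

assert build.description == 'Deployed build 42 to staging'
assert build.keepLog
assert build.badges == ['stable']
assert rejected == ['doQuietDown([])']
println "applied: description='${build.description}', keepLog=${build.keepLog}, badges=${build.badges}"
println "rejected: ${rejected}"
```

The important property is that the unprivileged process only ever produces data: even a script that reaches hudson.model.Hudson.instance inside its own sandbox process cannot affect the controller, because the only channel back is the JSON document, and the controller applies nothing it has not explicitly allowlisted and type-checked. Unknown ops are reported, not silently dropped, so an attempted escalation shows up in the build log.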

Attachments

Issue Links

Activity

danielbeck Daniel Beck created issue -
danielbeck Daniel Beck made changes -
    Field        Original Value           New Value
    Labels                                security
jglick Jesse Glick made changes -
    Link                                  This issue is related to JENKINS-9383 [ JENKINS-9383 ]
jglick Jesse Glick made changes -
    Assignee     wolfs [ wolfs ]          Jesse Glick [ jglick ]
jglick Jesse Glick made changes -
    Status       Open [ 1 ]               In Progress [ 3 ]
jglick Jesse Glick made changes -
    URL                                   https://github.com/jenkinsci/groovy-postbuild-plugin/pull/11
    Priority     Major [ 3 ]              Critical [ 2 ]
scm_issue_link SCM/JIRA link daemon made changes -
    Resolution                            Fixed [ 1 ]
    Status       In Progress [ 3 ]        Resolved [ 5 ]
rtyler R. Tyler Croy made changes -
    Workflow     JNJira [ 145934 ]        JNJira + In-Review [ 191703 ]
jglick Jesse Glick made changes -
    Link                                  This issue relates to JENKINS-54262 [ JENKINS-54262 ]

People

jglick Jesse Glick
danielbeck Daniel Beck
Votes: 2
Watchers: 4
