
More flexible and effective security for Groovy Postbuild

      At the moment, Groovy Postbuild has a checkbox to enable or disable access to build, listener and hudson properties of the BadgeManager.

      Preventing access to these objects does not prevent access to Hudson via e.g. hudson.model.Hudson.instance, e.g. in the following Postbuild script:

      hudson.model.Hudson.instance.doQuietDown()

      So while Postbuild is nice and really useful, there is no way to run it in a secure way at the moment.

      Please improve the feasibility of using Groovy Postbuild in a security conscious environment. A few suggestions:

      1. Copy Groovy Plugin's approach of separating Groovy and System Groovy build steps, making the latter only available for configuration to users with ADMINISTER privileges.

      2. Extend the API of BadgeManager. Something like build.keepLog() or build.setDescription(), or accessing a copy of the build variables map, is pretty harmless and can be exposed to any build.

      3. Run "unprivileged" postbuild scripts in a separate process, and evaluate the output/return value (passed e.g. as JSON) in the Hudson environment to set badges and perform other actions. Changes will happen only at the end of Postbuild execution, but that'd be a reasonable price to pay.
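A sketch of suggestion 2 combined with the sandbox integration the fix adopted, as an added example and not the plugin's own code: a hypothetical `UnprivilegedPostbuild.Api` exposes only `@Whitelisted` methods, and the job's script is evaluated through the Script Security plugin's `SecureGroovyScript` in sandbox mode. It assumes compilation inside a Jenkins plugin that depends on script-security; the class, method and binding-variable names are assumptions.

```java
import groovy.lang.Binding;
import hudson.model.AbstractBuild;
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException;
import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript;
import org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.Whitelisted;
import org.jenkinsci.plugins.scriptsecurity.scripts.ClasspathEntry;

/** Hypothetical helper: runs an unprivileged post-build script with a narrow, whitelisted API. */
public final class UnprivilegedPostbuild {

    /** The only object a sandboxed script receives; the wrapped build itself is never exposed. */
    public static final class Api {
        private final AbstractBuild<?, ?> build;

        Api(AbstractBuild<?, ?> build) { this.build = build; }

        @Whitelisted
        public void setDescription(String text) throws IOException { build.setDescription(text); }

        @Whitelisted
        public void keepLog() throws IOException { build.keepLog(true); }

        /** A copy, so a script cannot mutate the build's own variable map. */
        @Whitelisted
        public Map<String, String> getBuildVariables() { return new HashMap<>(build.getBuildVariables()); }
    }

    /**
     * Unlike dropping 'hudson' from the binding, the sandbox intercepts every method call and
     * property access, so reaching Jenkins through a static singleton is rejected as well.
     * Returns true when the script completed without touching anything outside the whitelist.
     */
    public static boolean run(AbstractBuild<?, ?> build, String userScript) {
        SecureGroovyScript script = new SecureGroovyScript(userScript, true, Collections.<ClasspathEntry>emptyList());
        Binding binding = new Binding();
        binding.setVariable("manager", new Api(build));
        try {
            script.evaluate(UnprivilegedPostbuild.class.getClassLoader(), binding);
            return true;
        } catch (RejectedAccessException e) {
            // Any call outside the whitelist, e.g. static access to the Jenkins instance, ends here.
            return false;
        } catch (Exception e) {
            return false;
        }
    }
}
```

Calls on `manager` succeed only because the methods carry `@Whitelisted`; an administrator can still approve further signatures through the Script Security plugin's approval list rather than by granting scripts unrestricted access.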

          [JENKINS-15212] More flexible and effective security for Groovy Postbuild

          SCM/JIRA link daemon added a comment - Code changed in jenkins
          User: ikedam
          Path:
          pom.xml
          src/main/java/org/jvnet/hudson/plugins/groovypostbuild/GroovyPostbuildDescriptor.java
          src/main/java/org/jvnet/hudson/plugins/groovypostbuild/GroovyPostbuildRecorder.java
          src/main/java/org/jvnet/hudson/plugins/groovypostbuild/GroovyPostbuildSummaryAction.java
          src/main/java/org/jvnet/hudson/plugins/groovypostbuild/GroovyScriptPath.java
          src/main/resources/org/jvnet/hudson/plugins/groovypostbuild/GroovyPostbuildRecorder/config.jelly
          src/main/resources/org/jvnet/hudson/plugins/groovypostbuild/GroovyPostbuildRecorder/global.jelly
          src/main/webapp/classpath-help.html
          src/main/webapp/help-enableGroovyPostBuildSecurity.html
          src/test/java/org/jvnet/hudson/plugins/groovypostbuild/GroovyPostbuildJenkinsRule.java
          src/test/java/org/jvnet/hudson/plugins/groovypostbuild/GroovyPostbuildRecorderTest.java
          http://jenkins-ci.org/commit/groovy-postbuild-plugin/00a39a3f1414665f746d58470274ec2a6d23526f
          Log:
          Merge pull request #11 from jglick/script-security

          [FIXED JENKINS-15212] Integrate with Script Security plugin

          Compare: https://github.com/jenkinsci/groovy-postbuild-plugin/compare/853e32dbad11...00a39a3f1414

          SCM/JIRA link daemon added a comment - Code changed in jenkins
          User: ikedam
          Path:
          pom.xml
          http://jenkins-ci.org/commit/groovy-postbuild-plugin/bd8493379c7979187eecf99da32ffefe23c589b7
          Log:
          JENKINS-15212 Added compatibleSinceVersion to display warnings that upgrading from 1.X requires reconfiguration.

          SCM/JIRA link daemon added a comment - Code changed in jenkins
          User: ikedam
          Path:
          src/main/java/org/jvnet/hudson/plugins/groovypostbuild/GroovyPostbuildRecorder.java
          http://jenkins-ci.org/commit/groovy-postbuild-plugin/6846753d9d994c2c9a0fc654b9ffbce6c2991d6f
          Log:
          JENKINS-15212 removeBadge(s) whitelisted.

            jglick Jesse Glick
            danielbeck Daniel Beck