
Jenkins should set a SecurityManager (prevent rogue scripts exiting)

    • Improvement
    • Resolution: Unresolved
    • Major
    • core, groovy-plugin
    • None
    • Any

      Jenkins should set a SecurityManager and explicitly trap out calls to System.exit from plugins.

      This would prevent e.g. the following script from taking out the whole web container:
      System.exit(0)

      Groovy even provides a NoExitSecurityManager for this purpose.
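
An added illustration of the approach this description proposes, written in plain JDK Java; it is not code from this issue, from Jenkins, or from Groovy's NoExitSecurityManager. The class and method names are hypothetical, and it assumes a JDK where a SecurityManager can still be installed (Java 18 to 23 need -Djava.security.manager=allow; from Java 24 it can no longer be installed at all).

```java
import java.security.Permission;

public class NoExitDemo {

    /** Hypothetical manager: vetoes JVM exit, permits every other operation. */
    @SuppressWarnings("removal")
    static final class NoExitManager extends SecurityManager {
        @Override
        public void checkExit(int status) {
            // Reached from System.exit, Runtime.exit and Runtime.halt.
            throw new SecurityException("exit(" + status + ") blocked");
        }

        @Override
        public void checkPermission(Permission perm) {
            // Allow everything else: this guards against outages, it is not a sandbox.
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            // Same: no restriction beyond checkExit.
        }
    }

    /** Runs a script body and reports whether an exit attempt was trapped. */
    static String runScript(Runnable script) {
        try {
            script.run();
            return "completed";
        } catch (SecurityException e) {
            return "trapped: " + e.getMessage();
        }
    }

    @SuppressWarnings("removal")
    public static void main(String[] args) {
        // Installed once at startup, as the issue suggests for Jenkins itself.
        System.setSecurityManager(new NoExitManager());

        // Constructed sample "scripts": the one from the description, and a harmless one.
        System.out.println(runScript(() -> System.exit(0)));
        System.out.println(runScript(() -> System.getProperty("java.version")));

        // The JVM is still alive here; the exit call surfaced as an exception instead.
        System.out.println("container still running");
    }
}
```

Because checkPermission allows everything, the script can still read files, spawn processes, or replace the manager, so this covers only the accidental-exit case.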

          [JENKINS-26862] Jenkins should set a SecurityManager (prevent rogue scripts exiting)

          Daniel Beck added a comment -

          Wouldn't it suffice to fix plugins so they use Script Security Plugin for everything groovy?

          Daniel Beck added a comment -

          FTR https://jenkins.io/security/advisory/2017-04-10/ so this can probably be Won't Fixed? A security manager alone won't prevent all the evilness in scripts, there's no way around sandboxing or admin approval.

          Ed Randall added a comment - - edited

          Think beyond the headline and into the description - whilst a 'security manager' is the solution, this is not really about security but rather more about preventing a casual or accidental System.exit placed in a script from exiting the whole Jenkins and causing an unintended outage. Of course it can likely be circumvented with determination. I can't think of any situation where System.exit would be desirable and the given securitymanager traps this. It's a simple thing to do which will save teams from their own accidents. WONTFIX would be rather disappointing.

          Daniel Beck added a comment -

          abayer recently identified a plugin that did this for no real reason; this would have helped.

            vjuranek vjuranek
            edrandall Ed Randall