Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-28178

Option to disable sandbox in CpsScmFlowDefinition

XMLWordPrintable

      Currently CpsScmFlowDefinition enforces sandbox mode on the grounds that whole-script approval is unrealistic (an administrator would need to approve every SCM revision, and Jenkins cannot automatically approve revisions like it could from GUI changes to a CpsFlowDefinition by an administrator).

      There should however be an option to simply trust the script as it comes from the SCM. This could be checked by default if Jenkins were unsecured; for a secured Jenkins, the default should remain to use the sandbox, though you could switch to trusted mode with a stern warning in form validation explaining that you are responsible for auditing all changes to that SCM repository, and noting that attackers with SCM access could take over control of Jenkins in ways that might make auditing difficult. (For example, someone with push access to a Git repository could push a script which obtains the API token of a legitimate Jenkins administrator, mails it to the attacker, then deletes the current build record; and finally force-push the attacking script out of existence except via the reflog.)

      Pending such an option, the workaround is given by the tutorial here: define a CpsFlowDefinition with an approved script that checks out the SCM and uses load to run it. This has the same effect at the price of more awkward configuration.

        1. Bildschirmfoto 2017-11-16 um 10.34.46.png
          Bildschirmfoto 2017-11-16 um 10.34.46.png
          267 kB

          [JENKINS-28178] Option to disable sandbox in CpsScmFlowDefinition

          Jesse Glick created issue -
          Ed Holzwarth made changes -
          Priority Original: Minor [ 4 ] New: Major [ 3 ]
          Jesse Glick made changes -
          Description Original: Currently {{CpsScmFlowDefinition}} enforces sandbox mode on the grounds that whole-script approval is unrealistic (an administrator would need to approve every SCM revision, and Jenkins cannot automatically approve revisions like it could from GUI changes to a {{CpsFlowDefinition}} by an administrator).

          There should however be an option to simply trust the script as it comes from the SCM. This could be checked by default if Jenkins were unsecured; for a secured Jenkins, the default should remain to use the sandbox, though you could switch to trusted mode with a stern warning in form validation explaining that you are responsible for auditing all changes to that SCM repository, and noting that attackers with SCM access could take over control of Jenkins in ways that might make auditing difficult. (For example, someone with push access to a Git repository could push a script which obtains the API token of a legitimate Jenkins administrator, mails it to the attacker, then deletes the current build record; and finally force-push the attacking script out of existence except via the reflog.)

          Pending such an option, the workaround is given by the tutorial [here|https://github.com/jenkinsci/workflow-plugin/blob/master/TUTORIAL.md#manual-loading]: define a {{CpsFlowDefinition}} with an approved script that checks out the SCM and uses {{load}} to run it. This has the same effect at the price of more awkward configuration.           		New: Currently {{CpsScmFlowDefinition}} enforces sandbox mode on the grounds that whole-script approval is unrealistic (an administrator would need to approve every SCM revision, and Jenkins cannot automatically approve revisions like it could from GUI changes to a {{CpsFlowDefinition}} by an administrator).

          There should however be an option to simply trust the script as it comes from the SCM. This could be checked by default if Jenkins were unsecured; for a secured Jenkins, the default should remain to use the sandbox, though you could switch to trusted mode with a stern warning in form validation explaining that you are responsible for auditing all changes to that SCM repository, and noting that attackers with SCM access could take over control of Jenkins in ways that might make auditing difficult. (For example, someone with push access to a Git repository could push a script which obtains the API token of a legitimate Jenkins administrator, mails it to the attacker, then deletes the current build record; and finally force-push the attacking script out of existence except via the reflog.)

          Pending such an option, the workaround is given by the tutorial [here|https://github.com/jenkinsci/workflow-plugin/blob/master/TUTORIAL.md#triggering-manual-loading]: define a {{CpsFlowDefinition}} with an approved script that checks out the SCM and uses {{load}} to run it. This has the same effect at the price of more awkward configuration.
          Jesse Glick made changes -
          Link New: This issue is related to JENKINS-25784 [ JENKINS-25784 ]
          Jesse Glick made changes -
          Epic Link New: JENKINS-35391 [ 171184 ]
          R. Tyler Croy made changes -
          Workflow Original: JNJira [ 162896 ] New: JNJira + In-Review [ 181064 ]
          Andrew Bayer made changes -
          Component/s New: pipeline-general [ 21692 ]
          Andrew Bayer made changes -
          Component/s Original: workflow-plugin [ 18820 ]
          Jesse Glick made changes -
          Component/s New: workflow-cps-plugin [ 21713 ]
          Component/s Original: pipeline [ 21692 ]
          Federico Naum made changes -
          Assignee Original: Jesse Glick [ jglick ] New: Federico Naum [ fnaum ]
          Jesse Glick made changes -
          Assignee Original: Federico Naum [ fnaum ]

            Unassigned Unassigned
            jglick Jesse Glick
            Votes:
            122 Vote for this issue
            Watchers:
            118 Start watching this issue

              Created:
              Updated: