-
Improvement
-
Resolution: Fixed
-
Minor
-
None
-
Jenkins >= 1.545
Plugins could reject configurations via REST and CLI in Jenkins < 1.545 by throwing exceptions in readResolve.
Authorize Project plugin performs authentications with this behavior.
Jenkins 1.545 suppresses exceptions in readResolve in JENKINS-21024 (also backported to Jenkins 1.532.3).
This results that throwing exceptions in readResolve prevents reading configurations into memories via REST / CLI but cannot prevents saving them to the disk.
Authorize-project doesn't perform authentications when Jenkins reads configurations from the disk and allows bypassing authentications.
Jenkins 1.551 introduced XStream2#addCriticalField in SECURITY-107 (also backported to Jenkins 1.532.2) which triggers critical errors by exceptions in readResolve but only applied to system configurations, not applied project configurations via REST / CLI. (Exceptions are suppressed in CopyOnWriteList)
Jenkins should provides a way for plugins to reject configurations via REST / CLI.
- is blocking
-
JENKINS-28298 Can bypass the security check of authorize-project with CLI and REST of Jenkins 1.580.1
-
- Closed
-
- is related to
-
-
- Resolved
-
