Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-35514

Ability to disable script console

    XMLWordPrintable

Details

    Description

      The administrative script console allows very broad access to Jenkins, and this has been a source of vulnerabilities in the past, e.g.
      https://www.rapid7.com/db/modules/exploit/multi/http/jenkins_script_console
      https://duckduckgo.com/?q=jenkins+script+console+java+execution&ia=web

      My team never uses this feature, and we'd like to reduce our attack surface by disabling the console completely, preferably from the system-level Jenkins config (/etc/sysconfig/jenkins on Linux). Is there an existing undocumented option for that? If not, will it be possible to add such an option?

      We do have mandatory auth and access control, but still would like to disable this feature.

      Attachments

        Issue Links

          Activity

            oleg_nenashev Oleg Nenashev added a comment -

            Theoretically it should be enough to disable the Jenkins.RUN_SCRIPTS permission in Authorization strategy, which does blocks permission inheritance. It would also block the groovy script CLI command.

            BTW I'm not sure which strategy provides such functionality

            oleg_nenashev Oleg Nenashev added a comment - Theoretically it should be enough to disable the Jenkins.RUN_SCRIPTS permission in Authorization strategy, which does blocks permission inheritance. It would also block the groovy script CLI command. BTW I'm not sure which strategy provides such functionality
            danielbeck Daniel Beck added a comment -

            this has been a source of vulnerabilities in the past

            The CSRF protection option has existed for years and will have prevented those. Since Jenkins 2, it's enabled by default.

            danielbeck Daniel Beck added a comment - this has been a source of vulnerabilities in the past The CSRF protection option has existed for years and will have prevented those. Since Jenkins 2, it's enabled by default.
            danielbeck Daniel Beck added a comment -

            Probably a case of moving these scripting capabilities to a plugin. I think there's already an issue for it.

            danielbeck Daniel Beck added a comment - Probably a case of moving these scripting capabilities to a plugin. I think there's already an issue for it.

            My original point was that even though the individual vulnerabilities or even vulnerability classes have been since fixed, the console still provides very broad privileges on the local Jenkins installation (and potentially local system, if the run-as user is misconfigured). If a particular team doesn't use the console, why should they have this potential security risk?

            dskrvk Dmitry Erastov added a comment - My original point was that even though the individual vulnerabilities or even vulnerability classes have been since fixed, the console still provides very broad privileges on the local Jenkins installation (and potentially local system, if the run-as user is misconfigured). If a particular team doesn't use the console, why should they have this potential security risk?
            danielbeck Daniel Beck added a comment -

            Pretty much a duplicate of JENKINS-29068 as a plugin can be disabled to remove its functionality.

            danielbeck Daniel Beck added a comment - Pretty much a duplicate of JENKINS-29068 as a plugin can be disabled to remove its functionality.

            People

              Unassigned Unassigned
              dskrvk Dmitry Erastov
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated: