
Support JobDSL without security check if called from a global pipeline lib

    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Major
    • Component: job-dsl-plugin

      When using JobDSL in pipeline scripts [1] that are configured globally (and hence are trusted) [2], the script security should be automatically disabled [3].

      At the moment the only workaround is to globally disable the script security for the JobDSL plugin [4] (but then it can also be used in regular Jenkinsfiles!) or to manually approve all incarnations (not feasible for us, we have way too many incarnations that may come in).

      It should be possible to check, in the implementation of the jobDsl command, whether the caller is already in a trusted context. If yes, all security checks should be skipped.

      [1]
      https://github.com/jenkinsci/job-dsl-plugin/wiki/User-Power-Moves#use-job-dsl-in-pipeline-scripts

      [2]
      https://jenkins.io/doc/book/pipeline/shared-libraries/#global-shared-libraries
      https://github.com/jenkinsci/workflow-cps-global-lib-plugin

      [3]
      https://github.com/jenkinsci/job-dsl-plugin/wiki/Migration#migrating-to-160
      https://github.com/jenkinsci/job-dsl-plugin/wiki/Script-Security

      [4]
      https://github.com/jenkinsci/job-dsl-plugin/wiki/Script-Security#disabling-script-security


          Georg Henzler created issue -

          Daniel Spilker added a comment -

          Can you post an example that reproduces the problem?

          Georg Henzler added a comment -

          daspilker This is an example JobDSL as it is produced by our pipeline library:

          pipelineJob('MyProj-Sonar-develop') {
            definition {
              cps {
                sandbox()
                script('''
                  echo('we use a much more complex script here, but this should reproduce the problem already')
                ''')
              }
            }
          }

          The pipeline library calls the jobDsl plugin as follows (the variable pipelineCreateJobDsl contains above snippet as text):

          jobDsl scriptText: pipelineCreateJobDsl, lookupStrategy: 'JENKINS_ROOT'
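          The shared-library step described in the comment above, written out as an added example (not the reporter's library code). It assumes a global library file vars/createSonarJob.groovy and the Job DSL pipeline step with the parameters shown on this page; the step name, its arguments and the name validation are assumptions. Because a trusted library step can be invoked from any Jenkinsfile, it validates its inputs before interpolating them into the DSL text, so that skipping the script-security check for trusted callers does not turn the library into a way to run arbitrary DSL.

```groovy
// vars/createSonarJob.groovy (added example; assumed file name and step name)
// Assumes the Job DSL plugin's `jobDsl` pipeline step, as used in this issue.
def call(Map args) {
    String project = args.project
    String branch  = args.branch ?: 'develop'
    String jobName = "${project}-Sonar-${branch}"   // e.g. MyProj-Sonar-develop

    // The Jenkinsfile that calls this trusted step controls `project` and
    // `branch`. Reject anything outside a conservative character set before
    // it is interpolated into DSL source text.
    if (!(jobName ==~ /[A-Za-z0-9_.-]+/)) {
        error "createSonarJob: refusing unsafe job name '${jobName}'"
    }

    // Generated Job DSL text; the generated pipeline job itself runs sandboxed,
    // exactly as in the reporter's snippet.
    String dslText = """
        pipelineJob('${jobName}') {
          definition {
            cps {
              sandbox()
              script('''
                echo('Sonar analysis for ${project} on branch ${branch}')
              ''')
            }
          }
        }
    """.stripIndent()

    // Same invocation as on this page: the library, not the Jenkinsfile,
    // decides what DSL text is processed and where jobs are looked up.
    jobDsl scriptText: dslText, lookupStrategy: 'JENKINS_ROOT'
    return jobName
}
```

Called from a Jenkinsfile as `createSonarJob(project: 'MyProj', branch: 'develop')`, the step only ever submits DSL text that the library assembled from validated fragments.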

          Georg Henzler added a comment -

          Just had this issue again on another Jenkins instance and needed to use [4] again - daspilker Do you know a way to determine if the job dsl is called from a safe context (e.g. global pipeline library)?

          Jamie Tanna made changes -
          Assignee: Daniel Spilker (daspilker) changed to Jamie Tanna (jamietanna)

            Assignee: Jamie Tanna (jamietanna)
            Reporter: Georg Henzler (ghenzler)
            Votes: 1
            Watchers: 5
