[JENKINS-47736] JEP-200: Switch Remoting/XStream blacklist to a whitelist - Jenkins JIRA

XML

Word

Printable

Details

Type: Epic
Status: Resolved (View Workflow)
Priority: Critical
Resolution: Fixed
Component/s: core, jenkins-test-harness, remoting
Labels:
- JEP-200
- classloader
- remoting
- security
- xstream

Epic Name:
JEP-200: Switch Remoting/XStream blacklist to a whitelist
Similar Issues:

Show

Description

Currently Remoting and XStream2 share a blacklist of classes thought to be dangerous to deserialize, due to historically reported remote code execution attacks. We should instead switch to a whitelist, plus some categorical exemptions.

Attachments

Issue Links

is blocked by

JENKINS-53613 Plugin affected by JEP-200

Open

JENKINS-53638 Maven Plugin Affected by JEP-200

Open

is related to

JENKINS-49699 Doktor plugin affected by JEP-200

Open

JENKINS-49237 CPPNCSS Plugin fails with "WARNING: java.util.Calendar in JRE might be dangerous,"

Resolved

JENKINS-48963 UnsupportedOperationException: Refusing to marshal com.sonymobile.tools.gerrit.gerritevents.watchdog.WatchTimeExceptionData for security reasons

Resolved

JENKINS-49089 UnsupportedOperationException: Refusing to marshal org.apache.maven.artifact.versioning.DefaultArtifactVersion for security reasons

Resolved

JENKINS-41751 Groovy PowerAssertions don't show a useful message when being CPS transformed

Resolved

JENKINS-49016 Android-lint plugin affected by JEP in 2.102

Resolved

JENKINS-49176 SimpleDateFormat is not whitelisted - JEP-200

Resolved

JENKINS-49573 Matrix Configuration Parameter Plugin is affected by JEP-200

Closed

JENKINS-50566 Google Compute Engine Plugin JEP-200 Class rejected

Closed

JENKINS-50460 Builds marked as failed - Dr Memory plugin (JEP-200)

Closed

JENKINS-49175 Job DSL Plugin violates whitelist

Closed

relates to

JENKINS-48734 JEP-200 - Make PCT usable for testing plugin compatibility with unreleased Jenkins Cores

Resolved

JENKINS-43875 Cleanup following SECURITY-429

Resolved

JENKINS-57796 Checkmarx affected by JEP-200

Open

JENKINS-49025 SecurityException: Rejected: java.lang.String$CaseInsensitiveComparator

Resolved

JENKINS-49130 Sonar Quality Gates run fails after upgrade to Jenkins 2.102/2.103

Resolved

JENKINS-48965 Refusing to marshal java.util.Collections$SynchronizedRandomAccessList for security reasons

Resolved

JENKINS-49586 JDepend plugin classes not in JEP-200 whitelist

Resolved

JENKINS-51331 AuditTrail plugin incompatible with JEP-200

Resolved

JENKINS-47158 Warnings about workflow/*-parallel-synthetic.xml serializing WorkflowRun objects

Closed

links to

CloudBees Internal OSS-2508

cloudbees-folder PR 116

copyartifact PR 97

core PR 3120

credentials PR 96

crx-content-package-deployer PR 8

dependency-check PR 20

dockerhub-notification PR 16

git-client PR 290

jenkins-test-harness PR 81

JEP 200

job-dsl PR 1092

kubernetes-pipeline PR 66

lib-jenkins-maven-embedder PR 15

monitoring PR 6

nexus-platform PR 16

parameterized-trigger PR 118

pipeline-build-step PR 17

priority-sorter PR 42

project-description-setter PR 2

Wiki Page with the list of affected plugins

workflow-cps PR 190

workflow-support PR 50

xtrigger-lib PR 9

(8 is related to, 9 relates to, 28 links to)

Activity

Ascending order - Click to sort in descending order

10 older comments

Hide

Permalink

SCM/JIRA link daemon added a comment - 2018-01-12 22:41

Code changed in jenkins
User: Jesse Glick
Path:
core/src/main/java/hudson/util/XStream2.java
core/src/main/java/jenkins/model/Jenkins.java
core/src/main/java/jenkins/security/ClassFilterImpl.java
core/src/main/java/jenkins/security/CustomClassFilter.java
core/src/main/resources/jenkins/security/whitelisted-classes.txt
pom.xml
test/pom.xml
test/src/test/groovy/hudson/cli/BuildCommandTest.groovy
test/src/test/java/hudson/cli/BuildCommand2Test.java
test/src/test/java/hudson/util/XStream2Security383Test.java
test/src/test/java/jenkins/install/InstallUtilTest.java
test/src/test/java/jenkins/install/SetupWizardTest.java
test/src/test/java/jenkins/security/ClassFilterImplTest.java
test/src/test/java/jenkins/security/CustomClassFilterTest.java
test/src/test/java/jenkins/security/Security218CliTest.java
test/src/test/java/jenkins/security/Security218Test.java
test/src/test/resources/plugins/custom-class-filter.jpi
http://jenkins-ci.org/commit/jenkins/903b4461d37170ccda49ce6637adf7cf4a261b93
Log:
~~JENKINS-47736~~ Switch Remoting/XStream blacklist to a whitelist.

Show

SCM/JIRA link daemon added a comment - 2018-01-12 22:41 Code changed in jenkins User: Jesse Glick Path: core/src/main/java/hudson/util/XStream2.java core/src/main/java/jenkins/model/Jenkins.java core/src/main/java/jenkins/security/ClassFilterImpl.java core/src/main/java/jenkins/security/CustomClassFilter.java core/src/main/resources/jenkins/security/whitelisted-classes.txt pom.xml test/pom.xml test/src/test/groovy/hudson/cli/BuildCommandTest.groovy test/src/test/java/hudson/cli/BuildCommand2Test.java test/src/test/java/hudson/util/XStream2Security383Test.java test/src/test/java/jenkins/install/InstallUtilTest.java test/src/test/java/jenkins/install/SetupWizardTest.java test/src/test/java/jenkins/security/ClassFilterImplTest.java test/src/test/java/jenkins/security/CustomClassFilterTest.java test/src/test/java/jenkins/security/Security218CliTest.java test/src/test/java/jenkins/security/Security218Test.java test/src/test/resources/plugins/custom-class-filter.jpi http://jenkins-ci.org/commit/jenkins/903b4461d37170ccda49ce6637adf7cf4a261b93 Log: JENKINS-47736 Switch Remoting/XStream blacklist to a whitelist.

Hide

Permalink

SCM/JIRA link daemon added a comment - 2018-01-12 22:41

Code changed in jenkins
User: Oleg Nenashev
Path:
pom.xml
http://jenkins-ci.org/commit/jenkins/29362a5b7b94ddfe0ead38c423c54c81bfced53d
Log:
~~JENKINS-47736~~ - Use the new snapshot: remoting-3.16-20171228.162243-1

Show

SCM/JIRA link daemon added a comment - 2018-01-12 22:41 Code changed in jenkins User: Oleg Nenashev Path: pom.xml http://jenkins-ci.org/commit/jenkins/29362a5b7b94ddfe0ead38c423c54c81bfced53d Log: JENKINS-47736 - Use the new snapshot: remoting-3.16-20171228.162243-1

Hide

Permalink

SCM/JIRA link daemon added a comment - 2018-01-12 22:41

Code changed in jenkins
User: Oleg Nenashev
Path:
pom.xml
http://jenkins-ci.org/commit/jenkins/88e756de6fe6c3333658e6d4be6aad2323a63e09
Log:
~~JENKINS-47736~~ - Use the released version of Remoting 3.16

Show

SCM/JIRA link daemon added a comment - 2018-01-12 22:41 Code changed in jenkins User: Oleg Nenashev Path: pom.xml http://jenkins-ci.org/commit/jenkins/88e756de6fe6c3333658e6d4be6aad2323a63e09 Log: JENKINS-47736 - Use the released version of Remoting 3.16

Hide

Permalink

SCM/JIRA link daemon added a comment - 2018-01-12 22:41

Code changed in jenkins
User: Jesse Glick
Path:
core/src/main/java/hudson/PluginManager.java
core/src/main/java/hudson/util/XStream2.java
core/src/main/java/jenkins/MasterToSlaveFileCallable.java
core/src/main/java/jenkins/SlaveToMasterFileCallable.java
core/src/main/java/jenkins/model/Jenkins.java
core/src/main/java/jenkins/security/ClassFilterImpl.java
core/src/main/java/jenkins/security/CustomClassFilter.java
core/src/main/java/jenkins/security/MasterToSlaveCallable.java
core/src/main/java/jenkins/security/SlaveToMasterCallable.java
core/src/main/resources/jenkins/security/whitelisted-classes.txt
pom.xml
test/src/test/java/hudson/util/XStream2Security383Test.java
test/src/test/java/jenkins/install/InstallUtilTest.java
test/src/test/java/jenkins/install/SetupWizardTest.java
test/src/test/java/jenkins/security/ClassFilterImplTest.java
test/src/test/java/jenkins/security/CustomClassFilterTest.java
test/src/test/java/jenkins/security/Security218CliTest.java
test/src/test/java/jenkins/security/Security218Test.java
test/src/test/resources/plugins/custom-class-filter.jpi
http://jenkins-ci.org/commit/jenkins/cb4903c20e788f015f6210a965a2759009ff24f2
Log:
[JEP-200] ~~JENKINS-47736~~ Merged #3120: ClassFilterImpl

Show

SCM/JIRA link daemon added a comment - 2018-01-12 22:41 Code changed in jenkins User: Jesse Glick Path: core/src/main/java/hudson/PluginManager.java core/src/main/java/hudson/util/XStream2.java core/src/main/java/jenkins/MasterToSlaveFileCallable.java core/src/main/java/jenkins/SlaveToMasterFileCallable.java core/src/main/java/jenkins/model/Jenkins.java core/src/main/java/jenkins/security/ClassFilterImpl.java core/src/main/java/jenkins/security/CustomClassFilter.java core/src/main/java/jenkins/security/MasterToSlaveCallable.java core/src/main/java/jenkins/security/SlaveToMasterCallable.java core/src/main/resources/jenkins/security/whitelisted-classes.txt pom.xml test/src/test/java/hudson/util/XStream2Security383Test.java test/src/test/java/jenkins/install/InstallUtilTest.java test/src/test/java/jenkins/install/SetupWizardTest.java test/src/test/java/jenkins/security/ClassFilterImplTest.java test/src/test/java/jenkins/security/CustomClassFilterTest.java test/src/test/java/jenkins/security/Security218CliTest.java test/src/test/java/jenkins/security/Security218Test.java test/src/test/resources/plugins/custom-class-filter.jpi http://jenkins-ci.org/commit/jenkins/cb4903c20e788f015f6210a965a2759009ff24f2 Log: [JEP-200] JENKINS-47736 Merged #3120: ClassFilterImpl

Hide

Permalink

Jesse Glick added a comment - 2018-01-12 22:42

Merged toward 2.102.

Show

Jesse Glick added a comment - 2018-01-12 22:42 Merged toward 2.102.

People

Assignee:: Jesse Glick

Reporter:: Jesse Glick

Votes:: 1 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2017-10-30 18:02

Updated:: 2020-06-04 16:09

Resolved:: 2018-01-12 22:42