Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-47736

JEP-200: Switch Remoting/XStream blacklist to a whitelist

    XMLWordPrintable

Details

    • JEP-200: Switch Remoting/XStream blacklist to a whitelist

    Description

      Currently Remoting and XStream2 share a blacklist of classes thought to be dangerous to deserialize, due to historically reported remote code execution attacks. We should instead switch to a whitelist, plus some categorical exemptions.

      Attachments

        Issue Links

          is blocked by

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-53613 Plugin affected by JEP-200

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-53638 Maven Plugin Affected by JEP-200

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open
          is related to

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-49237 CPPNCSS Plugin fails with "WARNING: java.util.Calendar in JRE might be dangerous,"

          • Blocker - Blocks development and/or testing work, production could not run.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-48963 UnsupportedOperationException: Refusing to marshal com.sonymobile.tools.gerrit.gerritevents.watchdog.WatchTimeExceptionData for security reasons

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-49089 UnsupportedOperationException: Refusing to marshal org.apache.maven.artifact.versioning.DefaultArtifactVersion for security reasons

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-41751 Groovy PowerAssertions don't show a useful message when being CPS transformed

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-49016 Android-lint plugin affected by JEP in 2.102

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-49176 SimpleDateFormat is not whitelisted - JEP-200

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-49573 Matrix Configuration Parameter Plugin is affected by JEP-200

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-50566 Google Compute Engine Plugin JEP-200 Class rejected

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-50460 Builds marked as failed - Dr Memory plugin (JEP-200)

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-49175 Job DSL Plugin violates whitelist

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-49699 Doktor plugin affected by JEP-200

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed
          relates to

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. JENKINS-48734 JEP-200 - Make PCT usable for testing plugin compatibility with unreleased Jenkins Cores

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. JENKINS-43875 Cleanup following SECURITY-429

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-57796 Checkmarx affected by JEP-200

          • Critical - Crashes, loss of data, severe memory leak.
          • Open

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-49025 SecurityException: Rejected: java.lang.String$CaseInsensitiveComparator

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-49130 Sonar Quality Gates run fails after upgrade to Jenkins 2.102/2.103

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-48965 Refusing to marshal java.util.Collections$SynchronizedRandomAccessList for security reasons

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-49586 JDepend plugin classes not in JEP-200 whitelist

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-51331 AuditTrail plugin incompatible with JEP-200

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-47158 Warnings about workflow/*-parallel-synthetic.xml serializing WorkflowRun objects

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed
          links to

          Web Link CloudBees Internal OSS-2508

          Web Link cloudbees-folder PR 116

          Web Link copyartifact PR 97

          Web Link core PR 3120

          Web Link credentials PR 96

          Web Link crx-content-package-deployer PR 8

          Web Link dependency-check PR 20

          Web Link dockerhub-notification PR 16

          Web Link git-client PR 290

          Web Link jenkins-test-harness PR 81

          Web Link JEP 200

          Web Link job-dsl PR 1092

          Web Link kubernetes-pipeline PR 66

          Web Link lib-jenkins-maven-embedder PR 15

          Web Link monitoring PR 6

          Web Link nexus-platform PR 16

          Web Link parameterized-trigger PR 118

          Web Link pipeline-build-step PR 17

          Web Link priority-sorter PR 42

          Web Link project-description-setter PR 2

          Web Link publish-over PR 8

          Web Link remoting PR 208

          Web Link ruby-runtime PR 5

          Web Link saltstack PR 116

          Web Link Wiki Page with the list of affected plugins

          Web Link workflow-cps PR 190

          Web Link workflow-support PR 50

          Web Link xtrigger-lib PR 9

          Activity

            Ascending order - Click to sort in descending order
            View 10 older comments
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            core/src/main/java/hudson/util/XStream2.java
            core/src/main/java/jenkins/model/Jenkins.java
            core/src/main/java/jenkins/security/ClassFilterImpl.java
            core/src/main/java/jenkins/security/CustomClassFilter.java
            core/src/main/resources/jenkins/security/whitelisted-classes.txt
            pom.xml
            test/pom.xml
            test/src/test/groovy/hudson/cli/BuildCommandTest.groovy
            test/src/test/java/hudson/cli/BuildCommand2Test.java
            test/src/test/java/hudson/util/XStream2Security383Test.java
            test/src/test/java/jenkins/install/InstallUtilTest.java
            test/src/test/java/jenkins/install/SetupWizardTest.java
            test/src/test/java/jenkins/security/ClassFilterImplTest.java
            test/src/test/java/jenkins/security/CustomClassFilterTest.java
            test/src/test/java/jenkins/security/Security218CliTest.java
            test/src/test/java/jenkins/security/Security218Test.java
            test/src/test/resources/plugins/custom-class-filter.jpi
            http://jenkins-ci.org/commit/jenkins/903b4461d37170ccda49ce6637adf7cf4a261b93
            Log:
            JENKINS-47736 Switch Remoting/XStream blacklist to a whitelist.

            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: core/src/main/java/hudson/util/XStream2.java core/src/main/java/jenkins/model/Jenkins.java core/src/main/java/jenkins/security/ClassFilterImpl.java core/src/main/java/jenkins/security/CustomClassFilter.java core/src/main/resources/jenkins/security/whitelisted-classes.txt pom.xml test/pom.xml test/src/test/groovy/hudson/cli/BuildCommandTest.groovy test/src/test/java/hudson/cli/BuildCommand2Test.java test/src/test/java/hudson/util/XStream2Security383Test.java test/src/test/java/jenkins/install/InstallUtilTest.java test/src/test/java/jenkins/install/SetupWizardTest.java test/src/test/java/jenkins/security/ClassFilterImplTest.java test/src/test/java/jenkins/security/CustomClassFilterTest.java test/src/test/java/jenkins/security/Security218CliTest.java test/src/test/java/jenkins/security/Security218Test.java test/src/test/resources/plugins/custom-class-filter.jpi http://jenkins-ci.org/commit/jenkins/903b4461d37170ccda49ce6637adf7cf4a261b93 Log: JENKINS-47736 Switch Remoting/XStream blacklist to a whitelist.
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Oleg Nenashev
            Path:
            pom.xml
            http://jenkins-ci.org/commit/jenkins/29362a5b7b94ddfe0ead38c423c54c81bfced53d
            Log:
            JENKINS-47736 - Use the new snapshot: remoting-3.16-20171228.162243-1

            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Oleg Nenashev Path: pom.xml http://jenkins-ci.org/commit/jenkins/29362a5b7b94ddfe0ead38c423c54c81bfced53d Log: JENKINS-47736 - Use the new snapshot: remoting-3.16-20171228.162243-1
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Oleg Nenashev
            Path:
            pom.xml
            http://jenkins-ci.org/commit/jenkins/88e756de6fe6c3333658e6d4be6aad2323a63e09
            Log:
            JENKINS-47736 - Use the released version of Remoting 3.16

            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Oleg Nenashev Path: pom.xml http://jenkins-ci.org/commit/jenkins/88e756de6fe6c3333658e6d4be6aad2323a63e09 Log: JENKINS-47736 - Use the released version of Remoting 3.16
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            core/src/main/java/hudson/PluginManager.java
            core/src/main/java/hudson/util/XStream2.java
            core/src/main/java/jenkins/MasterToSlaveFileCallable.java
            core/src/main/java/jenkins/SlaveToMasterFileCallable.java
            core/src/main/java/jenkins/model/Jenkins.java
            core/src/main/java/jenkins/security/ClassFilterImpl.java
            core/src/main/java/jenkins/security/CustomClassFilter.java
            core/src/main/java/jenkins/security/MasterToSlaveCallable.java
            core/src/main/java/jenkins/security/SlaveToMasterCallable.java
            core/src/main/resources/jenkins/security/whitelisted-classes.txt
            pom.xml
            test/src/test/java/hudson/util/XStream2Security383Test.java
            test/src/test/java/jenkins/install/InstallUtilTest.java
            test/src/test/java/jenkins/install/SetupWizardTest.java
            test/src/test/java/jenkins/security/ClassFilterImplTest.java
            test/src/test/java/jenkins/security/CustomClassFilterTest.java
            test/src/test/java/jenkins/security/Security218CliTest.java
            test/src/test/java/jenkins/security/Security218Test.java
            test/src/test/resources/plugins/custom-class-filter.jpi
            http://jenkins-ci.org/commit/jenkins/cb4903c20e788f015f6210a965a2759009ff24f2
            Log:
            [JEP-200] JENKINS-47736 Merged #3120: ClassFilterImpl

            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: core/src/main/java/hudson/PluginManager.java core/src/main/java/hudson/util/XStream2.java core/src/main/java/jenkins/MasterToSlaveFileCallable.java core/src/main/java/jenkins/SlaveToMasterFileCallable.java core/src/main/java/jenkins/model/Jenkins.java core/src/main/java/jenkins/security/ClassFilterImpl.java core/src/main/java/jenkins/security/CustomClassFilter.java core/src/main/java/jenkins/security/MasterToSlaveCallable.java core/src/main/java/jenkins/security/SlaveToMasterCallable.java core/src/main/resources/jenkins/security/whitelisted-classes.txt pom.xml test/src/test/java/hudson/util/XStream2Security383Test.java test/src/test/java/jenkins/install/InstallUtilTest.java test/src/test/java/jenkins/install/SetupWizardTest.java test/src/test/java/jenkins/security/ClassFilterImplTest.java test/src/test/java/jenkins/security/CustomClassFilterTest.java test/src/test/java/jenkins/security/Security218CliTest.java test/src/test/java/jenkins/security/Security218Test.java test/src/test/resources/plugins/custom-class-filter.jpi http://jenkins-ci.org/commit/jenkins/cb4903c20e788f015f6210a965a2759009ff24f2 Log: [JEP-200] JENKINS-47736 Merged #3120: ClassFilterImpl
            jglick Jesse Glick added a comment -

            Merged toward 2.102.

            jglick Jesse Glick added a comment - Merged toward 2.102.

            People

              jglick Jesse Glick
              jglick Jesse Glick
              Votes:
              1 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: