JEP-200: Switch Remoting/XStream blacklist to a whitelist

      Currently Remoting and XStream2 share a blacklist of classes thought to be dangerous to deserialize, due to historically reported remote code execution attacks. We should instead switch to a whitelist, plus some categorical exemptions.
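
The description above contrasts a deny-list of known-bad classes with an allow-list plus categorical exemptions. The following is an added example written for this page, not code from Jenkins, Remoting or XStream: a standalone Java class holding one filter of each kind, run over a few constructed class names. The trusted package prefixes (`jenkins.`, `hudson.`), the whitelisted JDK types, the blacklisted gadget packages and the class name `com.example.NotYetReportedGadget` are illustrative assumptions. Jenkins' real filter lives in `jenkins.security.ClassFilterImpl` and `whitelisted-classes.txt` (paths that appear in the commits on this issue) and is not reproduced here.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example (not Jenkins code): a blacklist class filter next to a
 * whitelist-plus-categorical-exemptions filter, with constructed class
 * names run through both. All package prefixes and names are illustrative.
 */
public class ClassFilterDemo {

    /** Illustrative blacklist: gadget-chain packages already reported as exploitable. */
    private static final List<Pattern> BLACKLIST = Arrays.asList(
            Pattern.compile("^org\\.apache\\.commons\\.collections\\.functors\\..*"),
            Pattern.compile("^com\\.sun\\.jndi\\..*"));

    /** Blacklist semantics: everything not explicitly denied is allowed. */
    static boolean blacklistPermits(String name) {
        String elem = elementType(name);
        if (elem == null) {
            return true; // array of primitives, carries no code
        }
        for (Pattern p : BLACKLIST) {
            if (p.matcher(elem).matches()) {
                return false;
            }
        }
        return true; // a gadget class nobody has reported yet slips through here
    }

    /** Illustrative whitelist: JDK types the application genuinely needs to deserialize. */
    private static final Set<String> WHITELIST = new HashSet<>(Arrays.asList(
            "java.lang.String", "java.lang.Integer", "java.util.ArrayList", "java.util.HashMap"));

    /** Categorical exemption: first-party packages trusted by construction (illustrative prefixes). */
    private static final List<String> TRUSTED_PREFIXES = Arrays.asList("jenkins.", "hudson.");

    /** Whitelist semantics: everything not explicitly allowed is denied. */
    static boolean whitelistPermits(String name) {
        String elem = elementType(name);
        if (elem == null) {
            return true; // array of primitives, carries no code
        }
        if (WHITELIST.contains(elem)) {
            return true;
        }
        for (String prefix : TRUSTED_PREFIXES) {
            if (elem.startsWith(prefix)) {
                return true;
            }
        }
        return false; // default deny, which also covers classes not yet known to be dangerous
    }

    /**
     * Reduce a JVM class name to the element type it ultimately carries:
     * "[[Ljava.lang.String;" -> "java.lang.String"; "[I" -> null (primitive);
     * a plain binary name is returned unchanged.
     */
    static String elementType(String name) {
        String n = name;
        while (n.startsWith("[")) {
            n = n.substring(1);
        }
        if (n.length() == 1 && "ZBCDFIJS".indexOf(n.charAt(0)) >= 0) {
            return null;
        }
        if (n.startsWith("L") && n.endsWith(";")) {
            return n.substring(1, n.length() - 1);
        }
        return n;
    }

    public static void main(String[] args) {
        // Constructed sample input: a mix of benign, first-party, known-bad and unknown names.
        String[] samples = {
            "java.lang.String",
            "[Ljava.util.HashMap;",
            "[[I",
            "hudson.model.Result",
            "org.apache.commons.collections.functors.InvokerTransformer",
            "com.example.NotYetReportedGadget"
        };
        System.out.printf("%-62s %-9s %s%n", "class", "blacklist", "whitelist");
        for (String s : samples) {
            System.out.printf("%-62s %-9s %s%n", s, blacklistPermits(s), whitelistPermits(s));
        }
    }
}
```

Compile and run with `javac ClassFilterDemo.java && java ClassFilterDemo`. The row that matters is the last one: the blacklist permits `com.example.NotYetReportedGadget` because no one has added it yet, while the whitelist denies it because nothing has vouched for it. Primitive arrays pass both filters, and the known gadget package is denied by both, so switching to a whitelist changes only the default for the unknown case, which is the case an attacker brings.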

          Oleg Nenashev added a comment -

          I am going to convert it to EPIC so that we can track other action items separately

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          pom.xml
          http://jenkins-ci.org/commit/lib-jenkins-maven-embedder/fdf0ac0ce2fac2d706ddca98b06cd825cbdfe319
          Log:
          Merge pull request #15 from jglick/Jenkins-ClassFilter-Whitelisted

          JENKINS-47736 Jenkins-ClassFilter-Whitelisted

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          src/main/java/hudson/remoting/ClassFilter.java
          src/test/java/hudson/remoting/ClassFilterTest.java
          http://jenkins-ci.org/commit/remoting/1fda115f080dc3fc1063ca3496f49bb2853f380e
          Log:
          JENKINS-47736 Introduced ClassFilter.setDefault (#208)

          • JENKINS-47736 Introduced ClassFilter.setDefault.
          • Review comments from @oleg-nenashev.
          • JENKINS-47736 - Add some annotations, mostly to kick-off CI

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          core/src/main/java/hudson/util/XStream2.java
          core/src/main/java/jenkins/model/Jenkins.java
          core/src/main/java/jenkins/security/ClassFilterImpl.java
          core/src/main/java/jenkins/security/CustomClassFilter.java
          core/src/main/resources/jenkins/security/whitelisted-classes.txt
          pom.xml
          test/pom.xml
          test/src/test/groovy/hudson/cli/BuildCommandTest.groovy
          test/src/test/java/hudson/cli/BuildCommand2Test.java
          test/src/test/java/hudson/util/XStream2Security383Test.java
          test/src/test/java/jenkins/install/InstallUtilTest.java
          test/src/test/java/jenkins/install/SetupWizardTest.java
          test/src/test/java/jenkins/security/ClassFilterImplTest.java
          test/src/test/java/jenkins/security/CustomClassFilterTest.java
          test/src/test/java/jenkins/security/Security218CliTest.java
          test/src/test/java/jenkins/security/Security218Test.java
          test/src/test/resources/plugins/custom-class-filter.jpi
          http://jenkins-ci.org/commit/jenkins/903b4461d37170ccda49ce6637adf7cf4a261b93
          Log:
          JENKINS-47736 Switch Remoting/XStream blacklist to a whitelist.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          pom.xml
          http://jenkins-ci.org/commit/jenkins/29362a5b7b94ddfe0ead38c423c54c81bfced53d
          Log:
          JENKINS-47736 - Use the new snapshot: remoting-3.16-20171228.162243-1

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          pom.xml
          http://jenkins-ci.org/commit/jenkins/88e756de6fe6c3333658e6d4be6aad2323a63e09
          Log:
          JENKINS-47736 - Use the released version of Remoting 3.16

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          core/src/main/java/hudson/PluginManager.java
          core/src/main/java/hudson/util/XStream2.java
          core/src/main/java/jenkins/MasterToSlaveFileCallable.java
          core/src/main/java/jenkins/SlaveToMasterFileCallable.java
          core/src/main/java/jenkins/model/Jenkins.java
          core/src/main/java/jenkins/security/ClassFilterImpl.java
          core/src/main/java/jenkins/security/CustomClassFilter.java
          core/src/main/java/jenkins/security/MasterToSlaveCallable.java
          core/src/main/java/jenkins/security/SlaveToMasterCallable.java
          core/src/main/resources/jenkins/security/whitelisted-classes.txt
          pom.xml
          test/src/test/java/hudson/util/XStream2Security383Test.java
          test/src/test/java/jenkins/install/InstallUtilTest.java
          test/src/test/java/jenkins/install/SetupWizardTest.java
          test/src/test/java/jenkins/security/ClassFilterImplTest.java
          test/src/test/java/jenkins/security/CustomClassFilterTest.java
          test/src/test/java/jenkins/security/Security218CliTest.java
          test/src/test/java/jenkins/security/Security218Test.java
          test/src/test/resources/plugins/custom-class-filter.jpi
          http://jenkins-ci.org/commit/jenkins/cb4903c20e788f015f6210a965a2759009ff24f2
          Log:
          [JEP-200] JENKINS-47736 Merged #3120: ClassFilterImpl

          Jesse Glick added a comment -

          Merged toward 2.102.

          Jesse Glick added a comment - edited

          (Note: all epic children have been lost after spurious change of issue type by @remaincalm which it seems impossible to atomically undo. No obvious record remains of which these were. Of those to which I was subscribed: JENKINS-49016 JENKINS-49070 JENKINS-49089 INFRA-1461 JENKINS-49377 JENKINS-48932 JENKINS-49025 JENKINS-48991 JENKINS-49715)

          Mark Waite added a comment -

          I connected the tickets that were disconnected based on the history links. May not be all of them, but all that I saw in history.
