Details
- Type: Epic
- Status: Resolved
- Priority: Critical
- Resolution: Fixed
- JEP-200: Switch Remoting/XStream blacklist to a whitelist
Description
Currently Remoting and XStream2 share a blacklist of classes thought to be dangerous to deserialize, due to historically reported remote code execution attacks. We should instead switch to a whitelist, plus some categorical exemptions.
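As an added illustration of the whitelist-plus-categorical-exemptions approach described above (example code, not Jenkins' ClassFilterImpl or its whitelisted-classes.txt): a default-deny deserialization filter built on the JDK's own java.io.ObjectInputFilter (JDK 9+). The class names in WHITELIST and the com.example.model. package prefix are constructed for the demo; everything not explicitly trusted is refused before any object is instantiated, which is the property a blacklist cannot give.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Set;

/**
 * Illustrative allowlist-based deserialization filter. This is an added example
 * built on java.io.ObjectInputFilter; it is NOT Jenkins' ClassFilterImpl, only
 * the same idea: explicit whitelist plus a few categorical exemptions.
 */
public final class WhitelistFilterExample {

    // Explicit allowlist (constructed for this demo). Every non-exempt class in the
    // stream must be listed, including serializable superclasses: the JDK runs the
    // filter on each class descriptor, so java.lang.Number is needed for Integer.
    private static final Set<String> WHITELIST = Set.of(
            "java.util.ArrayList",
            "java.lang.Integer",
            "java.lang.Number");

    // Categorical exemption: a hypothetical package prefix trusted wholesale.
    private static final List<String> EXEMPT_PREFIXES = List.of("com.example.model.");

    /** Decide per class: allowed if whitelisted or categorically exempt, otherwise rejected. */
    static ObjectInputFilter whitelistFilter() {
        return info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                // Callback without a class (depth/reference limits): defer to JDK defaults.
                return ObjectInputFilter.Status.UNDECIDED;
            }
            while (c.isArray()) {
                c = c.getComponentType(); // judge an array by its element type
            }
            if (c.isPrimitive()) {
                return ObjectInputFilter.Status.ALLOWED; // int[], byte[] etc. carry no code
            }
            String name = c.getName();
            if (WHITELIST.contains(name)) {
                return ObjectInputFilter.Status.ALLOWED;
            }
            for (String prefix : EXEMPT_PREFIXES) {
                if (name.startsWith(prefix)) {
                    return ObjectInputFilter.Status.ALLOWED;
                }
            }
            // Default-deny: anything not explicitly trusted is refused before instantiation.
            return ObjectInputFilter.Status.REJECTED;
        };
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialize with the filter installed; a rejected class raises InvalidClassException. */
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(whitelistFilter());
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a list of integers, whose classes are all whitelisted.
        List<Integer> ok = new ArrayList<>(List.of(1, 2, 3));
        System.out.println("accepted: " + deserialize(serialize(ok)));

        // Constructed sample input: HashMap is not listed, so the filter refuses the stream.
        try {
            deserialize(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter is consulted for every class descriptor as it is read, so the refusal happens before the untrusted class is resolved into an instance. The practical cost is the one this epic's linked issues show: any legitimate class left off the list (or outside an exempt category) is rejected too, so the whitelist has to be maintained alongside the code that serializes.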
Attachments
Issue Links
- is blocked by
  - JENKINS-53613 Plugin affected by JEP-200 (Open)
  - JENKINS-53638 Maven Plugin Affected by JEP-200 (Open)
- is related to
  - JENKINS-49237 CPPNCSS Plugin fails with "WARNING: java.util.Calendar in JRE might be dangerous," (Resolved)
  - JENKINS-48963 UnsupportedOperationException: Refusing to marshal com.sonymobile.tools.gerrit.gerritevents.watchdog.WatchTimeExceptionData for security reasons (Resolved)
  - JENKINS-49089 UnsupportedOperationException: Refusing to marshal org.apache.maven.artifact.versioning.DefaultArtifactVersion for security reasons (Resolved)
  - JENKINS-41751 Groovy PowerAssertions don't show a useful message when being CPS transformed (Resolved)
  - JENKINS-49016 Android-lint plugin affected by JEP in 2.102 (Resolved)
  - JENKINS-49176 SimpleDateFormat is not whitelisted - JEP-200 (Resolved)
  - JENKINS-49573 Matrix Configuration Parameter Plugin is affected by JEP-200 (Closed)
  - JENKINS-50566 Google Compute Engine Plugin JEP-200 Class rejected (Closed)
  - JENKINS-50460 Builds marked as failed - Dr Memory plugin (JEP-200) (Closed)
  - JENKINS-49175 Job DSL Plugin violates whitelist (Closed)
  - JENKINS-49699 Doktor plugin affected by JEP-200 (Closed)
- relates to
  - JENKINS-48734 JEP-200 - Make PCT usable for testing plugin compatibility with unreleased Jenkins Cores (Resolved)
  - JENKINS-43875 Cleanup following SECURITY-429 (Resolved)
  - JENKINS-57796 Checkmarx affected by JEP-200 (Open)
  - JENKINS-49025 SecurityException: Rejected: java.lang.String$CaseInsensitiveComparator (Resolved)
  - JENKINS-49130 Sonar Quality Gates run fails after upgrade to Jenkins 2.102/2.103 (Resolved)
  - JENKINS-48965 Refusing to marshal java.util.Collections$SynchronizedRandomAccessList for security reasons (Resolved)
  - JENKINS-49586 JDepend plugin classes not in JEP-200 whitelist (Resolved)
  - JENKINS-51331 AuditTrail plugin incompatible with JEP-200 (Resolved)
  - JENKINS-47158 Warnings about workflow/*-parallel-synthetic.xml serializing WorkflowRun objects (Closed)
- links to
Code changed in jenkins
User: Jesse Glick
Path:
core/src/main/java/hudson/util/XStream2.java
core/src/main/java/jenkins/model/Jenkins.java
core/src/main/java/jenkins/security/ClassFilterImpl.java
core/src/main/java/jenkins/security/CustomClassFilter.java
core/src/main/resources/jenkins/security/whitelisted-classes.txt
pom.xml
test/pom.xml
test/src/test/groovy/hudson/cli/BuildCommandTest.groovy
test/src/test/java/hudson/cli/BuildCommand2Test.java
test/src/test/java/hudson/util/XStream2Security383Test.java
test/src/test/java/jenkins/install/InstallUtilTest.java
test/src/test/java/jenkins/install/SetupWizardTest.java
test/src/test/java/jenkins/security/ClassFilterImplTest.java
test/src/test/java/jenkins/security/CustomClassFilterTest.java
test/src/test/java/jenkins/security/Security218CliTest.java
test/src/test/java/jenkins/security/Security218Test.java
test/src/test/resources/plugins/custom-class-filter.jpi
http://jenkins-ci.org/commit/jenkins/903b4461d37170ccda49ce6637adf7cf4a261b93
Log:
JENKINS-47736 Switch Remoting/XStream blacklist to a whitelist.