
JEP-200: Switch Remoting/XStream blacklist to a whitelist

Currently Remoting and XStream2 share a blacklist of classes thought to be dangerous to deserialize, due to historically reported remote code execution attacks. We should instead switch to a whitelist, plus some categorical exemptions.
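As an added illustration of the two models (not Jenkins' own ClassFilter code from the linked PRs), the snippet below contrasts a deny-list with an allow-list using XStream's built-in security API: `BuildRecord` and the `com.example.knownbad` package are placeholders, and the deny-list half assumes an XStream release older than 1.4.18, whose default permission set accepts any type not explicitly denied.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;
import java.util.Collection;

public class WhitelistDemo {
    // Hypothetical application type we actually intend to deserialize.
    public static class BuildRecord {
        String name;
        int number;
    }

    // Blacklist style: enumerate known-bad classes; anything unlisted is still accepted.
    // (Assumes an XStream release older than 1.4.18, whose default is permissive.)
    static XStream blacklist() {
        XStream xs = new XStream();
        xs.denyTypesByWildcard(new String[] {"com.example.knownbad.**"}); // placeholder package
        return xs;
    }

    // Whitelist style: start from "nothing is allowed", then add categorical exemptions
    // (null, primitives and their wrappers, collections) plus the concrete types we expect.
    static XStream whitelist() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypeHierarchy(Collection.class);
        xs.allowTypes(new Class[] {String.class, BuildRecord.class});
        return xs;
    }

    public static void main(String[] args) {
        BuildRecord r = new BuildRecord();
        r.name = "demo";
        r.number = 7;
        // An expected type round-trips under the whitelist.
        BuildRecord back = (BuildRecord) whitelist().fromXML(whitelist().toXML(r));
        System.out.println("round-trip: " + back.name + " #" + back.number);

        // Constructed document naming a harmless JDK class that is on neither list.
        String unlisted = "<java.lang.StringBuilder>hi</java.lang.StringBuilder>";
        System.out.println("blacklist accepts unlisted type: " + blacklist().fromXML(unlisted));
        try {
            whitelist().fromXML(unlisted);
        } catch (ForbiddenClassException e) {
            System.out.println("whitelist rejects unlisted type: " + e.getMessage());
        }
    }
}
```

The point of the contrast is that the deny-list must be kept current against every newly discovered gadget class, whereas the allow-list only ever has to name the types the application actually expects.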


          Jesse Glick created issue
          Jesse Glick made changes: Status: Open → In Progress
          Jesse Glick made changes: Remote Link: This issue links to "remoting PR 208 (Web Link)"
          Jesse Glick made changes: Remote Link: This issue links to "jenkins-test-harness PR 81 (Web Link)"
          Jesse Glick made changes: Remote Link: This issue links to "core PR 3120 (Web Link)"
          Jesse Glick made changes: Remote Link: This issue links to "dockerhub-notification PR 16 (Web Link)"

          Jesse Glick added a comment -

          I filed a JEP which should be referred to for all details.

          Jesse Glick made changes: Remote Link: This issue links to "Draft JEP (Web Link)"
          Jesse Glick made changes: Status: In Progress → In Review

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path: src/main/java/org/jenkinsci/plugins/registry/notification/webhook/dockerregistry/DockerRegistryWebHookPayload.java
          http://jenkins-ci.org/commit/dockerhub-notification-plugin/162947aa5d4267fbb25ea8528c4fcdf2186eb31e
          Log: JENKINS-47736 Unnecessary serialization of a JSONObject.
