[JENKINS-50979] LoaderIO publisher persists PrintStream to the disk (JEP-200)

Type: Bug
Resolution: Unresolved
Priority: Minor
Component/s: loaderio-jenkins-plugin
Labels:
- JEP-200

Similar Issues:
Powered by SuggestiMate

Show

According to the code inspection, there is a JEP-200 issue in the plugin:

https://github.com/jenkinsci/loaderio-plugin/blob/987a638da8cfeda2f7cbe7bfab0d71ca920289bc/src/main/java/io/loader/jenkins/LoaderPublisher.java#L73

This code likely causes a JEP-200 security exception when the object gets persisted to the disk. "java.io.PrintStream" is not whitelisted in Jenkins for a reason, because loggers are not expected reliably after being deserialized from the disk.

Useful links about JEP-200:

Blog post for users: https://jenkins.io/blog/2018/03/15/jep-200-lts/
JEP-200 guidelines for plugin developers: https://jenkins.io/blog/2018/01/13/jep-200/#for-plugin-developers

Oleg Nenashev created issue - 2018-04-24 23:40

Oleg Nenashev made changes - 2018-04-24 23:40

Component/s		New: loaderio-jenkins [ 17658 ]
Component/s	Original: cloudcoreo-deploytime-plugin [ 23176 ]

Oleg Nenashev made changes - 2018-04-24 23:40

Summary

Original: LoderIO publisher persists PrintStream to the disk (JEP-200)

New: LoaderIO publisher persists PrintStream to the disk (JEP-200)

Oleg Nenashev made changes - 2018-04-24 23:40

Description

Original: According to the code inspection, there is a JEP-200 issue in the plugin:
* https://github.com/jenkinsci/cloudcoreo-deploytime-plugin/blob/4be75455a056a0fb80ad14cd544e608956775153/src/main/java/com/cloudcoreo/plugins/jenkins/CloudCoreoBuildWrapper.java#L36
* https://github.com/jenkinsci/cloudcoreo-deploytime-plugin/blob/4be75455a056a0fb80ad14cd544e608956775153/src/main/java/com/cloudcoreo/plugins/jenkins/CloudCoreoPublisher.java#L33

This code likely causes a JEP-200 security exception when the object gets persisted to the disk. "java.io.PrintStream" is not whitelisted in Jenkins for a reason, because loggers are not expected reliably after being deserialized from the disk.

Useful links about JEP-200:

* Blog post for users: https://jenkins.io/blog/2018/03/15/jep-200-lts/
* JEP-200 guidelines for plugin developers: https://jenkins.io/blog/2018/01/13/jep-200/#for-plugin-developers

New: According to the code inspection, there is a JEP-200 issue in the plugin:
* https://github.com/jenkinsci/loaderio-plugin/blob/987a638da8cfeda2f7cbe7bfab0d71ca920289bc/src/main/java/io/loader/jenkins/LoaderPublisher.java#L73

This code likely causes a JEP-200 security exception when the object gets persisted to the disk. "java.io.PrintStream" is not whitelisted in Jenkins for a reason, because loggers are not expected reliably after being deserialized from the disk.

Useful links about JEP-200:

* Blog post for users: https://jenkins.io/blog/2018/03/15/jep-200-lts/
* JEP-200 guidelines for plugin developers: https://jenkins.io/blog/2018/01/13/jep-200/#for-plugin-developers

Oleg Nenashev made changes - 2018-04-24 23:40

Assignee

Original: Andrew Armaneous [ armaneous ]

Assignee:: Unassigned

Reporter:: Oleg Nenashev

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2018-04-24 23:40

Updated:: 2018-04-24 23:40

Jenkins

Details

Description

Attachments

Activity

People

Dates