[JENKINS-53753] Misleading documentation for permissions - Jenkins Jira

XML

Word

Printable

Details

Type: Bug
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Component/s: github-branch-source-plugin
Labels:
- security
- triaged-2018-11

Similar Issues:

Show

Description

The plugin has an option to discover PRs from forks and only trust those with admin or write access. The documentation is misleading and makes it sound as thought this will block PRs from untrusted users from being built. Instead this causes the original Jenkinsfile to be used instead of the Jenkinsfile from the fork. Not only is the phrasing of the documentation misleading, it still allows for many vectors of attack such as changing a file that the original Jenkinsfile calls.

Attachments

Issue Links

relates to

JENKINS-53752 Block PRs from forks from untrusted users

Resolved

Activity

Hide

Permalink

Andrew Bayer added a comment - 2018-09-25 13:39

Yeah, "trust" isn't well explained - it means, as you said, that changes to the Jenkinsfile in an untrusted branch will not be used, and the docs do say that, but not clearly enough to establish that it just means that and not that untrusted PRs won't be built at all. I think this and ~~JENKINS-53752~~ should probably be addressed in tandem.

Show

Andrew Bayer added a comment - 2018-09-25 13:39 Yeah, "trust" isn't well explained - it means, as you said, that changes to the Jenkinsfile in an untrusted branch will not be used, and the docs do say that, but not clearly enough to establish that it just means that and not that untrusted PRs won't be built at all. I think this and JENKINS-53752 should probably be addressed in tandem.

People

Assignee:: Unassigned

Reporter:: Sam Schwarz

Votes:: 4 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2018-09-24 17:42

Updated:: 2018-11-19 15:57