The plugin has an option to discover PRs from forks and only trust those with admin or write access. The documentation is misleading and makes it sound as though this will block PRs from untrusted users from being built. Instead this causes the original Jenkinsfile to be used instead of the Jenkinsfile from the fork. Not only is the phrasing of the documentation misleading, it still allows for many vectors of attack such as changing a file that the original Jenkinsfile calls.
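The following declarative Jenkinsfile is an added illustration of the point made above; it is not code from the Jenkins project or from the issue reporter. It shows why trusting only the Jenkinsfile does not make a fork PR build trusted: any step that reads or executes files from the checked-out workspace runs the PR author's content, so the defensive measure is to run such builds on an isolated agent without credentials and to gate credential-bearing stages on the PR not coming from a fork. It assumes the `CHANGE_FORK` environment variable that Branch API sets for change requests originating from forks; the agent labels `untrusted-ephemeral` and `trusted`, the credentials id `deploy-token`, and the scripts `build.sh` and `deploy.sh` are placeholder names.

```groovy
// Added example, not part of the issue or the plugin's own code.
// Assumes a multibranch pipeline (GitHub Branch Source) where env.CHANGE_FORK
// is set for PRs from forks. Agent labels and credentials id are placeholders.
pipeline {
    agent none
    stages {
        stage('Build') {
            // The "trust" strategy only guarantees that THIS Jenkinsfile comes
            // from the base branch. The rest of the workspace is the fork's
            // content, so everything executed from it is untrusted.
            agent { label 'untrusted-ephemeral' }   // assumed: throwaway node, no secrets
            steps {
                checkout scm
                // The vector named in the issue: the trusted Jenkinsfile delegates
                // to a script that the fork controls. Building PR code means
                // running it; isolation and absence of credentials are the controls.
                sh './build.sh'
            }
        }
        stage('Deploy') {
            // Never expose credentials to a build of fork content.
            when {
                expression { env.CHANGE_FORK == null || env.CHANGE_FORK.isEmpty() }
            }
            agent { label 'trusted' }   // assumed label for credential-bearing work
            steps {
                checkout scm
                withCredentials([string(credentialsId: 'deploy-token', variable: 'TOKEN')]) {
                    sh './deploy.sh'
                }
            }
        }
    }
}
```

The `when` guard is the important line: it is evaluated from the trusted Jenkinsfile against a variable the fork cannot set, so a PR from a fork never reaches the stage that binds `deploy-token`, regardless of what `build.sh` in the fork does.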

          [JENKINS-53753] Misleading documentation for permissions

Sam Schwarz created issue
Andrew Bayer made changes: Link, new: This issue relates to JENKINS-53752
Andrew Bayer made changes: Labels, original: security; new: security, triaged-2018-11
Jesse Glick made changes: Link, new: This issue relates to JENKINS-46795

Assignee: Unassigned
Reporter: Sam Schwarz (roguishmountain)
Votes: 4
Watchers: 7
