Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-55778

Github branch source plugin builds untrusted builds during scan


      I have opened this as a Blocker given the security implications of it.

      In Projects->Behaviours->Discover pull requests from forks->Trust I have chosen the From users with Admin or Write permission strategy because I don't want PRs from users outside of those with Admin or Write permission to be able to run jobs on my Jenkins server, ever (well, frankly, I would like to be able to "approve" PRs from such but that's a different ticket).

      However, during a Repository Scan, PRs from users outside of the above group are being run:

           Checking pull request #28
          (not from a trusted source)
            ‘Jenkinsfile’ found
            Not mergeable, build likely to fail
          Met criteria
      Changes detected: PR-28 ([redacted1]+[redacted2] → [redacted1+[redacted3)
      Scheduled build for branch: PR-28

      The user that submitted that PR is neither an Admin nor has Write permission.  I do believe the permissions are being enforced at the time that updates are being pushed to the PR, but it seems that this Repository Scan is not applying the same permissions/restrictions.

            Unassigned Unassigned
            brianjmurrell Brian J Murrell
            0 Vote for this issue
            1 Start watching this issue