[JENKINS-66756] Allow wildcards or regular expressions in "safe parameters" configuration

    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Minor
    • Component: core

      See JENKINS-66755 for origins of the request.

      From my understanding, there might be parameters that produce auto-generated names of some predictable type that collide with the Jenkins safeParameter filter introduced with SECURITY-170 (https://www.jenkins.io/blog/2016/05/11/security-update/). It feels to me that in addition to a list of specific parameters to be allowed - ParametersAction.safeParameters=FOO,BAR_baz,quX - one could benefit from another option with a list of masks to allow - something like ParametersAction.safeParametersMasks=FOO-*,Bar-*-BAR - or even ParametersAction.safeParametersRegex=separator-\w{8}-\w{4}-\w{4}-\w{4}\w{12}|FOO-.* .

      I understand that this might theoretically introduce some other security issue, like "malicious plugin creates malicious separator-PWNDPWND-PWND-PWND-PWND-PWNDPWNDPWND" - but it feels much less disastrous than just shutting down all parameter checking via keepUndefinedParameters=true or ignoring the problem altogether via keepUndefinedParameters=false.
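Added example (not part of the issue and not Jenkins core code): a small Python model of the filter the description proposes, combining the existing exact-name list with a wildcard list and a regular expression, each matched against the whole parameter name. The property names, the exact list and the mask list are taken from the description; the parameter names are constructed, and the regex used here is a constructed variant of the one above with a hyphen before the final group, so that it matches the 8-4-4-4-12 shape of the separator-PWND... name the description itself gives. The block also shows the check a reviewer of such a feature would insist on: the regex must be anchored to the whole name, because an unanchored search for FOO-.* would accept any name that merely contains FOO-.

```python
"""Model of the 'safe parameters' allowlist proposed in JENKINS-66756.

Added example, not Jenkins code. It mirrors three hypothetical properties
from the issue description:
  ParametersAction.safeParameters      - exact names
  ParametersAction.safeParametersMasks - shell-style wildcards
  ParametersAction.safeParametersRegex - one regular expression
and drops every undeclared parameter whose name matches none of them.
"""
import fnmatch
import re

# Constructed regex in the 8-4-4-4-12 shape of the issue's separator-PWND
# example (the pattern in the description has no hyphen before the last group).
SAMPLE_REGEX = r"separator-\w{8}-\w{4}-\w{4}-\w{4}-\w{12}|FOO-.*"

# Constructed sample of undeclared parameters as a build might receive them.
SAMPLE_PARAMS = {
    "FOO": "1",                      # listed exactly in safeParameters
    "FOO-release": "2",              # matches mask FOO-*
    "Bar-nightly-BAR": "3",          # matches mask Bar-*-BAR
    "separator-0123abcd-ab12-cd34-ef56-0123456789ab": "4",  # matches the regex
    "separator-PWNDPWND-PWND-PWND-PWND-PWNDPWNDPWND": "5",  # also matches: the risk the issue accepts
    "evil-FOO-x": "6",               # contains FOO- but does not start with it
    "UNDECLARED": "7",               # matches nothing
}


def _split_list(value):
    """Split a comma-separated property value, ignoring empty entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


class SafeParameterFilter:
    def __init__(self, safe="", masks="", regex=""):
        self.exact = set(_split_list(safe))
        self.masks = _split_list(masks)
        self.regex = re.compile(regex) if regex else None

    def is_safe(self, name):
        """True if the name is allowed by the exact list, a mask or the regex."""
        if name in self.exact:
            return True
        # fnmatchcase matches the whole name and is case-sensitive, so the
        # mask "FOO-*" accepts "FOO-release" but not "foo-release" or "xFOO-y".
        if any(fnmatch.fnmatchcase(name, mask) for mask in self.masks):
            return True
        # fullmatch anchors the regex at both ends of the name.
        return self.regex is not None and self.regex.fullmatch(name) is not None

    def loosely_accepts(self, name):
        """What an unanchored search() would accept; shown only to illustrate the pitfall."""
        return self.regex is not None and self.regex.search(name) is not None

    def partition(self, params):
        """Split a parameter dict into (kept, dropped) by name."""
        kept, dropped = {}, {}
        for name, value in params.items():
            (kept if self.is_safe(name) else dropped)[name] = value
        return kept, dropped


if __name__ == "__main__":
    f = SafeParameterFilter(safe="FOO,BAR_baz,quX", masks="FOO-*,Bar-*-BAR", regex=SAMPLE_REGEX)
    kept, dropped = f.partition(SAMPLE_PARAMS)
    print("kept:   ", sorted(kept))
    print("dropped:", sorted(dropped))
    print("unanchored search would also accept evil-FOO-x:", f.loosely_accepts("evil-FOO-x"))
```

Running the block keeps the five names that match exactly, by mask or by regex and drops evil-FOO-x and UNDECLARED. The separator-PWND... name is kept as well, which is precisely the trade-off the description acknowledges: a regex admits every name of the configured shape, so the shape should be as narrow as the auto-generated names allow.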


          Artalus S. created issue -

            Assignee: Unassigned
            Reporter: Artalus S.