[JENKINS-9383] mitigate security issues - Jenkins Jira

XML

Word

Printable

Details

Type: Improvement
Status: Resolved (View Workflow)
Priority: Major
Resolution: Fixed
Component/s: groovy-postbuild-plugin
Labels:
None

Similar Issues:

Show

Description

The plugin is realy great, but because it exposes internal hudson objects to the enduser. Therefore we are not allowed to use it in our secure environment.

This issue could be mitigated by allowing the systemadminstrator (hudson admin) to disable the exposing of 'hudson', 'buil' and 'listener' references.

Attachments

Issue Links

is related to

JENKINS-15212 More flexible and effective security for Groovy Postbuild

Resolved

Activity

Ascending order - Click to sort in descending order

View 4 older comments

Daniel Beck added a comment - 2013-01-11 17:39

hudson.model.Hudson.instance.doQuietDown() works just fine, security or not.

Maybe take a look at how email-ext resolved ~~JENKINS-15213~~?

Daniel Beck added a comment - 2013-01-11 17:39 hudson.model.Hudson.instance.doQuietDown() works just fine, security or not. Maybe take a look at how email-ext resolved JENKINS-15213 ?

Jesse Glick added a comment - 2014-04-01 20:01

Closing since ~~JENKINS-15212~~ covers the ineffectiveness of the current solution.

Jesse Glick added a comment - 2014-04-01 20:01 Closing since JENKINS-15212 covers the ineffectiveness of the current solution.

Daniel Beck added a comment - 2014-04-01 20:03 - edited

(Edited: Too late, PR done)

Jesse: Note that 15212 also mentions the need for a more extensive API to make the plugin in a secured environment not just useable, but useful – too many basic action requires falling back to the manager. Maybe use this one for the sandboxing, and keep 15212 for the API changes?

Daniel Beck added a comment - 2014-04-01 20:03 - edited (Edited: Too late, PR done) Jesse: Note that 15212 also mentions the need for a more extensive API to make the plugin in a secured environment not just useable, but useful – too many basic action requires falling back to the manager. Maybe use this one for the sandboxing, and keep 15212 for the API changes?

Jesse Glick added a comment - 2014-04-01 20:16

The PR for ~~JENKINS-15212~~ does include whitelisting of the BadgeManager methods I felt were clearly safe. An individual admin can always manually whitelist others, or further plugin updates could include more whitelisted methods with reviewed semantics. Also a job developer can run the script outside the sandbox if the admin approves the whole script, which is less convenient but always available as a last resort.

Jesse Glick added a comment - 2014-04-01 20:16 The PR for JENKINS-15212 does include whitelisting of the BadgeManager methods I felt were clearly safe. An individual admin can always manually whitelist others, or further plugin updates could include more whitelisted methods with reviewed semantics. Also a job developer can run the script outside the sandbox if the admin approves the whole script, which is less convenient but always available as a last resort.

Daniel Beck added a comment - 2014-04-01 20:27

Right, forgot about the sandboxing being optional. Thanks for taking care of this issue!

Daniel Beck added a comment - 2014-04-01 20:27 Right, forgot about the sandboxing being optional. Thanks for taking care of this issue!

People

Assignee:: Stefan Wolf

Reporter:: Dominik Bartholdi

Votes:: 1 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2011-04-15 08:12

Updated:: 2014-04-01 20:27

Resolved:: 2014-04-01 20:01