Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-16980

build flow need sandboxing

    XMLWordPrintable

Details

    Description

      build flow allows to run arbitrary Groovy code as flow DSL. Can be used by a user with "Job.CONFIGURE" permission to kill the instance :

      b = build("someJob") 
      b.project.parent.doQuietDown()
      

      Attachments

        Activity

          need for https://github.com/kohsuke/groovy-sandbox
          also, as "b" in previous sample is a JobInvocation, not the actual Build object, could blacklist some methods to sanityze the DSL

          ndeloof Nicolas De Loof added a comment - need for https://github.com/kohsuke/groovy-sandbox also, as "b" in previous sample is a JobInvocation, not the actual Build object, could blacklist some methods to sanityze the DSL
          danielbeck Daniel Beck added a comment - Simple fix until a proper solution can be designed in https://github.com/jenkinsci/build-flow-plugin/pull/33 (Shameless ripoff of https://github.com/jenkinsci/envinject-plugin/commit/96a526963b53819828c3a58ad7ea25dd8bfba244 )

          Code changed in jenkins
          User: Daniel Beck
          Path:
          src/main/java/com/cloudbees/plugins/flow/BuildFlow.java
          src/main/resources/com/cloudbees/plugins/flow/BuildFlow/configure-entries.jelly
          http://jenkins-ci.org/commit/build-flow-plugin/12ef23ec8fd8df2666635cd7fd6e2ed8bd981a19
          Log:
          Temporary fix for JENKINS-16980, prevent users without RUN_SCRIPTS permission from editing Groovy DSL

          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Daniel Beck Path: src/main/java/com/cloudbees/plugins/flow/BuildFlow.java src/main/resources/com/cloudbees/plugins/flow/BuildFlow/configure-entries.jelly http://jenkins-ci.org/commit/build-flow-plugin/12ef23ec8fd8df2666635cd7fd6e2ed8bd981a19 Log: Temporary fix for JENKINS-16980 , prevent users without RUN_SCRIPTS permission from editing Groovy DSL
          emanuelez emanuelez added a comment - Will this help? https://github.com/jenkinsci/script-security-plugin
          jglick Jesse Glick added a comment -

          It could. I would not expect the integration to be easy in this case, because of Build Flow primitives which in turn require additional permission checks.

          jglick Jesse Glick added a comment - It could. I would not expect the integration to be easy in this case, because of Build Flow primitives which in turn require additional permission checks.

          People

            Unassigned Unassigned
            ndeloof Nicolas De Loof
            Votes:
            2 Vote for this issue
            Watchers:
            9 Start watching this issue

            Dates

              Created:
              Updated: