Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-24399

Modifying files in class directories can bypass approval in script-security (or class directories are accepted as classpaths)


    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Major Major
    • script-security-plugin
    • None
    • Jenkins 1.509.4, script-security 1.5, Java 1.7.0_45, Windows 8 (64bit)

      • script-security 1.5 introduced "Additional classpath".
      • Those classpaths require administrators' approval.
      • Class directories are valid for "Additional classpath".
      • Once class directories are appoved, adding or replacing files in sub directories of those class directories no longer require approval.
      • This should allow users to use classes that administrators doesn't want to allow.

      Possible resolution:

      • Don't allow class directories for "Additional classpath"
        • This doesn't cause critical regressions as it is easy to create jar file from class directories.
      • When a class directory is specified, check all files in the class directory.
      • Leave this as a limitation.

      I'll add a test and send a pull request to see this behavior.

            andresrc Andres Rodriguez
            ikedam ikedam
            1 Vote for this issue
            6 Start watching this issue