Jenkins issue JENKINS-50990

Security exception in GitChangelogStep (JEP-200)


Description

Seems JEP-200 hit.

Pipeline fragment:

    def changes = gitChangelog returnType: 'CONTEXT',
        from: [type: 'REF', value: env.GERRIT_BRANCH /*env.GIT_PREVIOUS_COMMIT*/],
        to: [type: 'COMMIT', value: env.GERRIT_PATCHSET_REVISION /*env.GIT_COMMIT*/],
        // the \b word-boundary anchor is written as \\b inside a Groovy single-quoted
        // string; the issue tracker rendered the double backslash as a line break
        jira: [issuePattern: 'XXX-([0-9]+)\\b', password: '', server: '', username: '']

Output:

    java.lang.SecurityException: Rejected: se.bjurr.gitchangelog.api.model.Changelog; see https://jenkins.io/redirect/class-filter/
        at hudson.remoting.ClassFilter.check(ClassFilter.java:76)
        at hudson.remoting.MultiClassLoaderSerializer$Input.resolveClass(MultiClassLoaderSerializer.java:129)
        at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1859)
        at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1745)
        at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2033)
        at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1567)
        at java.io.ObjectInputStream.readObject(ObjectInputStream.java:427)
        at hudson.remoting.UserRequest.deserialize(UserRequest.java:277)
        at hudson.remoting.UserResponse.retrieve(UserRequest.java:310)
        at hudson.remoting.Channel.call(Channel.java:952)
    Caused: java.io.IOException: Failed to deserialize response to UserRequest:org.jenkinsci.plugins.gitchangelog.steps.GitChangelogStep$1$1@6c04f8e1
        at hudson.remoting.Channel.call(Channel.java:960)
        at hudson.FilePath.act(FilePath.java:1093)
        at org.jenkinsci.plugins.gitchangelog.steps.GitChangelogStep$1.run(GitChangelogStep.java:329)
        at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution$1$1.call(SynchronousNonBlockingStepExecution.java:49)
        at hudson.security.ACL.impersonate(ACL.java:290)
        at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution$1.run(SynchronousNonBlockingStepExecution.java:46)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
    Finished: FAILURE

Activity

oleg_nenashev Oleg Nenashev added a comment -

Yes, it is JEP-200. The library is hosted here: https://github.com/tomasbjerre/git-changelog-lib . All classes within https://github.com/tomasbjerre/git-changelog-lib/tree/master/src/main/java/se/bjurr/gitchangelog/api/model seem to be safe for serialization, so their whitelisting is likely a way to go.

I will add it to the wiki.

scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Tomas Bjerre
          Path:
          src/main/resources/META-INF/hudson.remoting.ClassFilter
          http://jenkins-ci.org/commit/git-changelog-plugin/3263104d3a46720909d44175bf9cea951167c6ad
          Log:
          JENKINS-50990 Adding ClassFilter for changelog

tomasbjerre Tomas Bjerre added a comment -

I just tried to reproduce this. Was not able to do so in 2.118. Not when running in Docker with the latest image and not with mvn hpi:run -Djenkins.version=2.118. I was able to create changelogs without problems in both cases.

          This: 

          https://jenkins.io/blog/2018/01/13/jep-200/

          Sounds like I need to add a hudson.remoting.ClassFilter like this:

          https://github.com/jenkinsci/git-changelog-plugin/blob/feature/JENKINS-50990/src/main/resources/META-INF/hudson.remoting.ClassFilter

          Oleg Nenashev Should I add the ClassFilter-file and make a release?


oleg_nenashev Oleg Nenashev added a comment -

Tomas Bjerre, in order to reproduce the issue, you should be running the plugin on an agent connected to the master over remoting (SSH slaves, JNLP agent, etc.).

Regarding the ClassFilter file, it should be fine. You do not need to whitelist interfaces though; they are whitelisted by default.

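One way to review a whitelist file of the kind discussed in the two comments above before it ships, as an added example that is not the git-changelog plugin's own code: it parses the format Jenkins reads for META-INF/hudson.remoting.ClassFilter (one fully qualified class name per line, blank lines and `#` comment lines ignored) and reports entries a reviewer would want to look at. The sample file content is constructed: only se.bjurr.gitchangelog.api.model.Changelog is taken from this issue, se.bjurr.gitchangelog.api.model.Commit and com.example.otherlib.Report are placeholders, and the package-scope check is this example's own review heuristic, not something Jenkins enforces.

```python
"""Sanity-check a Jenkins plugin's META-INF/hudson.remoting.ClassFilter whitelist.

Added example, not code from the git-changelog plugin. Under JEP-200 the master
rejects any class that is not whitelisted when it deserializes a remoting
response; a plugin whitelists its own serializable model classes with this file.
"""
import json
import re
from typing import Dict, List

# Fully qualified Java class name: one or more package segments, then the class.
# '$' is allowed inside a segment so nested classes (Outer$Inner) pass.
_FQCN_RE = re.compile(r"^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+$")

# Constructed sample of the resource file. Only ...Changelog comes from the
# issue; ...Commit and com.example.otherlib.Report are placeholders, and the
# last three entries are deliberately wrong to exercise the checks.
SAMPLE_CLASS_FILTER = """\
# META-INF/hudson.remoting.ClassFilter (constructed sample)
# Model objects the gitChangelog step returns from the agent over remoting.
se.bjurr.gitchangelog.api.model.Changelog
se.bjurr.gitchangelog.api.model.Commit

se.bjurr.gitchangelog.api.model.Changelog
se.bjurr.gitchangelog.api.model.Commit   trailing junk
com.example.otherlib.Report
"""


def parse_class_filter(text: str) -> List[str]:
    """Return the class names listed in a hudson.remoting.ClassFilter resource.

    Jenkins reads the file line by line: surrounding whitespace is trimmed,
    blank lines and lines starting with '#' are skipped, everything else is
    taken as one class name.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entries.append(line)
    return entries


def check_class_filter(text: str, plugin_package: str) -> Dict[str, List[str]]:
    """Group the whitelist entries into review buckets.

    malformed    - not a fully qualified class name; Jenkins would never match
                   it, so the step would still fail with the JEP-200 rejection.
    duplicate    - listed more than once (harmless, but a sign of sloppy edits).
    out_of_scope - outside the plugin's own package prefix; each such entry
                   widens the deserialization surface of every master that
                   installs the plugin and needs an explicit justification.
    ok           - entries that pass all of the above.
    """
    report: Dict[str, List[str]] = {
        "ok": [], "malformed": [], "duplicate": [], "out_of_scope": []
    }
    seen = set()
    prefix = plugin_package.rstrip(".") + "."
    for name in parse_class_filter(text):
        if not _FQCN_RE.match(name):
            report["malformed"].append(name)
            continue
        if name in seen:
            report["duplicate"].append(name)
            continue
        seen.add(name)
        if not name.startswith(prefix):
            report["out_of_scope"].append(name)
            continue
        report["ok"].append(name)
    return report


if __name__ == "__main__":
    result = check_class_filter(SAMPLE_CLASS_FILTER, "se.bjurr.gitchangelog.api.model")
    print(json.dumps(result, indent=2))
```

The check works on names only, so it cannot tell an interface from a class; the point made above, that interfaces need no entry because they are whitelisted by default, still has to be applied by looking at the types themselves. Malformed lines matter because a mistyped name silently leaves the class rejected, which is exactly the failure in the description.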
scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Tomas Bjerre
          Path:
          CHANGELOG.md
          docker-slave.sh
          run.sh
          src/main/resources/META-INF/hudson.remoting.ClassFilter
          http://jenkins-ci.org/commit/git-changelog-plugin/ce8bc9268fe79dcd49e2acad7b8ca05325cac410
          Log:
          JENKINS-50990 Adding ClassFilter for changelog

tomasbjerre Tomas Bjerre added a comment -

          Releasing a fix in 2.3 now.


          Sergey Egorov this will be available in the update site within a few hours.

egorse Sergey Egorov added a comment -

          Tomas Bjerre Thanks a lot! 2.3 works like a charm!

oleg_nenashev Oleg Nenashev added a comment -

Thanks Tomas Bjerre! Added it to https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+fix+for+JEP-200

People

Assignee: tomasbjerre Tomas Bjerre
Reporter: egorse Sergey Egorov
Votes: 0
Watchers: 4