  1. Jenkins
  2. JENKINS-15212

More flexible and effective security for Groovy Postbuild

      Description

      At the moment, Groovy Postbuild has a checkbox to enable or disable access to build, listener and hudson properties of the BadgeManager.

      Preventing access to these objects does not prevent access to Hudson via e.g. hudson.model.Hudson.instance, e.g. in the following Postbuild script:

      hudson.model.Hudson.instance.doQuietDown()
      

      So while Postbuild is nice and really useful, there is no way to run it in a secure way at the moment.

      Please improve the feasibility of using Groovy Postbuild in a security-conscious environment. A few suggestions:

      1. Copy Groovy Plugin's approach of separating Groovy and System Groovy build steps, making the latter only available for configuration to users with ADMINISTER privileges.

      2. Extend the API of BadgeManager. Something like build.keepLog() or build.setDescription(), or accessing a copy of the build variables map, is pretty harmless and can be exposed to any build.

      3. Run "unprivileged" postbuild scripts in a separate process, and evaluate the output/return value (passed e.g. as JSON) in the Hudson environment to set badges and perform other actions. Changes will happen only at the end of Postbuild execution, but that'd be a reasonable price to pay.
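
      Suggestion 3 from the description, sketched as an added example (not code from the plugin or from the reporter): the privileged side parses the unprivileged script's output as JSON data and applies only allow-listed actions through a narrow facade of the kind suggestion 2 describes. `BuildFacade`, `ResultApplier`, the action names and the sample output are hypothetical.

```groovy
import groovy.json.JsonSlurper

// Hypothetical narrow API in the spirit of suggestion 2: harmless build operations only.
class BuildFacade {
    String description
    boolean keepLog = false
    List<String> badges = []
}

class ResultApplier {
    // Allow-list: action name -> [exact parameter names, handler run on the privileged side].
    static final Map<String, List> ALLOWED = [
        setDescription: [['text'], { BuildFacade b, Map p -> b.description = p.text }],
        keepLog       : [[], { BuildFacade b, Map p -> b.keepLog = true }],
        addBadge      : [['icon', 'text'], { BuildFacade b, Map p -> b.badges << (p.icon + ':' + p.text) }]
    ]

    // Treats the child's output purely as data; returns the entries it refused to apply.
    static List<String> apply(String json, BuildFacade build) {
        def parsed = new JsonSlurper().parseText(json)
        if (!(parsed instanceof List)) {
            throw new IllegalArgumentException('expected a JSON array of actions')
        }
        List<String> rejected = []
        parsed.each { entry ->
            def spec = entry instanceof Map ? ALLOWED[entry.action as String] : null
            def params = (entry instanceof Map && entry.containsKey('params')) ? entry.params : [:]
            boolean ok = spec && params instanceof Map &&
                    params.keySet() == (spec[0] as Set) &&
                    params.values().every { it instanceof String && it.size() <= 200 }
            if (ok) { spec[1].call(build, params) } else { rejected << "$entry".toString() }
        }
        return rejected
    }
}

// Constructed sample of what an unprivileged script process might emit.
def childOutput = '''[
  {"action": "setDescription", "params": {"text": "smoke tests passed"}},
  {"action": "keepLog"},
  {"action": "doQuietDown"},
  {"action": "addBadge", "params": {"icon": "warning.gif", "text": 42}}
]'''
def build = new BuildFacade()
def rejected = ResultApplier.apply(childOutput, build)
assert build.description == 'smoke tests passed' && build.keepLog
assert build.badges.isEmpty() && rejected.size() == 2   // doQuietDown and the non-string badge
```

      Because the parent never evaluates anything the child sends, a request such as `doQuietDown` is just an unknown action name and is rejected rather than executed.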

            Activity

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            pom.xml
            src/main/java/org/jvnet/hudson/plugins/groovypostbuild/GroovyPostbuildDescriptor.java
            src/main/java/org/jvnet/hudson/plugins/groovypostbuild/GroovyPostbuildRecorder.java
            src/main/java/org/jvnet/hudson/plugins/groovypostbuild/GroovyPostbuildSummaryAction.java
            src/main/java/org/jvnet/hudson/plugins/groovypostbuild/GroovyScriptPath.java
            src/main/resources/org/jvnet/hudson/plugins/groovypostbuild/GroovyPostbuildRecorder/config.jelly
            src/main/resources/org/jvnet/hudson/plugins/groovypostbuild/GroovyPostbuildRecorder/global.jelly
            src/main/webapp/classpath-help.html
            src/main/webapp/help-enableGroovyPostBuildSecurity.html
            src/test/java/org/jvnet/hudson/plugins/groovypostbuild/GroovyPostbuildJenkinsRule.java
            src/test/java/org/jvnet/hudson/plugins/groovypostbuild/GroovyPostbuildRecorderTest.java
            http://jenkins-ci.org/commit/groovy-postbuild-plugin/00a39a3f1414665f746d58470274ec2a6d23526f
            Log:
            Merge pull request #11 from jglick/script-security

            [FIXED JENKINS-15212] Integrate with Script Security plugin

            Compare: https://github.com/jenkinsci/groovy-postbuild-plugin/compare/853e32dbad11...00a39a3f1414

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            pom.xml
            http://jenkins-ci.org/commit/groovy-postbuild-plugin/bd8493379c7979187eecf99da32ffefe23c589b7
            Log:
            JENKINS-15212 Added compatibleSinceVersion to display warnings that upgrading from 1.X requires reconfiguration.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            src/main/java/org/jvnet/hudson/plugins/groovypostbuild/GroovyPostbuildRecorder.java
            http://jenkins-ci.org/commit/groovy-postbuild-plugin/6846753d9d994c2c9a0fc654b9ffbce6c2991d6f
            Log:
            JENKINS-15212 removeBadge(s) whitelisted.


              People

              • Assignee:
                jglick Jesse Glick
                Reporter:
                danielbeck Daniel Beck
              • Votes:
                2
                Watchers:
                4
