      Description

      Build Flow allows running arbitrary Groovy code as flow DSL. This can be used by a user with "Job.CONFIGURE" permission to kill the instance:

      b = build("someJob") 
      b.project.parent.doQuietDown()
      

          Activity

          ndeloof Nicolas De Loof added a comment -

          need for https://github.com/kohsuke/groovy-sandbox
          also, as "b" in previous sample is a JobInvocation, not the actual Build object, could blacklist some methods to sanitize the DSL
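
An added example, not part of the original comment or of the plugin's code: a groovy-sandbox interceptor that limits what a flow script can reach from the invocation object, rejecting both `b.project` and its getter form. It assumes the groovy-sandbox jar is on the classpath; `FakeJenkins`, `FakeProject`, `FakeInvocation` and the `FlowGuard` policy are hypothetical stand-ins.

```groovy
import org.codehaus.groovy.control.CompilerConfiguration
import org.kohsuke.groovy.sandbox.GroovyInterceptor
import org.kohsuke.groovy.sandbox.SandboxTransformer

// Constructed stand-ins for the Jenkins objects named in the issue (not the real classes).
class FakeJenkins { boolean quiet = false; void doQuietDown() { quiet = true } }
class FakeProject { FakeJenkins parent }
class FakeInvocation { FakeProject project; String result = 'SUCCESS' }

// Hypothetical policy: the DSL may only read `result` from an invocation.
class FlowGuard extends GroovyInterceptor {
    static final Set<String> PROPS = ['result'] as Set
    static final Set<String> METHODS = ['getResult'] as Set
    private static void check(Object receiver, String name, Set<String> allowed) {
        if (receiver instanceof FakeInvocation && !allowed.contains(name)) {
            throw new SecurityException("flow DSL may not use FakeInvocation.${name}")
        }
    }

    @Override
    Object onGetProperty(GroovyInterceptor.Invoker invoker, Object receiver, String property) throws Throwable {
        check(receiver, property, PROPS)
        return super.onGetProperty(invoker, receiver, property)
    }

    @Override   // covers b.getProject(), the getter form of b.project
    Object onMethodCall(GroovyInterceptor.Invoker invoker, Object receiver, String method, Object... args) throws Throwable {
        check(receiver, method, METHODS)
        return super.onMethodCall(invoker, receiver, method, args)
    }
}

def jenkins = new FakeJenkins()
def binding = new Binding([b: new FakeInvocation(project: new FakeProject(parent: jenkins))])
def config = new CompilerConfiguration()
config.addCompilationCustomizers(new SandboxTransformer())   // routes script calls through the interceptor
def shell = new GroovyShell(binding, config)
def guard = new FlowGuard()
guard.register()   // active for the current thread only
try {
    assert shell.evaluate('b.result') == 'SUCCESS'
    ['b.project.parent.doQuietDown()', 'b.getProject().parent.doQuietDown()'].each { dsl ->
        try { shell.evaluate(dsl); assert false, "not blocked: ${dsl}" }
        catch (SecurityException expected) { /* rejected before reaching the Jenkins object */ }
    }
} finally {
    guard.unregister()
}
assert !jenkins.quiet
```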

          danielbeck Daniel Beck added a comment -

          Simple fix until a proper solution can be designed in https://github.com/jenkinsci/build-flow-plugin/pull/33 (Shameless ripoff of https://github.com/jenkinsci/envinject-plugin/commit/96a526963b53819828c3a58ad7ea25dd8bfba244)

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          src/main/java/com/cloudbees/plugins/flow/BuildFlow.java
          src/main/resources/com/cloudbees/plugins/flow/BuildFlow/configure-entries.jelly
          http://jenkins-ci.org/commit/build-flow-plugin/12ef23ec8fd8df2666635cd7fd6e2ed8bd981a19
          Log:
          Temporary fix for JENKINS-16980, prevent users without RUN_SCRIPTS permission from editing Groovy DSL

          emanuelez emanuelez added a comment -

          Will this help? https://github.com/jenkinsci/script-security-plugin

          jglick Jesse Glick added a comment -

          It could. I would not expect the integration to be easy in this case, because of Build Flow primitives which in turn require additional permission checks.


            People

            • Assignee: Unassigned
            • Reporter: ndeloof Nicolas De Loof
            • Votes: 2
            • Watchers: 9