Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-22834

Administrator-approved classpath additions

    Details

    • Similar Issues:

      Description

      Since it is not recommended to allow users to add arbitrary classpath elements to scripts, there should be a facility to let administrators define trusted classpath additions (JARs outside of plugins) that users may elect to use from their scripts.

        Attachments

          Issue Links

            Activity

            jglick Jesse Glick created issue -
            jglick Jesse Glick made changes -
            Field Original Value New Value
            Link This issue is related to JENKINS-22835 [ JENKINS-22835 ]
            Hide
            ikedam ikedam added a comment -

            I also want a feature to approve plugins that can be accessed from groovy scripts.

            Show
            ikedam ikedam added a comment - I also want a feature to approve plugins that can be accessed from groovy scripts.
            Hide
            jglick Jesse Glick added a comment -

            I think there is no need for designated access to plugins; should suffice to use PluginManager.uberClassLoader as the default base classloader for scripts, and let particular plugin methods be whitelisted for the sandbox when it is appropriate.

            Show
            jglick Jesse Glick added a comment - I think there is no need for designated access to plugins; should suffice to use PluginManager.uberClassLoader as the default base classloader for scripts, and let particular plugin methods be whitelisted for the sandbox when it is appropriate.
            Hide
            ikedam ikedam added a comment -

            So you mean:

            • As jar files can be added by a non-administrator user, administrators want to control them via script-security-plugin.
            • Plugins are installed only by administrators and administrators already can control them.
            Show
            ikedam ikedam added a comment - So you mean: As jar files can be added by a non-administrator user, administrators want to control them via script-security-plugin. Plugins are installed only by administrators and administrators already can control them.
            Hide
            jglick Jesse Glick added a comment -

            Exactly.

            In the case of approved scripts, custom JARs pose a hypothetical risk, that using Groovy tricks they could be used to make a script do something very different from what it looks to be doing. No such attack should be possible just by depending on a plugin, unless of course the plugin were malicious—but we assume they are not, since if they were, they could already completely control Jenkins.

            In the case of the Groovy sandbox, you can trivially add @Whitelisted to anything in a custom JAR, as well as perhaps using the aforementioned Groovy tricks, so clearly an administrator would need to review the JAR. Plugins which whitelist their own methods are assumed to be doing so because those methods are in fact safe.

            Show
            jglick Jesse Glick added a comment - Exactly. In the case of approved scripts, custom JARs pose a hypothetical risk, that using Groovy tricks they could be used to make a script do something very different from what it looks to be doing. No such attack should be possible just by depending on a plugin, unless of course the plugin were malicious—but we assume they are not, since if they were, they could already completely control Jenkins. In the case of the Groovy sandbox, you can trivially add @Whitelisted to anything in a custom JAR, as well as perhaps using the aforementioned Groovy tricks, so clearly an administrator would need to review the JAR. Plugins which whitelist their own methods are assumed to be doing so because those methods are in fact safe.
            Show
            ikedam ikedam added a comment - Pull request https://github.com/jenkinsci/script-security-plugin/pull/1
            jglick Jesse Glick made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/AdditionalClasspath.java
            src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java
            src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/AdditionalClasspath/config.jelly
            src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript/config.jelly
            src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest.java
            src/test/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest/README.md
            http://jenkins-ci.org/commit/script-security-plugin/1bd2137f24d27a24083b021ed6432d04328edab4
            Log:
            JENKINS-22834 Add a feature to specify additional class paths.

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: ikedam Path: src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/AdditionalClasspath.java src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/AdditionalClasspath/config.jelly src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript/config.jelly src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest.java src/test/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest/README.md http://jenkins-ci.org/commit/script-security-plugin/1bd2137f24d27a24083b021ed6432d04328edab4 Log: JENKINS-22834 Add a feature to specify additional class paths.
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/AdditionalClasspath.java
            src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java
            src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java
            src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/UnapprovedClasspathException.java
            src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval/index.jelly
            http://jenkins-ci.org/commit/script-security-plugin/f02fb0de45f301c2d733ec7283ea18e7951247cc
            Log:
            [FIXED JENKINS-22834] Added feature for classpath approval.

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: ikedam Path: src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/AdditionalClasspath.java src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/UnapprovedClasspathException.java src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval/index.jelly http://jenkins-ci.org/commit/script-security-plugin/f02fb0de45f301c2d733ec7283ea18e7951247cc Log: [FIXED JENKINS-22834] Added feature for classpath approval.
            scm_issue_link SCM/JIRA link daemon made changes -
            Status In Progress [ 3 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java
            src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/AdditionalClasspath/config.jelly
            src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval/index.jelly
            http://jenkins-ci.org/commit/script-security-plugin/780459f7057cea7342a8c069b15c487b59ee9a0a
            Log:
            JENKINS-22834 Connect view with controller with ajax.

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: ikedam Path: src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/AdditionalClasspath/config.jelly src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval/index.jelly http://jenkins-ci.org/commit/script-security-plugin/780459f7057cea7342a8c069b15c487b59ee9a0a Log: JENKINS-22834 Connect view with controller with ajax.
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java
            src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval/index.jelly
            http://jenkins-ci.org/commit/script-security-plugin/662cab314c964c494e8825d9ea6c8bd2f4af772e
            Log:
            JENKINS-22834 Render classpaths with ajax.

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: ikedam Path: src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval/index.jelly http://jenkins-ci.org/commit/script-security-plugin/662cab314c964c494e8825d9ea6c8bd2f4af772e Log: JENKINS-22834 Render classpaths with ajax.
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java
            src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval/index.jelly
            http://jenkins-ci.org/commit/script-security-plugin/f66bf2061857365fc559c1af609304a1678b3f3e
            Log:
            JENKINS-22834 Allow delete an approved classpath.

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: ikedam Path: src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval/index.jelly http://jenkins-ci.org/commit/script-security-plugin/f66bf2061857365fc559c1af609304a1678b3f3e Log: JENKINS-22834 Allow delete an approved classpath.
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest.java
            http://jenkins-ci.org/commit/script-security-plugin/2cf0f0e2588db1c841883db32a2cecf8b5627582
            Log:
            JENKINS-22834 Updated tests to approve classpaths.

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: ikedam Path: src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest.java http://jenkins-ci.org/commit/script-security-plugin/2cf0f0e2588db1c841883db32a2cecf8b5627582 Log: JENKINS-22834 Updated tests to approve classpaths.
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest.java
            src/test/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest/script-security-plugin-testjar.jar
            src/test/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest/updated/script-security-plugin-testjar.jar
            http://jenkins-ci.org/commit/script-security-plugin/e78155e370e732c8066a0796d808db7ab8bcb16a
            Log:
            JENKINS-22834 Added tests for classpath identity.

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: ikedam Path: src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest.java src/test/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest/script-security-plugin-testjar.jar src/test/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest/updated/script-security-plugin-testjar.jar http://jenkins-ci.org/commit/script-security-plugin/e78155e370e732c8066a0796d808db7ab8bcb16a Log: JENKINS-22834 Added tests for classpath identity.
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/AdditionalClasspath.java
            src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java
            src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java
            src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/AdditionalClasspath/help-path.html
            src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/Messages.properties
            src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript/help-additionalClasspathList.html
            http://jenkins-ci.org/commit/script-security-plugin/c00383ed9c1be07ebb047250518846c33a486c26
            Log:
            JENKINS-22834 Added help texts and input validations.

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: ikedam Path: src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/AdditionalClasspath.java src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/AdditionalClasspath/help-path.html src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/Messages.properties src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript/help-additionalClasspathList.html http://jenkins-ci.org/commit/script-security-plugin/c00383ed9c1be07ebb047250518846c33a486c26 Log: JENKINS-22834 Added help texts and input validations.
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java
            src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest.java
            http://jenkins-ci.org/commit/script-security-plugin/e2b1cb9155bf14cef28b7f16ea63271614d3b05b
            Log:
            JENKINS-22834 Added tests for automatic approval.

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: ikedam Path: src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest.java http://jenkins-ci.org/commit/script-security-plugin/e2b1cb9155bf14cef28b7f16ea63271614d3b05b Log: JENKINS-22834 Added tests for automatic approval.
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java
            src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval/index.jelly
            src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApprovalTest.java
            http://jenkins-ci.org/commit/script-security-plugin/c2841deb05927bdd31aafabd0350c29031a6ecbc
            Log:
            JENKINS-22834 Added tests for classpaths handling in the scriptApproval page.

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: ikedam Path: src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval/index.jelly src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApprovalTest.java http://jenkins-ci.org/commit/script-security-plugin/c2841deb05927bdd31aafabd0350c29031a6ecbc Log: JENKINS-22834 Added tests for classpaths handling in the scriptApproval page.
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java
            src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest.java
            http://jenkins-ci.org/commit/script-security-plugin/51c74b6682d8e55acf29440f5404e1f21332e0a8
            Log:
            JENKINS-22834 Pareparation to merge. Revereted unrelated changes.

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: ikedam Path: src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest.java http://jenkins-ci.org/commit/script-security-plugin/51c74b6682d8e55acf29440f5404e1f21332e0a8 Log: JENKINS-22834 Pareparation to merge. Revereted unrelated changes.
            Hide
            jglick Jesse Glick added a comment -
            Show
            jglick Jesse Glick added a comment - Working on a variant in: https://github.com/jenkinsci/script-security-plugin/pull/2
            Hide
            jglick Jesse Glick added a comment -

            Not merged to master.

            Show
            jglick Jesse Glick added a comment - Not merged to master .
            jglick Jesse Glick made changes -
            Resolution Fixed [ 1 ]
            Status Resolved [ 5 ] Reopened [ 4 ]
            jglick Jesse Glick made changes -
            Status Reopened [ 4 ] Open [ 1 ]
            jglick Jesse Glick made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java
            src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ApprovalListener.java
            src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntry.java
            src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java
            src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApprovalLink.java
            src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/UnapprovedClasspathException.java
            src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript/config.jelly
            src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript/help-classpath.html
            src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntry/config.jelly
            src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntry/help-path.html
            src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/Messages.properties
            src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval/index.jelly
            src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest.java
            src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntryTest.java
            src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApprovalTest.java
            src/test/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest/README.md
            src/test/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest/script-security-plugin-testjar.jar
            src/test/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest/updated/script-security-plugin-testjar.jar
            http://jenkins-ci.org/commit/script-security-plugin/5bc00e8bc41ed0980315fe25e97d81c0e038fa27
            Log:
            Merge pull request #2 from jenkinsci/classpath

            [FIXED JENKINS-22834] Support custom classpaths.

            Compare: https://github.com/jenkinsci/script-security-plugin/compare/ccd8c9282618...5bc00e8bc41e

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ApprovalListener.java src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntry.java src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApprovalLink.java src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/UnapprovedClasspathException.java src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript/config.jelly src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript/help-classpath.html src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntry/config.jelly src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntry/help-path.html src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/Messages.properties src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval/index.jelly src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest.java src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntryTest.java src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApprovalTest.java src/test/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest/README.md src/test/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest/script-security-plugin-testjar.jar src/test/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest/updated/script-security-plugin-testjar.jar http://jenkins-ci.org/commit/script-security-plugin/5bc00e8bc41ed0980315fe25e97d81c0e038fa27 Log: Merge pull request #2 from jenkinsci/classpath [FIXED JENKINS-22834] Support custom classpaths. Compare: https://github.com/jenkinsci/script-security-plugin/compare/ccd8c9282618...5bc00e8bc41e
            scm_issue_link SCM/JIRA link daemon made changes -
            Status In Progress [ 3 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 154962 ] JNJira + In-Review [ 195096 ]

              People

              • Assignee:
                jglick Jesse Glick
                Reporter:
                jglick Jesse Glick
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: