  1. Jenkins
  2. JENKINS-24399

Modifying files in class directories can bypass approval in script-security (or class directories are accepted as classpaths)

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Component/s: script-security-plugin
    • Labels:
      None
    • Environment:
      Jenkins 1.509.4, script-security 1.5, Java 1.7.0_45, Windows 8 (64bit)

      Description

      • script-security 1.5 introduced "Additional classpath".
      • Those classpaths require administrators' approval.
      • Class directories are valid for "Additional classpath".
      • Once class directories are approved, adding or replacing files in subdirectories of those class directories no longer requires approval.
      • This should allow users to use classes that administrators don't want to allow.

      Possible resolution:

      • Don't allow class directories for "Additional classpath"
        • This doesn't cause critical regressions as it is easy to create a jar file from class directories.
      • When a class directory is specified, check all files in the class directory.
      • Leave this as a limitation.

      I'll add a test and send a pull request to see this behavior.
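
The second resolution option above ("check all files in the class directory") can be pictured as a content digest over the whole directory tree. This is an added example, not code from script-security or from the reporter; the class name `ClassDirDigest`, its methods, and the sample files are hypothetical.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.MessageDigest;
import java.util.*;
import java.util.stream.*;

public class ClassDirDigest {
    // Hypothetical helper: SHA-256 over every regular file under root, keyed by relative path.
    static String digest(Path root) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        SortedMap<String, Path> files = new TreeMap<>();
        try (Stream<Path> walk = Files.walk(root)) {
            for (Path f : walk.filter(Files::isRegularFile).collect(Collectors.toList())) {
                // Normalize separators so the digest does not depend on the host OS.
                files.put(root.relativize(f).toString().replace('\\', '/'), f);
            }
        }
        for (Map.Entry<String, Path> e : files.entrySet()) {
            byte[] name = e.getKey().getBytes(StandardCharsets.UTF_8);
            byte[] body = Files.readAllBytes(e.getValue());
            // Length prefixes keep (name, content) boundaries unambiguous.
            md.update(ByteBuffer.allocate(4).putInt(name.length).array());
            md.update(name);
            md.update(ByteBuffer.allocate(4).putInt(body.length).array());
            md.update(body);
        }
        StringBuilder hex = new StringBuilder();
        for (byte b : md.digest()) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a temporary "class directory" containing one file.
        Path dir = Files.createTempDirectory("classes");
        Path pkg = Files.createDirectories(dir.resolve("org/example"));
        Files.write(pkg.resolve("Allowed.class"), new byte[] {1, 2, 3});
        String approved = digest(dir); // value recorded when the administrator approves

        // A file is added in a subdirectory after approval.
        Files.write(pkg.resolve("Added.class"), new byte[] {4, 5, 6});
        System.out.println("still approved after add:     " + approved.equals(digest(dir)));

        // An existing file is replaced after approval.
        Files.delete(pkg.resolve("Added.class"));
        Files.write(pkg.resolve("Allowed.class"), new byte[] {9, 9, 9});
        System.out.println("still approved after replace: " + approved.equals(digest(dir)));
    }
}
```

Both lines print `false`: an approval keyed on directory contents is invalidated by the add and by the replace. The digest has to be recomputed each time the classpath is used, and files can still change between that check and class loading, which a single jar file avoids.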

            People

            • Assignee: andresrc Andres Rodriguez
            • Reporter: ikedam ikedam