JENKINS-25348

Multiple copies of groovy-sandbox jar compromises security

      Description

      XMLEscapingTemplateEngine compiles a script with uberClassLoader. When SandboxTransformer runs and generates all sorts of references to Checker.checkedCall(...) etc., these symbolic references are resolved against uberClassLoader.

      If another plugin happens to have groovy-sandbox.jar (like email-ext plugin does), then these calls will resolve against that, which means none of the interceptors will be invoked.

      The script security plugin needs to set a custom parent classloader so that references to groovy-sandbox will always be resolved to the one visible from script-security.
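
      An audit for the condition described above, added here as an example that is not part of the original issue or of either plugin's code: it scans a Jenkins plugins directory for `.hpi`/`.jpi` archives that bundle their own groovy-sandbox jar. The function names, sample archives and version numbers are constructed for illustration; it assumes bundled libraries sit under `WEB-INF/lib/` and does not inspect exploded plugin directories.

```python
import os
import re
import tempfile
import zipfile

# Assumption: a plugin archive keeps its bundled libraries under WEB-INF/lib/.
SANDBOX_JAR = re.compile(r"^WEB-INF/lib/(groovy-sandbox(-[^/]*)?\.jar)$")
OWNER = "script-security"  # plugin meant to provide the one canonical copy


def find_sandbox_copies(plugins_dir):
    """Map plugin short name -> bundled groovy-sandbox jar file names."""
    found = {}
    for entry in sorted(os.listdir(plugins_dir)):
        name, ext = os.path.splitext(entry)
        path = os.path.join(plugins_dir, entry)
        if ext not in (".hpi", ".jpi") or not zipfile.is_zipfile(path):
            continue
        with zipfile.ZipFile(path) as archive:
            jars = [m.group(1) for m in map(SANDBOX_JAR.match, archive.namelist()) if m]
        if jars:
            found[name] = jars
    return found


def stray_copies(found):
    """Plugins other than the owner that ship their own groovy-sandbox jar."""
    return {plugin: jars for plugin, jars in found.items() if plugin != OWNER}


def build_sample_plugins_dir(root):
    """Constructed sample data: three tiny plugin archives, made-up versions."""
    layout = {
        "script-security.jpi": ["WEB-INF/lib/groovy-sandbox-0.0.0.jar"],
        "email-ext.hpi": ["WEB-INF/lib/groovy-sandbox-0.0.1.jar", "WEB-INF/lib/mail.jar"],
        "other-plugin.jpi": ["WEB-INF/lib/unrelated.jar"],
    }
    for filename, members in layout.items():
        with zipfile.ZipFile(os.path.join(root, filename), "w") as archive:
            for member in members:
                archive.writestr(member, b"")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        found = find_sandbox_copies(build_sample_plugins_dir(tmp))
    for plugin, jars in stray_copies(found).items():
        print(f"{plugin}: bundles {', '.join(jars)}")
```

      Any plugin reported by `stray_copies` is a candidate for the shadowing described in this issue and should depend on script-security for the library instead of bundling it.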

          Activity

          jglick Jesse Glick added a comment -

          It is not this plugin which defines the parent class loader and creates a GroovyShell; it is its caller. (Unless you happen to be using the SecureGroovyScript convenience, but some callers do not.) https://github.com/search?q=GroovySandbox.createSecureCompilerConfiguration&type=Code

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          pom.xml
          http://jenkins-ci.org/commit/email-ext-plugin/985892a861802c5ad0accd3d8e93abfcc4e1f48d
          Log:
          JENKINS-25348

          Avoid having multiple copies of groovy-sandbox.jar in the Jenkins JVM,
          which compromises the security.

          I think it makes sense for the script-security plugin to own this
          library, so instead let's depend on that plugin to provide a canonical
          copy.

          There's still a separate fix that needs to happen in script-security
          plugin and its client plugins, but in the meantime this fix plugs the
          hole as email-ext-plugin is the only other plugin in the jenkinsci org
          that brings its own copy of groovy-sandbox

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java
          src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxResolvingClassLoader.java
          src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java
          src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest.java
          http://jenkins-ci.org/commit/script-security-plugin/492dca1da1842c0bd5f7e6ef9d75033a4a43b3eb
          Log:
          [FIXED JENKINS-25348]

          Added necessary additions.
          Now the clients of this plugin need to be modified to use this newly added method.

          kohsuke Kohsuke Kawaguchi added a comment -

          Released script security plugin v1.9 with this change.

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          cps/src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java
          pom.xml
          http://jenkins-ci.org/commit/workflow-plugin/ed56f117ca80b1b79cef01de80360d99f613990e
          Log:
          JENKINS-25348

          Use the new wrapper classloader to ensure groovy-sandbox resolves
          correctly.

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          cps/src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java
          http://jenkins-ci.org/commit/workflow-cps-plugin/eb4198853cf62b045ab81e917019e41779512eed
          Log:
          JENKINS-25348

          Use the new wrapper classloader to ensure groovy-sandbox resolves
          correctly.

          Originally-Committed-As: ed56f117ca80b1b79cef01de80360d99f613990e


            People

            • Assignee:
              kohsuke Kohsuke Kawaguchi
              Reporter:
              kohsuke Kohsuke Kawaguchi