JENKINS-28178: Option to disable sandbox in CpsScmFlowDefinition

      Description

      Currently CpsScmFlowDefinition enforces sandbox mode on the grounds that whole-script approval is unrealistic (an administrator would need to approve every SCM revision, and Jenkins cannot automatically approve revisions like it could from GUI changes to a CpsFlowDefinition by an administrator).

      There should however be an option to simply trust the script as it comes from the SCM. This could be checked by default if Jenkins were unsecured; for a secured Jenkins, the default should remain to use the sandbox, though you could switch to trusted mode with a stern warning in form validation explaining that you are responsible for auditing all changes to that SCM repository, and noting that attackers with SCM access could take over control of Jenkins in ways that might make auditing difficult. (For example, someone with push access to a Git repository could push a script which obtains the API token of a legitimate Jenkins administrator, mails it to the attacker, then deletes the current build record; and finally force-pushes the attacking script out of existence except via the reflog.)

      Pending such an option, the workaround is given by the tutorial here: define a CpsFlowDefinition with an approved script that checks out the SCM and uses load to run it. This has the same effect at the price of more awkward configuration.
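The workaround from the description, written out as an added illustration that is not part of this issue or of the Jenkins project's own code: an inline "Pipeline script" (CpsFlowDefinition) with the sandbox switched off and the script approved once by an administrator, which checks out the repository and then `load`s a file from it. The repository URL, branch and file path are placeholders.

```groovy
// Added example, not from the issue. Job type: "Pipeline script" (CpsFlowDefinition),
// "Use Groovy Sandbox" unchecked, script approved once by an administrator.
// Repository URL, branch and script path below are placeholders.
node {
    // Check out explicitly: the `scm` variable that a "Pipeline script from SCM"
    // job (CpsScmFlowDefinition) provides is not defined in an inline script.
    checkout([$class: 'GitSCM',
              branches: [[name: '*/main']],
              userRemoteConfigs: [[url: 'https://example.invalid/pipeline-scripts.git']]])

    // Log the exact revision being trusted. No per-revision approval happens here,
    // so this line plus the repository history is what an auditor has to go on.
    String rev = sh(script: 'git rev-parse HEAD', returnStdout: true).trim()
    echo "Running pipeline script from revision ${rev}"

    // load() compiles and runs the file under this job's script-security settings;
    // it returns whatever the file returns (here, the script object itself).
    def pipeline = load 'jenkins/pipeline.groovy'
    pipeline.run()
}

// Contents of jenkins/pipeline.groovy in the repository (placeholder path):
//
//   def run() {
//       stage('Build') { sh 'make' }
//       stage('Test')  { sh 'make check' }
//   }
//   return this   // so the caller receives an object exposing run()
```

Anyone with push access to that repository can change what the job executes on the next build, which is exactly the trade-off the description's warning text is meant to spell out.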

            Activity

            metametadata Yuri Govorushchenko added a comment - edited

            +1 for adding a feature to turn off the script security altogether. I spend a lot of time fighting with this even though everyone is admin on the team. "Permissive Script Security" plugin is not the best solution as it introduces its own bugs and doesn't help with "Script Security Plugin" related bugs, e.g. I've just stumbled upon JENKINS-37527.

            svanoort Sam Van Oort added a comment -

            I've opened a proposal to offer an audit mode as described in JENKINS-47392 to reduce the pain from the script approvals process. 

            Would some of the commenters in this thread like to hop on that and comment about how well that addresses pain points here?

            I'll also mention that the longer-term plan is probably to find better ways to secure Pipeline without resorting to Script Security (we have some options, but need to do some investigation still). 

            progovoy Pavel Rogovoy added a comment -

            +1 for adding a feature to turn off the script security altogether. I spend a lot of time fighting with this even though everyone is admin on the team. "Permissive Script Security" plugin is not the best solution as it doesn't work for us! I think this feature must be disabled altogether as it performs very awfully as of today.

            jonasatwork Jonas Jonsson added a comment -

            As a Jenkins-admin with quite a few system groovy scripts, I would like to white-list certain paths (that contain my version controlled scripts) as 100% secure, so that I (once the change has been submitted) can use the latest and most up-to-date version of my script immediately.

            May it be pipelines or groovy system scripts, if the Jenkins-admin approves the scripts (before they're executed), they should be allowed to run.

            jglick Jesse Glick added a comment -

            Better to use trusted libraries.


              People

              • Assignee: Unassigned
              • Reporter: jglick Jesse Glick
              • Votes: 87
              • Watchers: 92
