Jenkins / JENKINS-34650

Allow global libraries to bypass the sandbox

      Description

      Although you are required to have RUN_SCRIPTS to push anything to workflowLibs, the code is run under the same sandbox settings as the main Pipeline scripts. In the case of a Pipeline script using whole-script approval, it makes sense to be checking RUN_SCRIPTS for libraries. But in the case of Pipeline scripts configured to use the Groovy sandbox, the workflowLibs code is also run in the sandbox—a pointless restriction, since only a trusted user could have written that code. You would expect that the library code would be trusted and run in a privileged mode, so it could safely encapsulate otherwise unsafe method calls.
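
      What "safely encapsulate otherwise unsafe method calls" can look like in a trusted library, as an added example that is not code from this issue or from the Jenkins project. The file name `vars/controllerProperty.groovy`, the step name and the allowlist are assumptions made for illustration.

```groovy
// vars/controllerProperty.groovy -- hypothetical global variable in the trusted library.
// (File name, step name and allowlist are assumptions made for this example.)
import com.cloudbees.groovy.cps.NonCPS
import groovy.transform.Field

// The only system properties a sandboxed Pipeline may read through this wrapper.
@Field final Set<String> EXPOSED = ['java.version', 'os.name', 'file.encoding'] as Set

// Trusted library code is not sandbox-checked, so the caller's argument is the
// trust boundary: validate it before touching the unsafe API.
@NonCPS
String call(String name) {
    if (name == null || !EXPOSED.contains(name)) {
        throw new IllegalArgumentException("system property not exposed: ${name}")
    }
    // Calling System.getProperty directly from a sandboxed Jenkinsfile requires
    // script approval; here it runs with the library's privileges.
    return System.getProperty(name)
}

// Sandboxed Jenkinsfile using the wrapper:
//   echo controllerProperty('java.version')   // allowed: listed in EXPOSED
//   echo controllerProperty('user.home')      // fails: IllegalArgumentException
//   echo System.getProperty('user.home')      // rejected by the sandbox itself
```

      A wrapper that forwarded any property name would hand the unsandboxed call back to every Pipeline author, which is why the allowlist lives in the library rather than in the caller.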

            Activity

            jglick Jesse Glick created issue -
            jglick Jesse Glick added a comment -

            JENKINS-26538 requests the converse, in a sense: libraries that regular users could upload but which could not run unsafe methods.

            jglick Jesse Glick made changes -
            Field Original Value New Value
            Link This issue is related to JENKINS-26538 [ JENKINS-26538 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "PR 2 (Web Link)" [ 14275 ]
            jglick Jesse Glick made changes -
            Epic Link JENKINS-35391 [ 171184 ]
            kohsuke Kohsuke Kawaguchi added a comment -

            I'm going to work on this in the context of https://github.com/cloudbees/groovy-cps/pull/36

            kohsuke Kohsuke Kawaguchi made changes -
            Remote Link This issue links to "Groovy CPS change (Web Link)" [ 14658 ]
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 170820 ] JNJira + In-Review [ 184058 ]
            kohsuke Kohsuke Kawaguchi made changes -
            Remote Link This issue links to "workflow-cps-plugin PR #33 (Web Link)" [ 14662 ]
            kohsuke Kohsuke Kawaguchi added a comment -

            This is the entry point into this series of changes

            kohsuke Kohsuke Kawaguchi made changes -
            Remote Link This issue links to "workflow-cps-global-lib-plugin #8 (Web Link)" [ 14663 ]
            jglick Jesse Glick made changes -
            Link This issue relates to JENKINS-37011 [ JENKINS-37011 ]
            jglick Jesse Glick made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            jglick Jesse Glick made changes -
            Status In Progress [ 3 ] In Review [ 10005 ]
            jglick Jesse Glick made changes -
            Link This issue relates to JENKINS-31155 [ JENKINS-31155 ]
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            doc/classloader.md
            pom.xml
            src/main/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition.java
            src/main/java/org/jenkinsci/plugins/workflow/cps/CpsFlowExecution.java
            src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java
            src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShellFactory.java
            src/main/java/org/jenkinsci/plugins/workflow/cps/GroovyClassLoaderWhitelist.java
            src/main/java/org/jenkinsci/plugins/workflow/cps/GroovyShellDecorator.java
            src/main/java/org/jenkinsci/plugins/workflow/cps/SandboxContinuable.java
            src/test/java/org/jenkinsci/plugins/workflow/cps/CpsFlowExecutionTest.java
            src/test/resources/trusted/foo.groovy
            http://jenkins-ci.org/commit/workflow-cps-plugin/3a380e7b6905007f3612b57f67d1a2dcd67b9614
            Log:
            Merge pull request #33 from jenkinsci/trusted-classloader

            JENKINS-34650 Added a trusted classloader that runs CPS code outside sandbox

            Compare: https://github.com/jenkinsci/workflow-cps-plugin/compare/da3757932771...3a380e7b6905

            jglick Jesse Glick made changes -
            Status In Review [ 10005 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]
            abayer Andrew Bayer made changes -
            Component/s pipeline-general [ 21692 ]
            abayer Andrew Bayer made changes -
            Component/s workflow-plugin [ 18820 ]
            jglick Jesse Glick made changes -
            Link This issue is blocking JENKINS-32731 [ JENKINS-32731 ]
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            pom.xml
            src/main/java/org/jenkinsci/plugins/docker/workflow/DockerDSL.java
            src/main/java/org/jenkinsci/plugins/docker/workflow/ImageNameTokens.java
            http://jenkins-ci.org/commit/docker-workflow-plugin/abe4066b6b4eb1af3e922897add192df4e0294ef
            Log:
            JENKINS-32731 JENKINS-34650 Docker.groovy is already trusted.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            pom.xml
            src/main/java/org/jenkinsci/plugins/docker/workflow/DockerDSL.java
            src/main/java/org/jenkinsci/plugins/docker/workflow/ImageNameTokens.java
            src/main/resources/org/jenkinsci/plugins/docker/workflow/Docker.groovy
            http://jenkins-ci.org/commit/docker-workflow-plugin/223612bc8378cc3e02cc6fecee1416c5bd533af9
            Log:
            Merge pull request #75 from jglick/GlobalVariable-JENKINS-32731

            JENKINS-32731 JENKINS-34650 Docker.groovy is already trusted

            Compare: https://github.com/jenkinsci/docker-workflow-plugin/compare/1f5f9d0147c4...223612bc8378


              People

              • Assignee: kohsuke Kohsuke Kawaguchi
              • Reporter: jglick Jesse Glick
              • Votes: 0
              • Watchers: 7
