
Ability to disable script console

      Description

      The administrative script console allows very broad access to Jenkins, and this has been a source of vulnerabilities in the past, e.g.
      https://www.rapid7.com/db/modules/exploit/multi/http/jenkins_script_console
      https://duckduckgo.com/?q=jenkins+script+console+java+execution&ia=web

      My team never uses this feature, and we'd like to reduce our attack surface by disabling the console completely, preferably from the system-level Jenkins config (/etc/sysconfig/jenkins on Linux). Is there an existing undocumented option for that? If not, will it be possible to add such an option?

      We do have mandatory auth and access control, but still would like to disable this feature.

Activity

            oleg_nenashev Oleg Nenashev added a comment -

Theoretically it should be enough to disable the Jenkins.RUN_SCRIPTS permission in the Authorization strategy, which does block permission inheritance. It would also block the groovy script CLI command.

            BTW I'm not sure which strategy provides such functionality

            danielbeck Daniel Beck added a comment -

            this has been a source of vulnerabilities in the past

            The CSRF protection option has existed for years and will have prevented those. Since Jenkins 2, it's enabled by default.

            danielbeck Daniel Beck added a comment -

            Probably a case of moving these scripting capabilities to a plugin. I think there's already an issue for it.

            dskrvk Dmitry Erastov added a comment -

            My original point was that even though the individual vulnerabilities or even vulnerability classes have been since fixed, the console still provides very broad privileges on the local Jenkins installation (and potentially local system, if the run-as user is misconfigured). If a particular team doesn't use the console, why should they have this potential security risk?

            danielbeck Daniel Beck added a comment -

            Pretty much a duplicate of JENKINS-29068 as a plugin can be disabled to remove its functionality.

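Whichever of the options discussed above is taken (denying RUN_SCRIPTS, relying on CSRF protection, or disabling a plugin), a defender still wants to see when the script console endpoints are hit at all. The following is an added example, not code from the issue or from Jenkins itself: it parses constructed Jenkins access-log lines (assumed to be in NCSA combined format) and separates successful console executions from denied attempts.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample access log in NCSA "combined" layout, which Jenkins
# writes when started with --simpleAccessLogger.format=combined (assumption:
# adjust LOG_RE if your deployment logs in another format).
SAMPLE_LOG = """\
10.0.0.5 - alice [09/Jun/2016:10:12:01 +0000] "GET /job/build-all/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - bob [09/Jun/2016:10:13:44 +0000] "GET /script HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - bob [09/Jun/2016:10:13:59 +0000] "POST /script HTTP/1.1" 200 2100 "http://ci/script" "Mozilla/5.0"
10.0.0.9 - - [09/Jun/2016:10:14:02 +0000] "POST /scriptText HTTP/1.1" 403 120 "-" "python-requests/2.9"
10.0.0.7 - bob [09/Jun/2016:10:15:10 +0000] "POST /computer/linux-agent/script HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.5 - alice [09/Jun/2016:10:16:00 +0000] "GET /scripts/foo.js HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Script console URLs: the console page and its non-browser variant (/script,
# /scriptText; newer releases also serve them under /manage/) and the per-agent
# console (/computer/<name>/script). Anchored so /scripts/foo.js does not match.
CONSOLE_RE = re.compile(
    r'^(?:(?:/manage)?/script(?:Text)?|/computer/[^/]+/script)(?:\?.*)?$'
)

def parse_line(line: str) -> Optional[Dict[str, object]]:
    """One log line -> fields, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["status"] = int(m.group("status"))
    return rec

def find_console_access(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Every request, allowed or denied, that targeted a script console URL.
    A 403 is what a denied Jenkins.RUN_SCRIPTS looks like in the log and is
    still worth an alert: someone or something tried."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and CONSOLE_RE.match(str(rec["path"])):
            hits.append(rec)
    return hits

def script_executions(hits: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Successful POSTs are actual Groovy executions, not just page views."""
    return [h for h in hits if h["method"] == "POST" and h["status"] == 200]
```

On the sample above this reports four console requests, of which two (both by bob) are successful executions; the denied /scriptText POST from an unauthenticated client is exactly the kind of event the RUN_SCRIPTS denial is meant to produce.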

People

Assignee: Unassigned
Reporter: dskrvk Dmitry Erastov