JENKINS-47736

JEP-200: Switch Remoting/XStream blacklist to a whitelist

    Details

    • Epic Name:
      JEP-200: Switch Remoting/XStream blacklist to a whitelist
      Description

      Currently Remoting and XStream2 share a blacklist of classes thought to be dangerous to deserialize, due to historically reported remote code execution attacks. We should instead switch to a whitelist, plus some categorical exemptions.
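      The policy change the description proposes, as an added illustration: a small Python model (not Jenkins code, and not the `hudson.remoting.ClassFilter` API) that runs one constructed set of class names through a fail-open blacklist and then through a fail-closed whitelist with categorical exemptions. The class names, the origin labels, the array rule and the exemption rules are assumptions made for this example; only the `Jenkins-ClassFilter-Whitelisted` manifest attribute and the `whitelisted-classes.txt` resource named in the commits on this page are Jenkins's own.

```python
"""Added illustration of the policy change in the issue description: a
deny-list (blacklist) of known-dangerous classes versus an allow-list
(whitelist) plus categorical exemptions.  This is not Jenkins code.  The
class names, origins and exemption rules are assumptions made for the
example; only the Jenkins-ClassFilter-Whitelisted manifest attribute and the
whitelisted-classes.txt resource are taken from the issue itself."""

from dataclasses import dataclass

PRIMITIVES = {"boolean", "byte", "char", "short", "int", "long", "float", "double"}
# JVM array descriptors: "[I" is int[], "[Lfoo.Bar;" is foo.Bar[]
DESCRIPTOR_TO_PRIMITIVE = {"Z": "boolean", "B": "byte", "C": "char", "S": "short",
                           "I": "int", "J": "long", "F": "float", "D": "double"}


def component_type(name: str) -> str:
    """Strip array dimensions: "[[Lfoo.Bar;" -> "foo.Bar", "[I" -> "int"."""
    inner = name.lstrip("[")
    if inner.startswith("L") and inner.endswith(";"):
        return inner[1:-1]
    return DESCRIPTOR_TO_PRIMITIVE.get(inner, inner)


@dataclass(frozen=True)
class ClassInfo:
    """What a filter can know about a class before deserializing it."""
    name: str
    origin: str                    # assumed: "jdk", "plugin" or "library"
    jar_whitelisted: bool = False  # assumed: manifest says Jenkins-ClassFilter-Whitelisted: true


class BlacklistFilter:
    """The old policy: fails open, anything not explicitly listed is accepted."""

    def __init__(self, blacklist):
        self.blacklist = frozenset(blacklist)

    def permits(self, info: ClassInfo) -> bool:
        return info.name not in self.blacklist


class WhitelistFilter:
    """The proposed policy: fails closed.  A class must be on the list or fall
    under a categorical exemption; the old blacklist is still honoured and
    always wins."""

    def __init__(self, whitelist, blacklist=()):
        self.whitelist = frozenset(whitelist)
        self.blacklist = frozenset(blacklist)

    def permits(self, info: ClassInfo) -> bool:
        name = info.name
        if name.startswith("["):
            # assumed rule: an array is judged by its component type, so a
            # gadget does not slip through just because it is wrapped in Foo[]
            name = component_type(name)
        if name in self.blacklist:
            return False
        if name in self.whitelist or name in PRIMITIVES:
            return True
        if info.origin == "plugin":       # assumed exemption: code Jenkins itself loaded
            return True
        if info.jar_whitelisted:          # assumed exemption: library opted in via manifest
            return True
        return False                      # unknown class: reject, do not guess


# Constructed sample input.  "KnownGadget" stands for a class on the old
# blacklist, "NewGadget" for a gadget found after the blacklist was written.
SAMPLE = (
    ClassInfo("org.example.gadgets.KnownGadget", "library"),
    ClassInfo("org.example.gadgets.NewGadget", "library"),
    ClassInfo("[Lorg.example.gadgets.KnownGadget;", "library"),
    ClassInfo("[I", "jdk"),
    ClassInfo("java.util.ArrayList", "jdk"),
    ClassInfo("org.jenkinsci.plugins.example.Step", "plugin"),
    ClassInfo("org.example.lib.Config", "library", jar_whitelisted=True),
)
OLD_BLACKLIST = {"org.example.gadgets.KnownGadget"}
WHITELIST = {"java.util.ArrayList"}   # stands in for whitelisted-classes.txt


def evaluate(flt, infos=SAMPLE):
    """Map each class name to the filter's decision."""
    return {i.name: flt.permits(i) for i in infos}


def compare(infos=SAMPLE):
    """Return (old decisions, new decisions) for the same input."""
    return (evaluate(BlacklistFilter(OLD_BLACKLIST), infos),
            evaluate(WhitelistFilter(WHITELIST, OLD_BLACKLIST), infos))


if __name__ == "__main__":
    old, new = compare()
    for name in old:
        print(f"{name:40} blacklist={old[name]!s:5} whitelist={new[name]!s:5}")
```

      The two cases worth watching are `NewGadget`, which the blacklist accepts because nobody had listed it yet and the whitelist rejects without anyone needing to know it exists, and `KnownGadget[]`, which a name-only blacklist lets through while a whitelist that judges arrays by component type does not.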

            Activity

            jglick Jesse Glick added a comment -

            I filed a JEP which should be referred to for all details.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            src/main/java/org/jenkinsci/plugins/registry/notification/webhook/dockerregistry/DockerRegistryWebHookPayload.java
            http://jenkins-ci.org/commit/dockerhub-notification-plugin/162947aa5d4267fbb25ea8528c4fcdf2186eb31e
            Log:
            JENKINS-47736 Unnecessary serialization of a JSONObject.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            src/main/java/org/jenkinsci/plugins/registry/notification/webhook/dockerregistry/DockerRegistryWebHookPayload.java
            http://jenkins-ci.org/commit/dockerhub-notification-plugin/9641b4f4d9d416119f9bc803a132994a9278340d
            Log:
            Merge pull request #16 from jglick/whitelist-JENKINS-47736

            JENKINS-47736 Unnecessary serialization of a JSONObject

            Compare: https://github.com/jenkinsci/dockerhub-notification-plugin/compare/59320217be7a...9641b4f4d9d4

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            jep/200/README.adoc
            http://jenkins-ci.org/commit/jep/feb7c55886d3ccf494537e1f35780b4166e699e1
            Log:
            DRAFT: JEP-200: Switch Remoting/XStream blacklist to a whitelist (#23)

            • JENKINS-47736 Draft JEP.
            • Changes from proofreading.
            • Some notes on testing, as newly required in #24.
            • Noting RemoteClassLoader rule.
            • Formatting for links
            • Replace plus with backtick
            • Assign JEP Number: 200

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            src/main/java/org/jvnet/hudson/test/MockQueueItemAuthenticator.java
            http://jenkins-ci.org/commit/jenkins-test-harness/3d9ebde50cf9dfcb297588f57d50905f8f94accc
            Log:
            JENKINS-47736 Do not even try to persist an Authentication.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            src/main/java/org/jvnet/hudson/test/MockQueueItemAuthenticator.java
            http://jenkins-ci.org/commit/jenkins-test-harness/0639913590297601158e9aca395c3461005357df
            Log:
            Merge pull request #81 from jglick/whitelist-JENKINS-47736

            JENKINS-47736 Do not even try to persist an Authentication

            Compare: https://github.com/jenkinsci/jenkins-test-harness/compare/52ef2fe2a457...063991359029

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            src/test/java/hudson/plugins/copyartifact/CopyArtifactTest.java
            http://jenkins-ci.org/commit/copyartifact-plugin/e225ab7c034eb424a59372d55ac020aca8fe762f
            Log:
            Avoid a warning under JENKINS-47736.

            oleg_nenashev Oleg Nenashev added a comment -

            I am going to convert it to EPIC so that we can track other action items separately

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Oleg Nenashev
            Path:
            pom.xml
            http://jenkins-ci.org/commit/lib-jenkins-maven-embedder/fdf0ac0ce2fac2d706ddca98b06cd825cbdfe319
            Log:
            Merge pull request #15 from jglick/Jenkins-ClassFilter-Whitelisted

            JENKINS-47736 Jenkins-ClassFilter-Whitelisted

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            src/main/java/hudson/remoting/ClassFilter.java
            src/test/java/hudson/remoting/ClassFilterTest.java
            http://jenkins-ci.org/commit/remoting/1fda115f080dc3fc1063ca3496f49bb2853f380e
            Log:
            JENKINS-47736 Introduced ClassFilter.setDefault (#208)

            • JENKINS-47736 Introduced ClassFilter.setDefault.
            • Review comments from @oleg-nenashev.
            • JENKINS-47736 - Add some annotations, mostly to kick-off CI

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            core/src/main/java/hudson/util/XStream2.java
            core/src/main/java/jenkins/model/Jenkins.java
            core/src/main/java/jenkins/security/ClassFilterImpl.java
            core/src/main/java/jenkins/security/CustomClassFilter.java
            core/src/main/resources/jenkins/security/whitelisted-classes.txt
            pom.xml
            test/pom.xml
            test/src/test/groovy/hudson/cli/BuildCommandTest.groovy
            test/src/test/java/hudson/cli/BuildCommand2Test.java
            test/src/test/java/hudson/util/XStream2Security383Test.java
            test/src/test/java/jenkins/install/InstallUtilTest.java
            test/src/test/java/jenkins/install/SetupWizardTest.java
            test/src/test/java/jenkins/security/ClassFilterImplTest.java
            test/src/test/java/jenkins/security/CustomClassFilterTest.java
            test/src/test/java/jenkins/security/Security218CliTest.java
            test/src/test/java/jenkins/security/Security218Test.java
            test/src/test/resources/plugins/custom-class-filter.jpi
            http://jenkins-ci.org/commit/jenkins/903b4461d37170ccda49ce6637adf7cf4a261b93
            Log:
            JENKINS-47736 Switch Remoting/XStream blacklist to a whitelist.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Oleg Nenashev
            Path:
            pom.xml
            http://jenkins-ci.org/commit/jenkins/29362a5b7b94ddfe0ead38c423c54c81bfced53d
            Log:
            JENKINS-47736 - Use the new snapshot: remoting-3.16-20171228.162243-1

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Oleg Nenashev
            Path:
            pom.xml
            http://jenkins-ci.org/commit/jenkins/88e756de6fe6c3333658e6d4be6aad2323a63e09
            Log:
            JENKINS-47736 - Use the released version of Remoting 3.16

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            core/src/main/java/hudson/PluginManager.java
            core/src/main/java/hudson/util/XStream2.java
            core/src/main/java/jenkins/MasterToSlaveFileCallable.java
            core/src/main/java/jenkins/SlaveToMasterFileCallable.java
            core/src/main/java/jenkins/model/Jenkins.java
            core/src/main/java/jenkins/security/ClassFilterImpl.java
            core/src/main/java/jenkins/security/CustomClassFilter.java
            core/src/main/java/jenkins/security/MasterToSlaveCallable.java
            core/src/main/java/jenkins/security/SlaveToMasterCallable.java
            core/src/main/resources/jenkins/security/whitelisted-classes.txt
            pom.xml
            test/src/test/java/hudson/util/XStream2Security383Test.java
            test/src/test/java/jenkins/install/InstallUtilTest.java
            test/src/test/java/jenkins/install/SetupWizardTest.java
            test/src/test/java/jenkins/security/ClassFilterImplTest.java
            test/src/test/java/jenkins/security/CustomClassFilterTest.java
            test/src/test/java/jenkins/security/Security218CliTest.java
            test/src/test/java/jenkins/security/Security218Test.java
            test/src/test/resources/plugins/custom-class-filter.jpi
            http://jenkins-ci.org/commit/jenkins/cb4903c20e788f015f6210a965a2759009ff24f2
            Log:
            [JEP-200] JENKINS-47736 Merged #3120: ClassFilterImpl

            jglick Jesse Glick added a comment -

            Merged toward 2.102.


              People

              • Assignee:
                jglick Jesse Glick
                Reporter:
                jglick Jesse Glick
              • Votes:
                1
                Watchers:
                4
