The script-security plugin already has a blacklist of dangerous method signatures that admins should probably not approve. Methods in this blacklist provide an extra warning when they are being approved, but perhaps that warning is not severe enough, as I have heard multiple reports of users accidentally causing a denial of service attack on their Jenkins instance with a Pipeline that runs System.exit.
- Make methods which are very unlikely to have legitimate use cases even in an environment where only admins are writing sandboxed scripts unable to be approved, such as System.exit (could be opt-in or opt-out with a system property?).
- For RejectedAccessExceptions where isDangerous returns true, provide per-signature documentation on the issues, and require the user to re-type the method signature or wait 10 seconds before they can approve the signature in the hope that providing the user with a better understanding of the problems will keep them from approving these methods.
- Create an admin monitor that warns when blacklisted methods are in the approved list, and gives admins a one-click way to unapprove them. In this case, some kind of additional warning is also likely needed to prevent admins from breaking running jobs without realizing.
|Field||Original Value||New Value|
|Assignee||Andrew Bayer [ abayer ]|
|Summary||Make some methods in the Script Security blacklist unapprovable||Improve UX to prevent admins from approving blacklisted methods without understanding the impact|