ANN: Potentially BREAKING changes: JEP-200 is about to land in the 2.102 weekly

ANN: Potentially BREAKING changes: JEP-200 is about to land in the 2.102 weekly

Oleg Nenashev

Dear plugin developers and maintainers,


Just in case you have not been following the JEP-200 threads, this change is going to land in the next weekly.

  • What? JEP-200 switches XStream/Remoting from Blacklist to Whitelist

  • Why? Security concerns about class deserialization. More info is in JEP-200 / Motivation

  • Why is it important? The change implies a high risk of regressions in plugins by design

  • Any particular cases? If you use classes from jar-packaged libraries in Remoting/XStream serialization, you likely have a problem. Classes in plugins are fine


Over the last weeks we have spent much time testing the change with the help of the Acceptance Test Harness and the Plugin Compat Tester. You can find summaries for the recent tests in this Google Doc. We have discovered and fixed many issues, but obviously we cannot verify all plugins.


Nevertheless, we (as a Security Team) want to release this change in weeklies in order to get it well tested before the next LTS cutoff. We will make sure that all communications are sent to users. Known issues will be tracked on this Wiki page. Jenkins admins will also get explicit error messages, which will point them to this page and to the blogpost with issue reporting guidelines (Pending PR). And of course, we will be tracking issue trackers in order to quickly resolve reported issues or to provide workarounds.


Patterns to be aware of...

  • Serialization over XStream:

    • java.lang.UnsupportedOperationException: Refusing to marshal ${CLASS} for security reasons; see https://jenkins.io/redirect/class-filter/

  • Serialization over Remoting:

    • WARNING    jenkins.security.ClassFilterImpl#lambda$isBlacklisted$1: ${CLASS} in JRE might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/


If you are interested in testing your plugin OR in testing the change on your test instances, please see the guidelines below:


How to test your plugin(s)?

  • Manual: Download the Jenkins WAR from here

  • Running functional tests:

    1. Checkout sources from https://github.com/jenkinsci/jenkins/pull/3120

    2. Install local snapshot of the core ("mvn clean install -DskipTests -Dfindbugs.skip=true" takes several minutes)

    3. Update Jenkins core requirement in your pom.xml or Gradle definition

      1. If you use Plugin POM 2.x, specify the "jenkins.version=2.102-SNAPSHOT" and then set the "java.level" property to "8"

      2. For Gradle and old plugin POMs more updates may be required. Your mileage may vary

    4. Run tests


Please do not hesitate to respond to this thread, we will process the questions with the highest priority.


Best regards,

Oleg Nenashev

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/b8acba5f-5efb-49e7-853e-c040a7bb2edd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: ANN: Potentially BREAKING changes: JEP-200 is about to land in the 2.102 weekly

Jesse Glick-4
On Thu, Jan 11, 2018 at 1:44 PM, Oleg Nenashev <[hidden email]> wrote:

> Serialization over XStream:
>
> java.lang.UnsupportedOperationException: Refusing to marshal ${CLASS} for
> security reasons; see https://jenkins.io/redirect/class-filter/
>
> Serialization over Remoting:
>
> WARNING    jenkins.security.ClassFilterImpl#lambda$isBlacklisted$1: ${CLASS}
> in JRE might be dangerous, so rejecting; see
> https://jenkins.io/redirect/class-filter/

To clarify, the latter log warning message is printed in any case
(whether triggered by XStream or Remoting), even if the exception is
caught and swallowed. The former message is an example of the detail
message from an exception thrown out of XStream. The corresponding
exception thrown out of Remoting is currently vaguer.

> Checkout sources from https://github.com/jenkinsci/jenkins/pull/3120

This has been merged, so for the period until the 2.102 weekly release
is cut, you would instead check out and merge from master.


Re: ANN: Potentially BREAKING changes: JEP-200 is about to land in the 2.102 weekly

Mark Waite-2
In reply to this post by Oleg Nenashev


On Thursday, January 11, 2018 at 11:44:09 AM UTC-7, Oleg Nenashev wrote:

Nevertheless, we (as a Security Team) want to release this change in weeklies in order to get it well tested before the next LTS cutoff. We will make sure that all communications are sent to users. Known issues will be tracked on this Wiki page (https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+fix+for+JEP-200). Jenkins admins will also get explicit error messages, which will point them to this page and to the blogpost with issue reporting guidelines (Pending PR: https://github.com/jenkins-infra/jenkins.io/pull/1293). And of course, we will be tracking issue trackers in order to quickly resolve reported issues or to provide workarounds.


Patterns to be aware of...

  • Serialization over XStream:

    • java.lang.UnsupportedOperationException: Refusing to marshal ${CLASS} for security reasons; see https://jenkins.io/redirect/class-filter/

  • Serialization over Remoting:

    • WARNING    jenkins.security.ClassFilterImpl#lambda$isBlacklisted$1: ${CLASS} in JRE might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/

 
Thanks for doing this.

I've downloaded the latest jenkins.war file from ci.jenkins.io/Core and installed it in my test environment as an upgrade from Jenkins 2.89.3-rc.  

Administrative monitor output appears at startup with the following information:

org.jenkinsci.plugins.workflow.job.WorkflowRunBugs - Individual Checks » JENKINS-43468-continuous-builds-if-pipeline-polling-enabled #1230
ConversionException: Refusing to unmarshal textBuilder for security reasons; see https://jenkins.io/redirect/class-filter/
---- Debugging information ----
class : java.lang.StringBuilder
required-type : java.lang.StringBuilder
converter-type : hudson.util.XStream2$BlacklistedTypesConverter
path : /flow-build/actions/org.jvnet.hudson.plugins.groovypostbuild.GroovyPostbuildSummaryAction/textBuilder
line number : 120
-------------------------------

I've not yet found a way to duplicate the problem in a separate configuration.  I'll continue investigating later today.

Mark Waite


Re: ANN: Potentially BREAKING changes: JEP-200 is about to land in the 2.102 weekly

Oleg Nenashev
Hi Mark,

Thanks for the report!
IIUC this is an issue in Groovy Postbuild plugin, working on a fix.

BR, Oleg

2018-01-13 14:31 GMT+01:00 Mark Waite <[hidden email]>:



Re: ANN: Potentially BREAKING changes: JEP-200 is about to land in the 2.102 weekly

Jesse Glick-4
In reply to this post by Mark Waite-2
More details may be in the system log.

Re: ANN: Potentially BREAKING changes: JEP-200 is about to land in the 2.102 weekly

Mark Waite-2
Added some system log entries to the bug report.  Thanks Oleg for writing the bug report.  I'll use bug reports if I find other cases.

Mark Waite

On Sat, Jan 13, 2018 at 10:46 AM Jesse Glick <[hidden email]> wrote:
More details may be in the system log.


Re: ANN: Potentially BREAKING changes: JEP-200 is about to land in the 2.102 weekly

Oleg Nenashev
I have created a pull request against the core, which fixes the plugin (and probably other plugins serializing StringBuilder/StringBuffer).

Meanwhile I see other plugins which are potentially impacted. Will keep the Wiki page up to date.


2018-01-13 18:57 GMT+01:00 Mark Waite <[hidden email]>: