Solved security problems in PostBuildScript Plugin


Solved security problems in PostBuildScript Plugin

Daniel Heid
Hi everyone,

I tried to fix the arbitrary code execution vulnerability in the PostBuildScript plugin by using the SecureGroovyScript recommendation (https://wiki.jenkins.io/display/JENKINS/Script+Security+Plugin).

You'll find the pull request here:

https://github.com/jenkinsci/postbuildscript-plugin/pull/15

If Gregory doesn't maintain the plugin any longer, I volunteer to adopt it. What do you think about that, Gregory?

My GitHub and jenkins.io IDs are both dheid

Kind regards

Daniel



--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/59d803a8-5d53-4296-9462-625499a30f9b%40email.android.com.
For more options, visit https://groups.google.com/d/optout.
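For readers who have not done this migration before, here is the before/after shape of the SecureGroovyScript change that the Script Security wiki page recommends. This is an added illustration, not code from the PostBuildScript plugin or from the pull request above. The class names, the `scriptText` field name and the `build`/`out` binding variables are assumptions for illustration; the Descriptor and config.jelly are omitted.

```java
// Added example, not the PostBuildScript plugin's own code. Class names,
// the scriptText field and the binding variables are assumptions.
package example;

import groovy.lang.Binding;
import groovy.lang.GroovyShell;
import hudson.Launcher;
import hudson.model.AbstractBuild;
import hudson.model.BuildListener;
import hudson.tasks.Builder;
import jenkins.model.Jenkins;
import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript;
import org.jenkinsci.plugins.scriptsecurity.scripts.ApprovalContext;
import org.jenkinsci.plugins.scriptsecurity.scripts.UnapprovedUsageException;
import org.kohsuke.stapler.DataBoundConstructor;

/**
 * BEFORE: the pattern that produces the arbitrary code execution issue.
 * The Groovy text is stored as a plain String and run through a plain
 * GroovyShell, so anyone with Job/Configure on a job that uses this step
 * gets code execution inside the Jenkins master JVM, with Jenkins' own
 * privileges (credentials, filesystem, every other job).
 */
class UnsafeGroovyStep extends Builder {
    private final String scriptText;

    @DataBoundConstructor
    public UnsafeGroovyStep(String scriptText) {
        this.scriptText = scriptText;
    }

    @Override
    public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener) {
        Binding binding = new Binding();
        binding.setVariable("build", build);
        binding.setVariable("out", listener.getLogger());
        // No sandbox and no approval: unrestricted execution on the master.
        new GroovyShell(Jenkins.getInstance().getPluginManager().uberClassLoader, binding)
                .evaluate(scriptText);
        return true;
    }
}

/**
 * AFTER: the Script Security pattern. The script is held as a
 * SecureGroovyScript. configuringWithKeyItem() either marks it as
 * sandboxed (whitelist-enforced, no approval needed) or registers it for
 * administrator approval, and evaluate() refuses anything that is neither.
 */
class SafeGroovyStep extends Builder {
    private SecureGroovyScript script;

    /** Legacy field, only read while migrating configs saved by the old version. */
    @Deprecated
    private String scriptText;

    @DataBoundConstructor
    public SafeGroovyStep(SecureGroovyScript script) {
        this.script = script.configuringWithKeyItem();
    }

    public SecureGroovyScript getScript() {
        return script;
    }

    /**
     * Migrate configs written by UnsafeGroovyStep. Pre-existing scripts are
     * deliberately NOT put in the sandbox (most would break), so they land
     * in the approval queue and stop running until an administrator looks
     * at them, instead of continuing to run unchecked.
     */
    private Object readResolve() {
        if (script == null && scriptText != null) {
            script = new SecureGroovyScript(scriptText, false, null)
                    .configuring(ApprovalContext.create());
            scriptText = null; // not written back to config.xml
        }
        return this;
    }

    @Override
    public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener) {
        Binding binding = new Binding();
        binding.setVariable("build", build);
        binding.setVariable("out", listener.getLogger());
        try {
            // Unapproved, unsandboxed script -> UnapprovedUsageException.
            // Sandboxed script calling a non-whitelisted method -> RejectedAccessException.
            script.evaluate(Jenkins.getInstance().getPluginManager().uberClassLoader, binding);
            return true;
        } catch (UnapprovedUsageException e) {
            listener.error("Post-build Groovy script is pending administrator approval: " + e.getMessage());
            return false;
        } catch (Exception e) {
            e.printStackTrace(listener.error("Post-build Groovy script failed"));
            return false;
        }
    }
}
```

The matching config.jelly binds the field with `<f:property field="script"/>`, so the script textarea, the "Use Groovy Sandbox" checkbox and the classpath entries come from Script Security's own form. Unsandboxed scripts show up under Manage Jenkins » In-process Script Approval until an administrator approves them. Note that this only covers the Groovy path; a separate shell-script feature in a plugin is a different execution path and is not addressed by SecureGroovyScript.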

Re: Solved security problems in PostBuildScript Plugin

Jesse Glick-4
On Fri, Oct 27, 2017 at 4:22 PM, Daniel Heid <[hidden email]> wrote:
> I tried to fix the arbitrary code execution vulnerability in the
> PostBuildScript plugin

Why not just use the Groovy Postbuild plugin, which has comparable
functionality (IIUC) but is long since secured, and better maintained?


Re: Solved security problems in PostBuildScript Plugin

Daniel Heid
Because there are users that simply want to execute shell scripts.


Re: Solved security problems in PostBuildScript Plugin

Daniel Beck
In reply to this post by Jesse Glick-4

> On 30. Oct 2017, at 15:59, Jesse Glick <[hidden email]> wrote:
>
> Why not just use the Groovy Postbuild plugin, which has comparable
> functionality (IIUC) but is long since secured, and better maintained?

Doesn't replace the regular 'shell' script feature of the plugin though.


Re: Solved security problems in PostBuildScript Plugin

Daniel Heid
And I volunteer to adopt the plugin and maintain it. I already solved three issues.

On 30.10.2017 7:10 PM, Daniel Beck <[hidden email]> wrote:


> On 30. Oct 2017, at 15:59, Jesse Glick <[hidden email]> wrote:
>
> Why not just use the Groovy Postbuild plugin, which has comparable
> functionality (IIUC) but is long since secured, and better maintained?

Doesn't replace the regular 'shell' script feature of the plugin though.


Re: Solved security problems in PostBuildScript Plugin

Daniel Heid
In reply to this post by Daniel Heid
Hello again,

Gregory hasn't answered yet. It seems like he hasn't maintained the plugin since 2015.

Since I'm using the plugin a lot (with shell scripts), I don't want it to be lost. Is it possible that someone at least merges my pull request? I'm still interested in maintaining the plugin.

Thank you very much in advance!

Kind regards

Daniel


On 30.10.2017 4:15 PM, Daniel Heid <[hidden email]> wrote:
Because there are users that simply want to execute shell scripts.


Re: Solved security problems in PostBuildScript Plugin

Patrick Pierson
I'd merge if I could. As one of the users who just wants to execute a shell script at the end of my build, I don't want to have to write Groovy to do so.

Jenkins team approved him so I can get builds working again please. 

On Thursday, November 2, 2017 at 3:50:34 AM UTC-4, Daniel Heid wrote:
Hello again,

Gregory hasn't answered yet. It seems like he hasn't maintained the plugin since 2015.

Since I'm using the plugin a lot (with shell scripts), I don't want it to be lost. Is it possible that someone at least merges my pull request? I'm still interested in maintaining the plugin.

Thank you very much in advance!

Kind regards

Daniel


On 30.10.2017 4:15 PM, Daniel Heid <[hidden email]> wrote:
Because there are users that simply want to execute shell scripts.


Re: Solved security problems in PostBuildScript Plugin

Daniel Beck
In reply to this post by Daniel Heid

> On 30. Oct 2017, at 19:32, Daniel Heid <[hidden email]> wrote:
>
> And I volunteer to adopt the plugin and maintain it. I already solved three issues.

Great! I responded in https://github.com/jenkinsci/postbuildscript-plugin/pull/15 what the next steps are. Sorry for the delay.


Re: Solved security problems in PostBuildScript Plugin

Daniel Heid
Many thanks! I added a Jenkinsfile and released a new version, 0.18, that includes the security fix and solves another bug. I also opened a pull request on the Job DSL plugin to remove the deprecations.

It would be very kind if you would merge https://github.com/jenkins-infra/backend-update-center2/pull/169 to remove the blacklisting. Thanks again!
