Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[JENKINS-40533] Allow definition of sandboxed libraries at global scope #129

Merged
merged 11 commits into from
Jun 17, 2024
Merged

[JENKINS-40533] Allow definition of sandboxed libraries at global scope #129

merged 11 commits into from
Jun 17, 2024

Conversation

Vlatombe
Copy link
Member

This lets users with Jenkins.MANAGE permission define untrusted global libraries.
They can be used in a similar way than folder libraries, except they are available globally.

Testing done

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests - that demonstrates feature works or fixes the issue

@Vlatombe Vlatombe requested a review from a team as a code owner June 14, 2024 12:23
@jglick jglick added the enhancement New feature or request label Jun 14, 2024
jglick
jglick approved these changes Jun 14, 2024
View reviewed changes
Copy link
Member

@jglick jglick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks right.

dwnusbaum
dwnusbaum reviewed Jun 14, 2024
View reviewed changes
src/main/java/org/jenkinsci/plugins/workflow/libs/GlobalUntrustedLibraries.java Outdated
return Jenkins.MANAGE;
}

@Extension(ordinal=0) public static class ForJob extends AbstractForJob {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this implementation needs to wrap the returned libraries in ResolvedLibraryConfiguration like FolderLibraries.ForJob to avoid introducing a new security issue like what was fixed by ace0de3.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe the trust flag is enough though, I am not sure. Either way I would look at old security fixes here carefully to see if anything extra needs to be done to separate the two global configurations in all contexts.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indeed, this is addressed in 98322fb

Copy link
Member

@dwnusbaum dwnusbaum Jun 14, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at the old fix in more detail, I think it was probably fine as you had it originally because of this line:

pipeline-groovy-lib-plugin/src/main/java/org/jenkinsci/plugins/workflow/libs/LibraryAdder.java

Line 132 in b98828a

String source = kind.getClass().getName();

I think folder-based libraries just needed special treatment to distinguish between folders with the same name defined at different levels since they use the same LibraryResolver class. Since the new untrusted global libraries use a distinct resolver class and only exist in a single place, things should be fine without wrapping LibraryConfigurations. Your changes use getClass().getName() anyway so the behavior should be identical. I didn't try testing it though.

@jglick
Copy link
Member

jglick commented Jun 14, 2024

@dwnusbaum best to “request changes” if in doubt whether there might be a security issue.

dwnusbaum
dwnusbaum approved these changes Jun 14, 2024
View reviewed changes
src/main/java/org/jenkinsci/plugins/workflow/libs/AbstractGlobalLibraries.java Outdated
Comment on lines 90 to 99
return getConfiguration()
.getLibraries()
.stream()
.map(this::mayWrapLibrary)
.collect(Collectors.toList());
}

protected LibraryConfiguration mayWrapLibrary(LibraryConfiguration library) {
return library;
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking more carefully, it is probably unnecessary to wrap these, see #129 (comment).

@Vlatombe
Copy link
Member Author

@dwnusbaum can you merge this ?

@dwnusbaum dwnusbaum merged commit e832a92 into jenkinsci:master Jun 17, 2024
14 checks passed
@dwnusbaum dwnusbaum mentioned this pull request Jun 17, 2024
Merged
6 tasks
@Vlatombe Vlatombe deleted the JENKINS-40533 branch June 17, 2024 14:51
@jglick jglick mentioned this pull request Nov 12, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jglick jglick jglick approved these changes

@dwnusbaum dwnusbaum dwnusbaum approved these changes

Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Vlatombe @jglick @dwnusbaum