
Revert "Merge pull request #538 from dwnusbaum/post-SECURITY-359" #828

Merged

Conversation

dwnusbaum (Member)

Reverts #538.

See #538 (comment).

Testing done

Submitter checklist

  1. Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  2. Ensure that the pull request title represents the desired changelog entry
  3. Please describe what you did
  4. Link to relevant issues in GitHub or Jira
  5. Link to relevant pull requests, esp. upstream and downstream changes
  6. Ensure you have provided tests that demonstrate the feature works or that the issue is fixed

…-359"

This reverts commit c43e04d, reversing
changes made to 3a59e40.
@dwnusbaum dwnusbaum added the bug label Jan 9, 2024
@dwnusbaum dwnusbaum requested a review from a team as a code owner January 9, 2024 15:55
/org/jenkinsci/plugins/docker/workflow/declarative/DockerPipelineFromDockerfileScript.groovy
/org/jenkinsci/plugins/docker/workflow/declarative/DockerPipelineScript.groovy
# kubernetes
/org/csanchez/jenkins/plugins/kubernetes/pipeline/KubernetesDeclarativeAgentScript.groovy
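Review bot: the three script resources listed here belong to other plugins (org.jenkinsci.plugins.docker.workflow is docker-workflow, org.csanchez.jenkins.plugins.kubernetes is kubernetes), so this allowlist pins class names the plugin does not own, and a bare `# kubernetes` group header does not say why the entry is needed or which other mechanism would cover it if it were dropped; a comment per group naming the owning plugin and the reason the static entry is still required would stop the next cleanup from removing it on the assumption that it is redundant, and a test exercising at least one of these agent types would have caught the failure that prompted this revert.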
@dwnusbaum (Member, Author) Jan 9, 2024


FWIW although this was the only reported problem, and the stack trace at least shows that ModelInterpreter.groovy was allowed correctly after the change, almost all of the files here that end with Script.groovy use the same mechanism (WithScriptDescriptor$WithScriptAllowlist), and I don't really have any hypothesis as to why some of them would be affected but not others, so it seems safest to just revert the whole change. WithScriptDescriptor lives in pipeline-model-extensions, so theoretically I would expect scripts in pipeline-model-definition and the other plugins to have the same problems as the script in kubernetes.

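The comment above turns on one question a reviewer of an "allowlist cleanup" wants answered mechanically: which script classes did the cleanup stop allowing, so that each one can be checked against whatever other mechanism is supposed to cover it. The following is an added example, not code from pipeline-model-definition or any Jenkins plugin; it assumes the allowlist format visible in the diff fragment above (one classpath resource path per line, `#` starting a comment, blank lines ignored) and the usual mapping from a `.groovy` resource path to a class name. Both allowlist versions are constructed samples, and `dropped_entries`, `is_allowed` and `resource_to_class` are names chosen here.

```python
"""Parse a static allowlist of Groovy script resources and diff two versions.

Added example, not the plugin's own loader. Assumed format (from the diff
fragment on this page): one resource path per line, '#' starts a comment.
"""

# Constructed sample: the allowlist before a cleanup (assumption).
BEFORE = """\
# docker-workflow
/org/jenkinsci/plugins/docker/workflow/declarative/DockerPipelineFromDockerfileScript.groovy
/org/jenkinsci/plugins/docker/workflow/declarative/DockerPipelineScript.groovy
# kubernetes
/org/csanchez/jenkins/plugins/kubernetes/pipeline/KubernetesDeclarativeAgentScript.groovy
"""

# Constructed sample: the same list after a cleanup that assumed the
# kubernetes script is covered by another mechanism (assumption).
AFTER = """\
# docker-workflow
/org/jenkinsci/plugins/docker/workflow/declarative/DockerPipelineFromDockerfileScript.groovy
/org/jenkinsci/plugins/docker/workflow/declarative/DockerPipelineScript.groovy
"""


def parse_allowlist(text: str) -> set[str]:
    """Return the set of allowed resource paths; '#' comments and blanks are ignored."""
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.add(line)
    return entries


def resource_to_class(path: str) -> str:
    """Map '/org/foo/BarScript.groovy' to 'org.foo.BarScript' (classpath convention)."""
    name = path.lstrip("/")
    if name.endswith(".groovy"):
        name = name[: -len(".groovy")]
    return name.replace("/", ".")


def is_allowed(allowlist: set[str], class_name: str) -> bool:
    """True if the script class is covered by this static allowlist."""
    return class_name in {resource_to_class(p) for p in allowlist}


def dropped_entries(before: str, after: str) -> set[str]:
    """Script classes the old list allowed and the new list does not.

    Every class reported here must be shown to be allowed by some other
    mechanism, or declarative agents of that type will fail to load.
    """
    old, new = parse_allowlist(before), parse_allowlist(after)
    return {resource_to_class(p) for p in old - new}


if __name__ == "__main__":
    for cls in sorted(dropped_entries(BEFORE, AFTER)):
        print("no longer allowlisted:", cls)
```

Run against the real before/after files from a cleanup PR, the output is the list of classes whose coverage the reviewer has to justify one by one; an empty list is the only result that lets the change through without further investigation.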
@dwnusbaum dwnusbaum requested a review from jglick January 9, 2024 15:58
@jglick (Member) left a comment


Seems best as a hotfix while investigations proceed.

@jglick jglick enabled auto-merge January 9, 2024 16:04
@jglick jglick merged commit 3051924 into jenkinsci:master Jan 9, 2024
14 checks passed
@dwnusbaum dwnusbaum deleted the revert-default-allowlist-cleanup branch January 9, 2024 16:58