Solved security problems in PostBuildScript Plugin


Daniel Heid

Oct 27, 2017, 4:35:06 PM
to jenkin...@googlegroups.com, gregory....@gmail.com
Hi everyone,

I tried to fix the arbitrary code execution vulnerability in the PostBuildScript plugin by using the SecureGroovyScript recommendation (https://wiki.jenkins.io/display/JENKINS/Script+Security+Plugin).

You'll find the pull request here:


If Gregory doesn't maintain the plugin any longer, I volunteer to adopt it. What do you think about that, Gregory?

My GitHub and jenkins.io IDs are both dheid

Kind regards

Daniel



Jesse Glick

Oct 30, 2017, 10:59:45 AM
to Jenkins Dev
On Fri, Oct 27, 2017 at 4:22 PM, Daniel Heid <dh...@posteo.de> wrote:
> I tried to fix the arbitrary code execution vulnerability in the
> PostBuildScript plugin

Why not just use the Groovy Postbuild plugin, which has comparable
functionality (IIUC) but is long since secured, and better maintained?

Daniel Beck

Oct 30, 2017, 2:10:46 PM
to jenkin...@googlegroups.com

> On 30. Oct 2017, at 15:59, Jesse Glick <jgl...@cloudbees.com> wrote:
>
> Why not just use the Groovy Postbuild plugin, which has comparable
> functionality (IIUC) but is long since secured, and better maintained?

Doesn't replace the regular 'shell' script feature of the plugin though.

Daniel Heid

Oct 30, 2017, 2:36:19 PM
to jenkin...@googlegroups.com
And I volunteer to adopt the plugin and maintain it. I already solved three issues.

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/230F1A08-E403-46F4-A88C-AA960C361B7C%40beckweb.net.
For more options, visit https://groups.google.com/d/optout.


Daniel Heid

Oct 30, 2017, 2:36:19 PM
to jenkin...@googlegroups.com
Because there are users that simply want to execute shell scripts.

Daniel Heid

Nov 2, 2017, 3:50:34 AM
to jenkin...@googlegroups.com
Hello again,

Gregory didn't answer yet. It seems like he doesn't maintain the plugin since 2015.

Since I'm using the plugin a lot (with shell scripts), I don't want it to be lost. Is it possible that someone at least merges my pull request? I'm still interested in maintaining the plugin.

Thank you very much in advance!

Kind regards

Daniel


On 30.10.2017 4:15 PM Daniel Heid <dh...@posteo.de> wrote:
Because there are users that simply want to execute shell scripts.


Patrick Pierson

Nov 2, 2017, 10:24:54 AM
to Jenkins Developers
I'd merge if I could. As one of the users that just wants to execute a shell script at the end of my build, I don't want to have to write Groovy to do so.

Jenkins team, please approve him so I can get builds working again.

Daniel Beck

Nov 2, 2017, 10:54:07 AM
to jenkin...@googlegroups.com

> On 30. Oct 2017, at 19:32, Daniel Heid <dh...@posteo.de> wrote:
>
> And I volunteer to adopt the plugin and maintain it. I already solved three issues.

Great! I responded in https://github.com/jenkinsci/postbuildscript-plugin/pull/15 what the next steps are. Sorry for the delay.

Daniel Heid

Nov 3, 2017, 3:43:19 AM
to jenkin...@googlegroups.com
Many thanks! I added a Jenkinsfile and released a new version, 0.18, that includes the security fix and solves another bug. I also opened a pull request on the Job DSL plugin to remove the deprecations.

It would be very kind if you would merge https://github.com/jenkins-infra/backend-update-center2/pull/169 to remove the blacklisting. Thanks again!