Hi everyone,
Yesterday's core security update included the security fix SECURITY-595[1], which limits what methods can be invoked by Stapler. For example, any public method whose name starts with "get", and that has a `String`, `int`, `long`, or no argument could be invoked by accessing corresponding URLs. As these naming conventions closely match common code patterns in Java, accessing such URLs could invoke methods never intended to be invoked this way, and we've identified quite a few problems resulting from this behavior. See the advisory for more details.
Restrictions are now applied on which getters, field access, and web methods ("do" actions) can be invoked based on their signatures. For example, access to static getters and fields is now prohibited entirely, and web methods need some indication (like annotations) that they're supposed to be invoked; a bare `public void doWhatever()` will not work anymore.
While we included a whitelist for known, otherwise broken plugin functionality with the security update, there's no way for us to find all legitimately invoked getter methods or fields to include them. Additionally, any new development will not be covered: Something that works in older releases (such as the core version your plugins run tests or hpi:run with) might no longer work in 2.154, 2.1238.4, or newer.
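To make the new rules concrete, here is an added example (not code from the announcement or from the Jenkins documentation) of a hypothetical plugin Action adjusted for these restrictions; the class, method names and the "example" URL are assumptions.

```java
// Hypothetical plugin Action illustrating the post-SECURITY-595 dispatch rules
// (added example; class and method names are assumed, not taken from any plugin).
import hudson.model.Action;
import org.kohsuke.stapler.StaplerNotDispatchable;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;

public class ExampleAction implements Action {

    // Standard Action getters: public no-argument "get" methods remain routable,
    // so the usual Action-based URLs keep working.
    @Override public String getIconFileName() { return null; }
    @Override public String getDisplayName() { return "Example"; }
    @Override public String getUrlName() { return "example"; }

    // Static getters and fields are never dispatched any more, so this can no
    // longer be reached through a URL regardless of its name.
    public static String getInternalState() { return "internal"; }

    // A getter that exists for Java callers but must not become a URL:
    // opt out explicitly (or simply make it non-public).
    @StaplerNotDispatchable
    public Object getHelper() { return new Object(); }

    // Before the update, a bare "public void doReset()" was reachable as
    // .../example/reset purely by naming convention. Now a web method needs an
    // explicit signal: Stapler parameter types, @WebMethod, or an interceptor
    // annotation such as @RequirePOST (which also limits this state-changing
    // action to POST requests).
    @RequirePOST
    public void doReset(StaplerRequest req, StaplerResponse rsp) throws IOException {
        // permission check and the actual work would go here
        rsp.sendRedirect(".");
    }
}
```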
I updated the developer documentation with explanations of these changes and how best to avoid any problems:
* https://jenkins.io/doc/developer/handling-requests/stapler-accessible-type/
* https://jenkins.io/doc/developer/handling-requests/actions/
* https://jenkins.io/doc/developer/security/read-access/
If you have questions about this change, or how best to adapt your plugin, please ask in this thread, in #jenkins on IRC, or in jenkinsci/jenkins on Gitter, and I'd be happy to help.
[1] https://jenkins.io/security/advisory/2018-12-05/#SECURITY-595