ANN: Potentially BREAKING changes: JEP-200 is about to land in the 2.102 weekly
Oleg Nenashev
Dear plugin developers and maintainers,
Just in case you have not been following the JEP-200 threads, this change is going to land in the next weekly.
What? JEP-200 switches XStream/Remoting from Blacklist to Whitelist
Why? Security concerns about class deserialization. More info is in JEP-200 / Motivation
Why is it important? The change implies a high risk of regressions in plugins by design
Any particular cases? If you use classes from jar-packaged libraries in Remoting/XStream serialization, you likely have a problem. Classes in plugins are fine
Over the last weeks we have spent much timetesting the change with help of Acceptance Test Harness and Plugin Compat Tester. You can find summaries for the recent tests in this Google Doc. We have discovered and fixed many issues, but obviously we cannot verify all plugins.
Nevertheless, we (as a Security Team) want to release this change in weeklies in order to get it well tested before the next LTS cutoff. We will make sure that all communications is sent to users. Known issues will be tracked on this Wiki page. Jenkins admins will also get explicit error messages, which will point them to this page and to the blogpost with issue reporting guidelines (Pending PR). And of course, we will be tracking issue trackers in order to quickly resolve reported issues or to provide workarounds.
Patterns to be aware of...
Serialization over XStream:
java.lang.UnsupportedOperationException: Refusing to marshal ${CLASS} for security reasons; see https://jenkins.io/redirect/class-filter/
Serialization over Remoting:
WARNING jenkins.security.ClassFilterImpl#lambda$isBlacklisted$1: ${CLASS} in JRE might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/
If you are interested in testing your plugin OR in testing the change on your test instances, please see the guidelines below:
How to test your plugin(s)?
Manual: Download the Jenkins WAR from here
Running functional tests:
Checkout sources from https://github.com/jenkinsci/jenkins/pull/3120
Install local snapshot of the core ("mvn clean install -DskipTests -Dfindbugs.skip=true" takes several minutes)
Update Jenkins core requirement in your pom.xml or Gradle definition
If you use Plugin POM 2.x, specify the "jenkins.version=2.102-SNAPSHOT” and then set the "java.level" property to "8"
For Gradle and old plugin POMs more updates may be required. Your mileage may vary
Run tests
Please do not hesitate to respond to this thread, we will process the questions with the highest priority.
Best regards,
Oleg Nenashev
Jesse Glick
> Serialization over XStream:
>
> java.lang.UnsupportedOperationException: Refusing to marshal ${CLASS} for
> security reasons; see https://jenkins.io/redirect/class-filter/
>
> Serialization over Remoting:
>
> WARNING jenkins.security.ClassFilterImpl#lambda$isBlacklisted$1: ${CLASS}
> in JRE might be dangerous, so rejecting; see
> https://jenkins.io/redirect/class-filter/
(whether triggered by XStream or Remoting), even if the exception is
caught and swallowed. The former message is an example of the detail
message from an exception thrown out of XStream. The corresponding
exception thrown out of Remoting is currently vaguer.
This has been merged, so for the period until the 2.102 weekly release
is cut, you would instead check out and merge from master.
Mark Waite
On Thursday, January 11, 2018 at 11:44:09 AM UTC-7, Oleg Nenashev wrote:
Nevertheless, we (as a Security Team) want to release this change in weeklies in order to get it well tested before the next LTS cutoff. We will make sure that all communications is sent to users. Known issues will be tracked on this Wiki page. Jenkins admins will also get explicit error messages, which will point them to this page and to the blogpost with issue reporting guidelines (Pending PR). And of course, we will be tracking issue trackers in order to quickly resolve reported issues or to provide workarounds.
Patterns to be aware of...
Serialization over XStream:
java.lang.UnsupportedOperationException: Refusing to marshal ${CLASS} for security reasons; see https://jenkins.io/redirect/class-filter/
Serialization over Remoting:
WARNING jenkins.security.ClassFilterImpl#lambda$isBlacklisted$1: ${CLASS} in JRE might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/
| org.jenkinsci.plugins.workflow.job.WorkflowRun | Bugs - Individual Checks » JENKINS-43468-continuous-builds-if-pipeline-polling-enabled #1230 | ConversionException: Refusing to unmarshal textBuilder for security reasons; see https://jenkins.io/redirect/class-filter/ ---- Debugging information ---- class : java.lang.StringBuilder required-type : java.lang.StringBuilder converter-type : hudson.util.XStream2$BlacklistedTypesConverter path : /flow-build/actions/org.jvnet.hudson.plugins.groovypostbuild.GroovyPostbuildSummaryAction/textBuilder line number : 120 ------------------------------- |
Oleg Nenashev
--
You received this message because you are subscribed to a topic in the Google Groups "Jenkins Developers" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/jenkinsci-dev/EALjDtS4riU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to jenkinsci-dev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/c273c8cd-958f-4f85-beca-0ed592ce7cdd%40googlegroups.com.
Jesse Glick
Mark Waite
More details may be in the system log.
--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr1v9wdS%2Bnj6oCg74kcuN14XgENf%2BL6C81o%2B5YB%3DyaVQ7A%40mail.gmail.com.
Oleg Nenashev
On Sat, Jan 13, 2018 at 10:46 AM Jesse Glick <jgl...@cloudbees.com> wrote:
More details may be in the system log.--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-dev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr1v9wdS%2Bnj6oCg74kcuN14XgENf%2BL6C81o%2B5YB%3DyaVQ7A%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to a topic in the Google Groups "Jenkins Developers" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/jenkinsci-dev/EALjDtS4riU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to jenkinsci-dev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAO49JtEL_U4zp70hrLHbnAVm5VCSAd1%3DcB%2BeEEbQV5Awo_s0%3Dw%40mail.gmail.com.