[JIRA] (JENKINS-58618) Only ignores PRs from untrusted sources "once"


brian.murrell@intel.com (JIRA)

Jul 23, 2019, 10:40:02 AM
to jenkinsc...@googlegroups.com
Brian J Murrell created an issue
 
Jenkins / Bug JENKINS-58618
Only ignores PRs from untrusted sources "once"
Issue Type: Bug
Assignee: Unassigned
Attachments: image-2019-07-23-10-30-22-210.png
Components: basic-branch-build-strategies-plugin
Created: 2019-07-23 14:39
Environment: Jenkins ver. 2.176.2
Priority: Critical
Reporter: Brian J Murrell

Note: setting to Critical as this exposes serious security issues.

The "Ignore change requests flagged as originating from an untrusted source" build strategy:

seems to only work on the first commit to a PR from an untrusted source. If somebody with the appropriate permissions executes a Build Now on that PR, presumably because they have done a code inspection looking for nefarious use of the build and test resources, any subsequent pushes to that PR, even from untrusted sources, will get automatically built, without the need for somebody to again go execute a Build Now.

This of course means that such a PR could introduce nefarious use, without review, after having its first commit in the PR approved and built.

Every new commit to a PR from an untrusted source needs to be prevented from building until somebody approves it with an explicit Build Now click. Otherwise this whole option becomes much less useful.

This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

bitwiseman@gmail.com (JIRA)

Sep 3, 2019, 4:59:02 PM
to jenkinsc...@googlegroups.com
Liam Newman updated an issue
Change By: Liam Newman
Priority: Critical → Major

bitwiseman@gmail.com (JIRA)

Sep 3, 2019, 5:01:03 PM
to jenkinsc...@googlegroups.com
Liam Newman commented on Bug JENKINS-58618
 
Re: Only ignores PRs from untrusted sources "once"

This definitely looks like an issue, but I'm not sure of the source.

We'll need to do some debugging to figure it out.

Have you tried setting Trusted to "Nobody" as suggested here:

https://issues.jenkins-ci.org/browse/JENKINS-53752?focusedCommentId=373461&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-373461

From what I see that results in the correct behavior, so for truly untrusted cases the filter seems to work:

Checking pull request#10
(not from a trusted source) ‘Jenkinsfile’ found Met criteria Changes detected: PR-10-head (badd9a4f697a55c573b4d4fbabb61870e8efa4ea → e9e963e7ebfd5a54874c8962a9108930edcbb421) Loading trusted files from base branch master at bc1bf622bedeb9a04debfa2236620eb0edac6dc6 rather than e9e963e7ebfd5a54874c8962a9108930edcbb421 No automatic build triggered for PR-10-head (not from a trusted source)

You could then specify users to still build for.

To be clear, there is a bug here and it should be fixed, but it will take some work to isolate.
brian.murrell@intel.com (JIRA)

Sep 3, 2019, 5:51:02 PM
to jenkinsc...@googlegroups.com
Is it really appropriate to downgrade a security-impacting issue like this to Major?

> Have you tried setting Trusted to "Nobody" as suggested here:

That's not the behaviour we are looking for though. We want members of the organisation to be able to push PRs from their own GitHub accounts (i.e. as opposed to using branches within the organisation) and have Jenkins build those.

bitwiseman@gmail.com (JIRA)

Sep 4, 2019, 1:55:02 PM
to jenkinsc...@googlegroups.com
Liam Newman updated an issue
Change By: Liam Newman
Priority: Major → Critical

bitwiseman@gmail.com (JIRA)

Sep 4, 2019, 1:56:02 PM
to jenkinsc...@googlegroups.com
Liam Newman commented on Bug JENKINS-58618
 
Re: Only ignores PRs from untrusted sources "once"

Fair enough, I've returned the priority to Critical. I'm not the owner/maintainer of this plugin, just affected by it.

For security issues like this, you should file an issue under the Jenkins Jira "SECURITY" project. That will likely get more attention than a general functionality issue. See https://jenkins.io/security/ for details.
