Securing build scripts when building pull requests


Christopher Weaver

May 16, 2019, 4:24:02 PM
to Jenkins Users
Hi, 

For a project I work on, we have set up Jenkins, using the GitHub Branch Source Plugin, to do automatic builds for pushes to our repository, including test builds for pull requests. This is all working, but I am concerned about the security implications for the pull requests. It is my understanding that Jenkins will protect the Jenkinsfile itself against changes by non-privileged users, but as far as I can tell there is no such protection of other files critical to the build process, for example the CMakeLists we use to define most of our build with cmake. Is this not actually the problem I think it is, is there some way to instruct Jenkins to ignore changes to additional build files, or is there some other practical method for aborting builds when these files have changed? I tried to implement the last of these with logic built into the Jenkinsfile, but I got out of my depth trying to coax the necessary information out of git.

Chris Weaver
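As an added example (not code from this thread, from the project, or from ci.jenkins.io), here is one way to implement the "abort the build when protected files change" approach the question describes, in a declarative Jenkinsfile for a GitHub Branch Source job. It assumes a CMake project whose sensitive build inputs are `CMakeLists.txt`, a `cmake/` directory and a `scripts/ci/` directory (all assumed paths), and relies on two things that exist in a multibranch pipeline: the `CHANGE_TARGET`/`CHANGE_ID` environment variables the branch-source plugin sets for pull requests, and the `readTrusted` step from the Pipeline Multibranch plugin, which reads a file from the trusted revision and fails the build if an untrusted pull request modified it.

```groovy
// Added example, not from the thread or the project: refuse to build a pull
// request that touches build-definition files other than the Jenkinsfile.
pipeline {
    agent any
    environment {
        // Assumed project layout. Files are compared exactly; entries ending in
        // '/' are treated as directory prefixes.
        PROTECTED = 'CMakeLists.txt cmake/ scripts/ci/'
    }
    stages {
        stage('Guard build inputs') {
            // Only pull-request jobs have CHANGE_TARGET; branch builds are skipped here.
            when { changeRequest() }
            steps {
                script {
                    // 1. Single files: readTrusted aborts the build if an untrusted PR
                    //    changed them (how "untrusted" is decided is the branch
                    //    source's trust policy, e.g. forks from non-collaborators).
                    env.PROTECTED.split(' ').findAll { !it.endsWith('/') }.each { f ->
                        readTrusted f
                    }

                    // 2. Directories: diff the PR against the merge base with its
                    //    target branch and fail on any change under a protected prefix.
                    sh "git fetch --no-tags origin +refs/heads/${env.CHANGE_TARGET}:refs/remotes/origin/${env.CHANGE_TARGET}"
                    def changed = sh(
                        script: "git diff --name-only origin/${env.CHANGE_TARGET}...HEAD",
                        returnStdout: true
                    ).trim().split('\n').findAll { it }

                    def prefixes = env.PROTECTED.split(' ').findAll { it.endsWith('/') }
                    def hits = changed.findAll { f -> prefixes.any { p -> f.startsWith(p) } }
                    if (hits) {
                        error "PR #${env.CHANGE_ID} modifies protected build files: ${hits.join(', ')}"
                    }
                }
            }
        }
        stage('Build') {
            steps {
                // Only reached when the guard stage passed or this is not a PR.
                sh 'cmake -S . -B build && cmake --build build'
            }
        }
    }
}
```

Two caveats a practitioner should keep in mind. The `git fetch` in the shell step needs credentials for the origin remote available to the agent; if the job's checkout used stored Jenkins credentials, wrapping the step in `withCredentials` or letting the branch-source checkout fetch the target branch is the usual fix. And neither check limits what the rest of the build can do once it runs, so it complements rather than replaces isolating PR builds in a throwaway, network-restricted container.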

Simon Richter

May 17, 2019, 4:03:59 AM
to jenkins...@googlegroups.com
Hi,

On Thu, May 16, 2019 at 12:11:54PM -0700, Christopher Weaver wrote:

> For a project I work on, we have set up Jenkins, using the GitHub Branch
> Source Plugin, to do automatic builds for pushes to our repository,
> including test builds for pull requests. This is all working, but I am
> concerned about the security implications for the pull requests.

Yes, that is a common problem. Most people either only test pull requests
from trusted people, or configure Jenkins to test inside a container with
no network access and strict resource limits that is discarded after the
build.

Simon

Mark Waite

May 17, 2019, 7:43:06 AM
to Jenkins Users
The pipeline library on ci.jenkins.io is a good example of a library written to safely handle pull requests which might be malicious. Refer to isTrusted and how it is used to safeguard operations.

I believe ci.jenkins.io jobs are also configured to not allow Jenkinsfile to be used from the target branch even for pull requests.  That avoids the risk of a pull request submitted which executes a malicious Jenkinsfile. 



--
Thanks!
Mark Waite