[JIRA] (JENKINS-53752) Block PRs from forks from untrusted users

12 views
Skip to first unread message

samsch@microsoft.com (JIRA)

unread,
Sep 24, 2018, 1:16:01 PM9/24/18
to jenkinsc...@googlegroups.com
Sam Schwarz created an issue
 
Jenkins / New Feature JENKINS-53752
Block PRs from forks from untrusted users
Issue Type: New Feature New Feature
Assignee: Unassigned
Components: github-branch-source-plugin
Created: 2018-09-24 17:15
Labels: security configuration
Priority: Major Major
Reporter: Sam Schwarz

The plugin currently has no way to block untrusted users from making a PR from a fork and having this PR built by Jenkins. The GitHub Pull Request Builder does have this feature which is very useful for open source projects to protect the build system from malicious changes. The documentation on the GitHub Pull Request Builder wiki page says to move from the GHPRB plugin to the GitHub Branch source plugin which causes the user to lose this extremely useful functionality.
Add Comment Add Comment
 
This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

mark.earl.waite@gmail.com (JIRA)

unread,
Sep 24, 2018, 3:27:02 PM9/24/18
to jenkinsc...@googlegroups.com
Mark Waite updated an issue
Change By: Mark Waite
Attachment: github-branch-source-discover-pull-requests.PNG

mark.earl.waite@gmail.com (JIRA)

unread,
Sep 24, 2018, 3:28:02 PM9/24/18
to jenkinsc...@googlegroups.com
Mark Waite commented on New Feature JENKINS-53752
 
Re: Block PRs from forks from untrusted users

Isn't the option to "Discover pull requests from forks" what you are seeking, with the setting "From Users with Admin or Write permission"?

directhex@apebox.org (JIRA)

unread,
Sep 24, 2018, 3:33:03 PM9/24/18
to jenkinsc...@googlegroups.com

No. That's the point. That setting determines whether pull requests should use Jenkinsfile from origin/ or from the fork - it has no functionality to block pull requests from users under any circumstance.

andrew.bayer@gmail.com (JIRA)

unread,
Sep 25, 2018, 9:31:03 AM9/25/18
to jenkinsc...@googlegroups.com

Yeah, this is a missing feature - I'm trying to figure out if it's missing by design for some reason.

andrew.bayer@gmail.com (JIRA)

unread,
Sep 25, 2018, 10:44:02 AM9/25/18
to jenkinsc...@googlegroups.com
Andrew Bayer assigned an issue to Andrew Bayer
 
Change By: Andrew Bayer
Assignee: Andrew Bayer

andrew.bayer@gmail.com (JIRA)

unread,
Sep 25, 2018, 10:45:02 AM9/25/18
to jenkinsc...@googlegroups.com
Andrew Bayer started work on New Feature JENKINS-53752
 
Change By: Andrew Bayer
Status: Open In Progress

andrew.bayer@gmail.com (JIRA)

unread,
Sep 25, 2018, 10:45:03 AM9/25/18
to jenkinsc...@googlegroups.com
Change By: Andrew Bayer
Status: In Progress Review

andrew.bayer@gmail.com (JIRA)

unread,
Sep 25, 2018, 10:45:03 AM9/25/18
to jenkinsc...@googlegroups.com

vivek.pandey@gmail.com (JIRA)

unread,
Jan 8, 2019, 11:05:02 AM1/8/19
to jenkinsc...@googlegroups.com
Vivek Pandey assigned an issue to rsandell
 
Change By: Vivek Pandey
Assignee: Andrew Bayer rsandell

brian.murrell@intel.com (JIRA)

unread,
Jan 29, 2019, 1:24:01 AM1/29/19
to jenkinsc...@googlegroups.com
Brian J Murrell commented on New Feature JENKINS-53752
 
Re: Block PRs from forks from untrusted users

Any word on the status of this?

I would add one more feature to allow those with write or perhaps just admin privileges to approve "untrusted" PRs.

brian.murrell@intel.com (JIRA)

unread,
Feb 20, 2019, 8:03:02 AM2/20/19
to jenkinsc...@googlegroups.com

Will any further work be done on this or should this issue be closed?

bitwiseman@gmail.com (JIRA)

unread,
Jun 27, 2019, 1:37:04 PM6/27/19
to jenkinsc...@googlegroups.com
Liam Newman assigned an issue to Liam Newman
 
Change By: Liam Newman
Assignee: rsandell Liam Newman

brian.murrell@intel.com (JIRA)

unread,
Jul 23, 2019, 10:29:03 AM7/23/19
to jenkinsc...@googlegroups.com
Brian J Murrell updated an issue
Change By: Brian J Murrell
Attachment: image-2019-07-23-10-28-00-893.png

brian.murrell@intel.com (JIRA)

unread,
Jul 23, 2019, 10:29:05 AM7/23/19
to jenkinsc...@googlegroups.com
 
Re: Block PRs from forks from untrusted users

Isn't this option:

supposed to achieve what is being asked for in this ticket?

oxygenxo@gmail.com (JIRA)

unread,
Aug 15, 2019, 12:42:03 PM8/15/19
to jenkinsc...@googlegroups.com

Brian J Murrell, no, it isn't because it blocks only Jenkinsfile changes (it will be taken from PR's target branch, not source) and still executes it.  Therefore any user who can open a PR in your repository can easily modify build scripts/CMake files and gain access to your build systems

brian.murrell@intel.com (JIRA)

unread,
Aug 15, 2019, 1:04:02 PM8/15/19
to jenkinsc...@googlegroups.com

Andrey Babushkin That's not at all how the item description or help text reads.  It very specifically says it will only build a change request / pull request ...

oxygenxo@gmail.com (JIRA)

unread,
Aug 15, 2019, 1:32:02 PM8/15/19
to jenkinsc...@googlegroups.com

I'm sorry Brian J Murrell, It seems I've just screwed the config of my GitHub Organization folder. I've set "Build strategies" like on the picture you've provided and "Trust" to "Nobody". Jenkins creates jobs for PRs opened by untrusted persons, but doesn't run them. That's exactly what I've needed, thank you

bitwiseman@gmail.com (JIRA)

unread,
Aug 23, 2019, 6:20:04 PM8/23/19
to jenkinsc...@googlegroups.com
Liam Newman updated New Feature JENKINS-53752
 

This is fixed and the feature provided by a plugin
Change By: Liam Newman
Status: In Review Resolved
Resolution: Fixed

brian.murrell@intel.com (JIRA)

unread,
Aug 23, 2019, 9:28:03 PM8/23/19
to jenkinsc...@googlegroups.com
Brian J Murrell commented on New Feature JENKINS-53752
 
Re: Block PRs from forks from untrusted users

Liam Newman Could you provide some more details?  Which plugin, at least.

brian.murrell@intel.com (JIRA)

unread,
Aug 23, 2019, 10:14:02 PM8/23/19
to jenkinsc...@googlegroups.com

Liam Newman Perhaps you are referring to [#188| https://github.com/jenkinsci/github-branch-source-plugin/pull/188]. If so I would direct you to the last comment there about JENKINS-58618 and JENKINS-58683, neither of which have even been triaged.
Reply all
Reply to author
Forward
0 new messages