[workflow-plugin] Dir step : funny way of removing your whole master .jenkins directory

[Baptiste Mathus]

Hi,

Recently, someone in our shop had his first tries with the workflow plugin.

Some context: he wanted as a first step to ensure a specific directory in the workspace would be removed. Here's an excerpt (warning: don't run it, read below):

node('rhel'){
    dir('workingdirectory'){
        File currentWorkingDirectory = new File('.')
        currentWorkingDirectory.deleteDir()
    }
    ...
}

The thing is: it seems like the standard steps will know about this (doing a sh 'pwd' would indeed display the /somepath/.jenkins/jobs/workspace.../therightws/workingdirectory).

BUT, using new File('.') will NOT put you inside that subdirectory of the WS. Guess what, it will point to $HOME :-). 

So the code above will just basically totally wipe out your Jenkins master data... The good news is that we've now thoroughly tested our backup and it's working perfectly :-).

So, I'm not sure there's something doable, but at least that would be desirable because of that dangerosity.

WDYT?

At least, I hope this mail will warn people to have caution in that area.

Cheers

--

Baptiste

[Jesse Glick]

All I can say is that if you set up security on Jenkins, then it would be impossible for a non-administrator to run the above script, because it would have to be sandboxed and the call to the File constructor would have been rejected, perhaps prompting that person to ask for help.