No plugin adopted this so far according to the update center, so I feel compelled to write this message.

Email-ext, EnvInject, Groovy, Build Flow, Groovy Postbuild, PostBuildScript, ScriptTrigger, various 'dynamic parameter' plugins, ... there are several plugins supporting scripting, and all are doing it in an unsafe manner. There are thousands or even tens of thousands of installs of some of these plugins, and I bet only _very_ few Jenkins admins using these plugins realize what they allow their non-admin users to do. Admins currently need to choose between having none of the features offered by these (otherwise generally very useful or even essential) plugins, or _completely_ trusting _all_ users able to configure _any_ item.

It's absolutely seamless for users if you don't have security enabled, and it seems to actually be safe if you do. It's also dead simple to use as a developer.

Here's a plugin I recently wrote that brings Groovy scripting to list view columns in a safe manner:

https://github.com/daniel-beck/jenkins-script-column-plugin

Of course, this doesn't do migration from older configs, but an example for that exists as well.

If you're an author of a plugin with Groovy-scripting functionality, please consider depending on Script Security for that.

Daniel

On 12.03.2014, at 23:45, Jesse Glick <[email protected]> wrote:

> I am working on a new plugin
>
> https://github.com/jenkinsci/script-security-plugin
>
> which allows other plugins with scripts (usually Groovy) to run those
> in a secured fashion. The wiki
>
> https://wiki.jenkins-ci.org/display/JENKINS/Script+Security+Plugin
>
> has details. People who are working on Groovy-based plugins (e.g.
> job-dsl) should consider trying to integrate with it. Comments on the
> API are welcomed.
>
> (I realized too late that I should have started with version 0.1, not
> 1.0-beta-1, since API changes may still be needed.)
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
