> > They sound unrelated to security and are best addressed, if required, by
> > plugin developers on their own initiative.

Let's park this question for now. I am going to play with the current PR state, and then I will provide a response around Jan 02. My IMHO is that it would be preferable to separate Remoting and XStream from the very beginning, so that the plugin maintainers will think twice when they try to save custom classes on the disk or to send them via Remoting. But I agree it may be over-engineering. All contributors are welcome to comment.

BR, Oleg

On Monday, December 18, 2017 at 13:41:20 UTC+1, Oleg Nenashev wrote:
>
> Hi all,
>
> I am starting this thread in order to collect extra feedback about JEP-200, which proposes switching Remoting/XStream implementations from a blacklist to a whitelist. The intention is to significantly reduce the risks of class deserialization attacks, which have been hitting the Jenkins project seriously over the last 2 years (e.g. SECURITY-429 this April <https://jenkins.io/security/advisory/2017-04-26/>). This JEP is accepted as a draft, and the current state is published here <https://github.com/oleg-nenashev/jep/tree/master/jep/200>.
>
> I am assigned as a BDFL Delegate who makes a decision about accepting/rejecting this Jenkins Enhancement Proposal (see JEP-1 <https://github.com/jenkinsci/jep/tree/master/jep/1> for more info about the process). Over the next week I will be reviewing this JEP and providing feedback in this thread and in pull requests.
>
> I also call other interested contributors to comment regarding this JEP. It is important, because the proposal implies a *high risk* of regressions in plugins and other Jenkins components. The JEP sponsor made a significant amount of testing, but there may be some gaps. Any feedback and extra testing of the reference implementation will be appreciated.
>
> There are several ways to provide the feedback:
>
> - Comment in this thread
> - Create a pull request with document edits
> - Ping me (oleg-nenashev) and Jesse Glick (jglick) in IRC
>
> My current plan is to finalize the Draft reviews/edits by December 30, though it depends on the sponsor's availability during the Christmas break if there is a discussion needed. If you have any comments or interest to review the JEP deeper, please respond by this date.
>
> Best regards,
> Oleg Nenashev
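As an added illustration of the blacklist-to-whitelist shift the JEP describes (example code written for this page, not Jenkins, Remoting or XStream code, and not JEP-200's reference implementation): a Java ObjectInputStream subclass that rejects every class descriptor not on an explicit allow list before the class is resolved or any instance is created. The `Message` class and the allow-list contents are constructed for the demo; with the allow list replaced by an empty set, the same serialized bytes are refused at the first class descriptor.

```java
import java.io.*;
import java.util.*;

/**
 * Added example (not Jenkins/Remoting/XStream code): an ObjectInputStream that
 * resolves only classes named in an explicit whitelist. Every other class
 * descriptor in the stream is rejected before the class is loaded, which is
 * the point at which deserialization gadget chains would otherwise start.
 */
public class WhitelistObjectInputStream extends ObjectInputStream {

    private final Set<String> allowed;

    public WhitelistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = Collections.unmodifiableSet(new HashSet<>(allowed));
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        String element = name;
        if (name.startsWith("[")) {
            // Reduce array descriptors ("[[Lcom.example.Foo;", "[I") to the element type.
            while (element.startsWith("[")) element = element.substring(1);
            if (element.startsWith("L") && element.endsWith(";")) {
                element = element.substring(1, element.length() - 1);
            } else {
                element = null; // primitive component such as "[I": nothing to check
            }
        }
        if (element != null && !allowed.contains(element)) {
            throw new InvalidClassException(name, "class not in deserialization whitelist");
        }
        return super.resolveClass(desc);
    }

    // Constructed value type so the demo is self-contained.
    public static final class Message implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Message(String text) { this.text = text; }
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new Message("hello"));
        }
        // Allow list for the demo: only the types this application expects on the wire.
        Set<String> allow = new HashSet<>(Arrays.asList(
                "java.lang.String", Message.class.getName()));

        // Accepted: every class descriptor in the stream is whitelisted.
        try (ObjectInputStream in = new WhitelistObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()), allow)) {
            System.out.println("accepted: " + ((Message) in.readObject()).text);
        }

        // Rejected: the same bytes against an empty whitelist fail at the first descriptor.
        try (ObjectInputStream in = new WhitelistObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()), Collections.<String>emptySet())) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
        }
    }
}
```

The overriding of `resolveClass` is the pre-Java 9 way to do this; from Java 9 (and the 8u121 backport) the platform `ObjectInputFilter` mechanism from JEP 290 offers the same allow/deny decision without subclassing the stream. XStream is a separate codepath with its own `TypePermission` based `allowTypes`/`denyTypes` configuration, which is why the message above discusses treating Remoting and XStream separately: a whitelist on one does nothing for the other.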
