Hi everyone,
Yesterday's core security update included the security fix SECURITY-595[1],
which limits what methods can be invoked by Stapler. For example, any public
method whose name starts with "get", and that has a `String`, `int`, `long`, or
no argument could be invoked by accessing corresponding URLs. As these naming
conventions closely match common code patterns in Java, accessing such URLs
could invoke methods never intended to be invoked this way, and we've
identified quite a few problems resulting from this behavior. See the advisory
for more details.
Restrictions are now applied on which getters, field access, and web methods
("do" actions) can be invoked based on their signatures. For example, access to
static getters and fields is now prohibited entirely, and web methods need some
indication (like annotations) that they're supposed to be invoked; a plain
`public void doWhatever()` will not work anymore.
While we included a whitelist for known, otherwise broken plugin functionality
with the security update, there's no way for us to find all legitimately
invoked getter methods or fields to include them. Additionally, any new
development will not be covered: Something that works in older releases (such
as the core version your plugins run tests or hpi:run with) might no longer
work in 2.154, 2.1238.4, or newer.
I updated the developer documentation with explanations of these changes and
how best to avoid any problems:
* https://jenkins.io/doc/developer/handling-requests/stapler-accessible-type/
* https://jenkins.io/doc/developer/handling-requests/actions/
* https://jenkins.io/doc/developer/security/read-access/
If you have questions about this change, or how best to adapt your plugin,
please ask in this thread, in #jenkins on IRC, or in jenkinsci/jenkins on
Gitter, and I'd be happy to help.
1: https://jenkins.io/security/advisory/2018-12-05/#SECURITY-595
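To make the new rules concrete, here is an added illustration of a hypothetical plugin Action (constructed for this note, not code from the original message or from Jenkins core); the class and method names are made up, and the annotations are the ones Stapler exposes for opting in or out of dispatch.

```java
// Added illustration (not from the original message or Jenkins core): a
// hypothetical plugin Action showing which members Stapler will and will
// not route to after SECURITY-595. Class and method names are constructed.
import hudson.model.Action;
import org.kohsuke.stapler.StaplerAccessibleType;
import org.kohsuke.stapler.StaplerNotDispatchable;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.WebMethod;
import org.kohsuke.stapler.interceptor.RequirePOST;
import java.io.IOException;

public class ExampleAction implements Action {

    // A getter's return type must opt in to being reachable under
    // .../example/report/ ; without this annotation (or a marker such as
    // a view or web method of its own) the getter is no longer routable.
    @StaplerAccessibleType
    public static class Report {
        // rendered by a Jelly view (index.jelly, not shown here)
        public String getSummary() { return "ok"; }
    }

    public Report getReport() { return new Report(); }

    // A method that merely matches the "get" naming pattern is not a URL
    // any more; an explicit opt-out documents that it never was meant to be.
    @StaplerNotDispatchable
    public String getInternalState() { return "not a web endpoint"; }

    // Before the fix any public doXyz() was a web method. Now it needs a
    // signal: StaplerRequest/StaplerResponse parameters, @WebMethod, or an
    // interceptor annotation such as @RequirePOST (which also blocks GET).
    @RequirePOST
    public void doReset(StaplerRequest req, StaplerResponse rsp) throws IOException {
        rsp.sendRedirect(".");
    }

    // @WebMethod lets the URL name differ from the Java method name.
    @WebMethod(name = "ping")
    public void pingHandler(StaplerRequest req, StaplerResponse rsp) throws IOException {
        rsp.getWriter().println("pong");
    }

    // Action contract, so the class compiles as a Jenkins Action.
    @Override public String getIconFileName() { return null; }
    @Override public String getDisplayName() { return "Example"; }
    @Override public String getUrlName() { return "example"; }
}
```

Running the plugin against the updated core is the practical check: any URL a test or `hpi:run` still relies on that maps to an unannotated getter or `doXyz()` will return a 404 instead of invoking the method.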