The pipeline library on ci.jenkins.io is a good example of a library written to safely handle pull requests which might be malicious. Refer to isTrusted <https://github.com/jenkins-infra/pipeline-library/blob/master/README.adoc#infraistrusted> and how it is used to safeguard operations.
I believe ci.jenkins.io jobs are also configured to not allow the Jenkinsfile to be used from the target branch even for pull requests. That avoids the risk of a pull request being submitted which executes a malicious Jenkinsfile.

On Fri, May 17, 2019 at 1:03 AM Simon Richter <[email protected]> wrote:
> Hi,
>
> On Thu, May 16, 2019 at 12:11:54PM -0700, Christopher Weaver wrote:
>
> > For a project I work on, we have set up Jenkins, using the GitHub Branch
> > Source Plugin, to do automatic builds for pushes to our repository,
> > including test builds for pull requests. This is all working, but I am
> > concerned about the security implications for the pull requests.
>
> Yes, that is a common problem. Most people either only test pull requests
> from trusted people, or configure Jenkins to test inside a container with
> no network access and strict resource limits that is discarded after the
> build.
>
> Simon
>
> --
> You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/20190517080348.GA17598%40psi5.com.
> For more options, visit https://groups.google.com/d/optout.

--
Thanks!
Mark Waite

To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/CAO49JtHAT5tbH9%3Df%2BZEYJ%3DsO-6RisYM0spTQH9PKgu31WMCpmQ%40mail.gmail.com.
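The two controls discussed in the thread, gating credential-bearing steps on whether a build is trusted and running untrusted test code in a locked-down, throwaway container, as an added Jenkinsfile example. This is not code from the thread or from jenkins-infra/pipeline-library; isTrustedBuild() is a hypothetical stand-in written for this example, not the library's infra.isTrusted(). It assumes a multibranch Pipeline job created by the GitHub Branch Source Plugin, which sets CHANGE_ID only for pull request builds, CHANGE_FORK only when the PR head lives in a fork, and CHANGE_AUTHOR for PR builds. The Docker image, agent label, script names and credentials ID are placeholders.

```groovy
// Added example, not from the thread and not jenkins-infra/pipeline-library code.
// Assumes a multibranch job from the GitHub Branch Source Plugin: CHANGE_ID is set only
// for pull request builds, CHANGE_FORK only when the PR head is in a fork.

// Hypothetical helper (not the library's infra.isTrusted()). Only a build of a branch in
// the main repository counts as trusted: that code was pushed by someone with write
// access. Every pull request, from a fork or from the same repository, is untrusted input.
boolean isTrustedBuild() {
    return env.CHANGE_ID == null
}

// Human-readable description of what is being built, for the log.
String buildOrigin() {
    if (env.CHANGE_ID == null) {
        return "branch ${env.BRANCH_NAME} of the main repository"
    }
    String head = env.CHANGE_FORK ? "fork ${env.CHANGE_FORK}" : 'the main repository'
    return "pull request #${env.CHANGE_ID} from ${head}, author ${env.CHANGE_AUTHOR}"
}

pipeline {
    // No global agent: each stage chooses its own, so untrusted code never runs on the
    // node that later holds credentials.
    agent none
    options {
        // Bounds a runaway or deliberately slow test.
        timeout(time: 30, unit: 'MINUTES')
    }
    stages {
        stage('Test') {
            // Safe for untrusted code, as Simon suggests: a fresh container with no network,
            // hard memory, CPU and process limits, and no credentials. It is removed when
            // the stage ends. The image must already contain every test dependency, since
            // nothing can be downloaded.
            agent {
                docker {
                    image 'example/build-image:1.0'   // placeholder image
                    args '--network none --memory 2g --cpus 2 --pids-limit 512'
                }
            }
            steps {
                echo "Building ${buildOrigin()}; trusted=${isTrustedBuild()}"
                sh './run-tests.sh'                   // placeholder test entry point
            }
        }
        stage('Publish') {
            // Credentials are injected only into a trusted build. beforeAgent keeps the
            // trusted node from even being allocated for an untrusted PR.
            when {
                beforeAgent true
                expression { isTrustedBuild() }
            }
            agent { label 'trusted-publisher' }        // placeholder label
            steps {
                withCredentials([string(credentialsId: 'deploy-token', variable: 'DEPLOY_TOKEN')]) {
                    sh './publish.sh'                  // placeholder; reads DEPLOY_TOKEN from env
                }
            }
        }
    }
}
```

The gate in the Jenkinsfile only holds together with the job setting Mark describes: untrusted pull requests must be built with the Jenkinsfile from the target branch, not from the PR head, otherwise the PR can simply remove the `when` block and reach the credentials. The two controls are complementary: the container limits what untrusted test code can do, and the trust check limits what it can reach.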
