Re: sec-170: What need plugins to do to declare vars they provide?

2016-05-13 Thread Kanstantsin Shautsou

> On May 13, 2016, at 01:33, Jesse Glick wrote:
> 
> Just set variables according to a `Cause` or similar.
> 
> --
> You received this message because you are subscribed to a topic in the Google 
> Groups "Jenkins Developers" group.
> To unsubscribe from this topic, visit 
> https://groups.google.com/d/topic/jenkinsci-dev/YNLEDaGUsgg/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to 
> jenkinsci-dev+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr3jBSXM%2BEN7QQnKUjbPxFcjFm%2BMQ%3DQiiabok9KJzh9a9A%40mail.gmail.com.
> For more options, visit https://groups.google.com/d/optout.
Where? EnvironmentContributor? It participates in the spaghetti routines of 
variable resolvers that are full of infinite bugs for different types of jobs. It 
is the wrong architecture for providing things that must be there in the first place 
(triggered values and cause) instead of doing additional resolution calls and 
duplicating everything else.
Where is the trusted field in StringParameter or any other objects then?

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/A3E547EE-AEBC-4A15-BDEA-4142E001914D%40gmail.com.
For more options, visit https://groups.google.com/d/optout.




Re: sec-170: What need plugins to do to declare vars they provide?

2016-05-12 Thread Jesse Glick
Just set variables according to a `Cause` or similar.



Re: sec-170: What need plugins to do to declare vars they provide?

2016-05-12 Thread Kanstantsin Shautsou
EnvironmentContributor is the worst thing for trigger plugins imho. Trigger 
plugins inject known, safe, named variables; they should never be 
filtered out from job variables. 
Hiding vars for already set-up envs sounds like a disaster.

On Thursday, May 12, 2016 at 5:54:26 PM UTC+3, Daniel Beck wrote:
>
> > On 12.05.2016, at 16:47, Robert Sandell wrote: 
> > 
> > But at the same time I need to get a fix out for my users. 
>
> I fear that early implementations to handle this new restriction will be 
> heavily copy/pasted. So even if you intend to switch to a different 
> approach as soon as you consider it viable, other plugins may not, 
> perpetuating this hackish approach. 



Re: sec-170: What need plugins to do to declare vars they provide?

2016-05-12 Thread Daniel Beck

> On 12.05.2016, at 16:47, Robert Sandell wrote:
> 
> But at the same time I need to get a fix out for my users. 

I fear that early implementations to handle this new restriction will be 
heavily copy/pasted. So even if you intend to switch to a different approach as 
soon as you consider it viable, other plugins may not, perpetuating this 
hackish approach.



Re: sec-170: What need plugins to do to declare vars they provide?

2016-05-12 Thread Robert Sandell
On Thu, May 12, 2016 at 3:52 PM, Daniel Beck wrote:

>
> > On 12.05.2016, at 15:08, Robert Sandell wrote:
> >
> > System.setProperty("hudson.model.ParametersAction.safeParameters", existing + "MY,OWN")
> > seems like a valid option without breaking anything to me?
>
> May just be me, but this looks like a clear abuse of the escape hatch user
> option.
>
> Note that we don't guarantee that system properties stick around forever,
> so a solution using supported APIs would be a better idea.
>
> If the extra parameters warning message is what's motivating this
> approach, maybe we should look into changing that instead?
>

Yes, I think we should; I can only blame myself for not being around to
catch it before it was merged :)
But at the same time I need to get a fix out for my users.





-- 
Robert Sandell
*Software Engineer*
*CloudBees Inc.*



Re: sec-170: What need plugins to do to declare vars they provide?

2016-05-12 Thread Daniel Beck

> On 12.05.2016, at 15:08, Robert Sandell wrote:
> 
> System.setProperty("hudson.model.ParametersAction.safeParameters", existing + "MY,OWN") 
> seems like a valid option without breaking anything to me?

May just be me, but this looks like a clear abuse of the escape hatch user 
option.

Note that we don't guarantee that system properties stick around forever, so a 
solution using supported APIs would be a better idea.

If the extra parameters warning message is what's motivating this approach, 
maybe we should look into changing that instead?



Re: sec-170: What need plugins to do to declare vars they provide?

2016-05-12 Thread Robert Sandell
On Thu, May 12, 2016 at 2:33 PM, Daniel Beck wrote:

>
> > On 12.05.2016, at 11:03, Robert Sandell wrote:
> >
> > so I'm going to try to hack my way to adding to the safeParameters field
> > instead
>
> Are you trying to force me into removing it?
>
Really?
System.setProperty("hudson.model.ParametersAction.safeParameters", existing + "MY,OWN")
seems like a valid option without breaking anything to me?




-- 
Robert Sandell
*Software Engineer*
*CloudBees Inc.*



Re: sec-170: What need plugins to do to declare vars they provide?

2016-05-12 Thread Daniel Beck

> On 12.05.2016, at 10:48, 'Björn Pedersen' via Jenkins Developers wrote:
> 
> Since sec-170 all unknown variables will get dropped. What needs to be done 
> in a plugin to correctly declare the vars they provide?

My blog post mentions a few options towards the end:
https://jenkins.io/blog/2016/05/11/security-update/

Personally I'd prefer plugin developers use the second option -- often, what's 
passed as parameters isn't actually a parameter per se; it probably just was 
the most straightforward way to implement it.



Re: sec-170: What need plugins to do to declare vars they provide?

2016-05-12 Thread Daniel Beck

> On 12.05.2016, at 11:03, Robert Sandell wrote:
> 
> so I'm going to try to hack my way to adding to the safeParameters field 
> instead

Are you trying to force me into removing it?



Re: sec-170: What need plugins to do to declare vars they provide?

2016-05-12 Thread Robert Sandell
One alternative is to implement an EnvironmentContributor, one example
here https://github.com/jenkinsci/ghprb-plugin/pull/336

If I'm reading the code correctly on ParametersAction the above alternative
would still print nasty warnings in the Jenkins log though, so I'm going to
try to hack my way to adding to the safeParameters field instead.

/B

On Thu, May 12, 2016 at 10:48 AM, 'Björn Pedersen' via Jenkins Developers
<jenkinsci-dev@googlegroups.com> wrote:

> Hi,
>
> Since sec-170 all unknown variables will get dropped. What needs to be
> done in a plugin to correctly declare the vars they provide?
>
> Björn
>



-- 
Robert Sandell
*Software Engineer*
*CloudBees Inc.*

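An added example, not code from this thread, from the ghprb plugin, or from any other Jenkins plugin: it sketches the supported-API route that Jesse Glick ("set variables according to a `Cause`") and Robert Sandell (an `EnvironmentContributor`) describe above, so that a trigger plugin does not have to pass its values as build parameters or append to the `hudson.model.ParametersAction.safeParameters` system property. The package `org.example.trigger`, the class names `MyTriggerCause` and `MyTriggerEnvironmentContributor`, and the variable names `MY_BRANCH` and `MY_COMMIT` are assumptions made for illustration; `Cause`, `EnvironmentContributor`, `Run.getCause`, `EnvVars` and `@Extension` are the real Jenkins core APIs.

```java
// Added illustration, not from the thread or any plugin. Two source files
// are shown back to back; the names below are assumed for the example.

// --- file: org/example/trigger/MyTriggerCause.java ---
package org.example.trigger;

import hudson.model.Cause;

/**
 * Records the values the trigger fired with. They live on the build as
 * its Cause, not as build parameters, so ParametersAction never sees them
 * and SEC-170's undefined-parameter filtering does not apply to them.
 */
public class MyTriggerCause extends Cause {
    private final String branch;
    private final String commit;

    public MyTriggerCause(String branch, String commit) {
        this.branch = branch;
        this.commit = commit;
    }

    public String getBranch() {
        return branch;
    }

    public String getCommit() {
        return commit;
    }

    @Override
    public String getShortDescription() {
        // Shown on the build page; keep it to the two fields we own.
        return "Triggered for branch " + branch + " at commit " + commit;
    }
}

// --- file: org/example/trigger/MyTriggerEnvironmentContributor.java ---
package org.example.trigger;

import hudson.EnvVars;
import hudson.Extension;
import hudson.model.EnvironmentContributor;
import hudson.model.Run;
import hudson.model.TaskListener;
import java.io.IOException;

/**
 * Exposes the Cause's values to the build environment under fixed names
 * that the plugin controls. Builds not started by this trigger get nothing.
 */
@Extension
public class MyTriggerEnvironmentContributor extends EnvironmentContributor {

    @Override
    public void buildEnvironmentFor(Run r, EnvVars envs, TaskListener listener)
            throws IOException, InterruptedException {
        MyTriggerCause cause = r.getCause(MyTriggerCause.class);
        if (cause == null) {
            return; // not one of ours: contribute no variables at all
        }
        // Fixed, plugin-chosen names: nothing submitted from outside can
        // pick the variable name, only the value.
        envs.put("MY_BRANCH", cause.getBranch());
        envs.put("MY_COMMIT", cause.getCommit());
    }
}
```

The variable names are chosen by the plugin and only the values come from the trigger event, which is the property that separates this from the parameter route SEC-170 restricts: an external caller cannot introduce arbitrary variable names into the build. The values themselves (branch names, commit identifiers) are still externally supplied data, so build steps that interpolate `MY_BRANCH` or `MY_COMMIT` into shell commands should quote them as they would any other untrusted input.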