[JIRA] (JENKINS-28178) Option to disable sandbox in CpsScmFlowDefinition
Fernando Nasser commented on JENKINS-28178:

Third that.

This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)
--
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.162496.1430411624000.5778.1581371162198%40Atlassian.JIRA.
[JIRA] (JENKINS-28178) Option to disable sandbox in CpsScmFlowDefinition
Christoph Henrici commented on JENKINS-28178:

Second matt matthews
[JIRA] (JENKINS-28178) Option to disable sandbox in CpsScmFlowDefinition
matt matthews edited a comment on JENKINS-28178:

Suggesting to just use shared/trusted libraries is not enough IMHO, we need a switch to turn this stuff off.

As an example, today I have a basic Jenkinsfile that's throwing errors with [].tail():
Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods tail java.lang.Object[]. Job console offers a link to go to the ScriptApproval URL to approve, but then it does not remember the approval.. I return to the job generating the error and then it happens again in exactly the same way, telling me to approve. There's nothing further I can even do here to debug that problem (which is just another distraction from the work I really want to do), so I get forced into rewriting `[].tail()` as different-but-equivalent groovy, something with `[].findAll{}`, which just works.

So why is Jenkins not remembering the approvals? Why is `findAll` safer than `tail`? Why does this plugin exist in the ecosystem if it doesn't work and can't work? https://wiki.jenkins.io/display/JENKINS/Permissive+Script+Security+Plugin

Like other users, our Jenkins is behind a VPN, and we have multiple Jenkins instances so that we don't have to deal with all the complexity of highly granular user/job/credential permissioning. Since all people who can log in to a given instance are admins on that instance.. our experience is that none of script-security stuff adds security, it just degrades our stability.

Please, can we just get a config option to just turn this off everywhere?
[JIRA] (JENKINS-28178) Option to disable sandbox in CpsScmFlowDefinition
Pavel Rogovoy updated an issue: Jenkins / JENKINS-28178 Option to disable sandbox in CpsScmFlowDefinition
Change By: Pavel Rogovoy
Priority: Blocker Critical
[JIRA] (JENKINS-28178) Option to disable sandbox in CpsScmFlowDefinition
Pavel Rogovoy updated an issue: Jenkins / JENKINS-28178 Option to disable sandbox in CpsScmFlowDefinition
Change By: Pavel Rogovoy
Priority: Critical Blocker
[JIRA] (JENKINS-28178) Option to disable sandbox in CpsScmFlowDefinition
Pavel Rogovoy updated an issue: Jenkins / JENKINS-28178 Option to disable sandbox in CpsScmFlowDefinition
Change By: Pavel Rogovoy
Issue Type: Improvement Bug
[JIRA] (JENKINS-28178) Option to disable sandbox in CpsScmFlowDefinition
Pavel Rogovoy updated an issue: Jenkins / JENKINS-28178 Option to disable sandbox in CpsScmFlowDefinition
Change By: Pavel Rogovoy
Priority: Major Critical
[JIRA] (JENKINS-28178) Option to disable sandbox in CpsScmFlowDefinition
Pavel Rogovoy commented on JENKINS-28178:

+1 for adding a feature to turn off the script security altogether. I spend a lot of time fighting with this even though everyone is admin on the team. "Permissive Script Security" plugin is not the best solution as it doesn't work for us! I think this feature must be disabled altogether as it performs very awfully as of today.
[JIRA] (JENKINS-28178) Option to disable sandbox in CpsScmFlowDefinition
Jesse Glick assigned an issue to Unassigned: Jenkins / JENKINS-28178 Option to disable sandbox in CpsScmFlowDefinition
Change By: Jesse Glick
Assignee: Federico Naum
[JIRA] (JENKINS-28178) Option to disable sandbox in CpsScmFlowDefinition
Federico Naum edited a comment on JENKINS-28178:

Hi

Sorry for the noise, I got this working now. I re-read the documentation at https://jenkins.io/doc/book/pipeline/shared-libraries/ and found this piece of text which I think was not there the first time I read it:

> For Shared Libraries which only define Global Variables (vars/), or a Jenkinsfile which only needs a Global Variable, the annotation pattern @Library('my-shared-library') _ may be useful for keeping code concise. In essence, instead of annotating an unnecessary import statement, the symbol _ is annotated.

Anyway, basically now (without using the permissive plugin script, https://wiki.jenkins-ci.org/display/JENKINS/Permissive+Script+SecuIrity+Plugin) this is working by switching

@Library('library@BranchName')
import foo

where foo is a file in /var/foo.groovy, with the following notation:

@Library('library@BranchName') _

A bit anti-intuitive for me, but hey.. I'm happy that this is working
[JIRA] (JENKINS-28178) Option to disable sandbox in CpsScmFlowDefinition
Federico Naum edited a comment on JENKINS-28178:

Just checking if the issue I'm seeing is the same as this one.

I have a global shared library (https://wiki.jenkins-ci.org/display/JENKINS/Pipeline+Shared+Groovy+Libraries+Plugin) setup that works fine, but when I try to run something from a branch using the Library('library@BranchName') notation I get the hudson.remoting.ProxyException: groovy.lang.MissingMethodException: exception.

The thing is that I'm running the job with the admin user which has full permissions. Also, the exception is not logged under In-process Script Approval so I cannot whitelist it.

Is this another bug or is it the same? Do you need logs or something?

Since we do trust all the authenticated users and since we are using github enterprise as the backend for the global shared library, we have every branch created and every commit logged, so I gave the permissive plugin script (https://wiki.jenkins-ci.org/display/JENKINS/Permissive+Script+SecuIrity+Plugin) a try, but it did not work. If the configuration toggle is not going to be implemented, I think my next step is to recompile this plugin with the sandbox disabled?
[JIRA] (JENKINS-28178) Option to disable sandbox in CpsScmFlowDefinition
Federico Naum assigned an issue to Federico Naum: Jenkins / JENKINS-28178 Option to disable sandbox in CpsScmFlowDefinition
Change By: Federico Naum
Assignee: Jesse Glick Federico Naum
[JIRA] (JENKINS-28178) Option to disable sandbox in CpsScmFlowDefinition
Jesse Glick commented on JENKINS-28178:

Do not install that plugin unless as an admin you can verify that either all authenticated users are fully trusted, or there is no way anyone can either create jobs or edit Pipeline script. I really do not recommend it.
[JIRA] (JENKINS-28178) Option to disable sandbox in CpsScmFlowDefinition
Danny Kirchmeier edited a comment on JENKINS-28178:

> It would be possible to create a plugin that whitelisted everything automatically. It would not disable the sandbox but would make it allow everything. Creating this functionality as a separate plugin would be preferable to having it as part of the core functionality. This way users who want to disable the sandbox can actively do so but others aren't exposed to large security holes through misconfigurations. Can we get someone to volunteer to create such a plugin?

It appears someone may have created such a plugin: https://wiki.jenkins-ci.org/display/JENKINS/Permissive+Script+Security+Plugin

I haven't had a chance to try this plugin out for myself, but it looks promising.
[JIRA] (JENKINS-28178) Option to disable sandbox in CpsScmFlowDefinition
Patrick Wolf edited a comment on JENKINS-28178:

Regarding the sandbox there are a few things I wanted to point out:

* The built in whitelist (and blacklist) for Script Security is available in GitHub and can be updated via a Pull Request to add more signatures. This is a great way to add common, safe functions to the sandbox that benefits everyone:
  * Whitelists: https://github.com/jenkinsci/script-security-plugin/tree/master/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists
  * Ticket on how to update whitelist: https://issues.jenkins-ci.org/browse/JENKINS-25804
* If you create a Shared library at the Jenkins master level all functions in this library are assumed to be safe (users must have run_script access to create add these libraries) and will bypass the sandbox.
  * Shared Libraries: https://github.com/jenkinsci/workflow-cps-global-lib-plugin
* As I mentioned in a previous comment above it is possible to append or override the Sandbox with a plugin. It would be possible to create a plugin that whitelisted everything automatically. It would not disable the sandbox but would make it allow everything. Creating this functionality as a separate plugin would be preferable to having it as part of the core functionality. This way users who want to disable the sandbox can actively do so but others aren't exposed to large security holes through misconfigurations. Can we get someone to volunteer to create such a plugin?
  * Comment: https://issues.jenkins-ci.org/browse/JENKINS-28178?focusedCommentId=255040=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-255040
* Lastly, Andrew Bayer presented the new Declarative Pipeline syntax at Jenkins World. This is installed with the pipeline-model-definition plugin. This plugin extends Pipeline to include a declarative syntax that does not allow imperative scripting but simplifies the construction of pipeline stages, notifications, docker images, etc to execute pipeline steps. Having end users build their Pipelines using the declarative model with no scripting also allows any syntax errors to be found during compilation, instead of runtime, and should not trigger any script security errors, any Groovy methods would be built into the step definitions themselves.
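Added example, not part of the thread and not code from the script-security plugin: the rejection message quoted earlier in the thread carries a signature in the same `kind class member argtypes` form as the lines in the whitelist files linked above, so console logs can be reduced to a deduplicated review list before anything is approved or proposed upstream. The sample log and the `REVIEW_FIRST` list of receiver classes are constructed assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Signature kinds used by script-security whitelist lines.
KINDS = ("field", "method", "new", "staticField", "staticMethod")

# Assumption for this example: receiver classes (or package prefixes) that an
# admin should look at before anything else. Not a list taken from the plugin.
REVIEW_FIRST = ("jenkins.model.", "hudson.model.", "java.io.File",
                "java.lang.Runtime", "java.lang.ProcessBuilder",
                "groovy.lang.GroovyShell")

REJECTION = re.compile(
    r"Scripts not permitted to use ((?:%s) \S.*)" % "|".join(KINDS))


@dataclass(frozen=True)
class Signature:
    kind: str
    cls: str
    member: str      # empty for constructors ("new")
    args: tuple

    def line(self):
        """Render the signature as it would appear in a whitelist file."""
        parts = [self.kind, self.cls]
        if self.member:
            parts.append(self.member)
        return " ".join(parts + list(self.args))

    def review_first(self):
        return self.cls.startswith(REVIEW_FIRST)


def parse_signature(text):
    """Parse 'kind class [member] [argtypes...]' into a Signature."""
    # A trailing full stop is sentence punctuation when the message is pasted
    # into a comment, not part of the signature.
    tokens = text.strip().rstrip(".").split()
    if len(tokens) < 2 or tokens[0] not in KINDS:
        raise ValueError("not a script-security signature: %r" % text)
    kind, cls, rest = tokens[0], tokens[1], tokens[2:]
    if kind == "new":
        return Signature(kind, cls, "", tuple(rest))
    if not rest:
        raise ValueError("missing member name: %r" % text)
    if kind in ("field", "staticField") and len(rest) != 1:
        raise ValueError("field signatures take no argument types: %r" % text)
    return Signature(kind, cls, rest[0], tuple(rest[1:]))


def rejected_signatures(log_lines):
    """Count each distinct rejected signature found in console log lines."""
    seen = Counter()
    for raw in log_lines:
        match = REJECTION.search(raw)
        if match:
            seen[parse_signature(match.group(1))] += 1
    return seen


def report(log_lines):
    """Return (whitelist line, count, review_first), sensitive classes first."""
    rows = [(sig.line(), count, sig.review_first())
            for sig, count in rejected_signatures(log_lines).items()]
    return sorted(rows, key=lambda row: (not row[2], -row[1], row[0]))


# Constructed sample console output (not taken from the thread).
SAMPLE_LOG = """\
[Pipeline] End of Pipeline
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods tail java.lang.Object[]
Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods tail java.lang.Object[].
Scripts not permitted to use staticMethod jenkins.model.Jenkins getInstance
Scripts not permitted to use new java.io.File java.lang.String
Finished: FAILURE
"""

if __name__ == "__main__":
    for line, count, flagged in report(SAMPLE_LOG.splitlines()):
        print("%-12s x%d  %s" % ("REVIEW FIRST" if flagged else "", count, line))
```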
[JIRA] (JENKINS-28178) Option to disable sandbox in CpsScmFlowDefinition
Title: Message Title Patrick Wolf edited a comment on JENKINS-28178 Re: Option to disable sandbox in CpsScmFlowDefinition Regarding the sandbox there are a few things I wanted to point out:* The built in whitelist (and blacklist) for Script Security is available in GitHub and can be updated via a Pull Request to add more signatures. This is a great way to add common, safe functions to the sandbox that benefits everyone:** https://github.com/jenkinsci/script-security-plugin/tree/master/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists** https://issues.jenkins-ci.org/browse/JENKINS-25804* If you create a Shared library at the Jenkins master level all functions in this library are assumed to be safe (users must have run_script access to create add these libraries) and will bypass the sandbox.** https://github.com/jenkinsci/workflow-cps-global-lib-plugin*As I mentioned in a previous comment above it is possible to append or override the Sandbox with a plugin. It would be possible to create a plugin that whitelisted everything automatically. It would not disable the sandbox but would make it allow everything. Creating this functionality as a separate plugin would be preferable to having it as part of the core functionality. This way users who want to disable the sandbox can actively do so but others aren't exposed to large security holes through misconfigurations. Can we get someone to volunteer to create such a plugin?** https://issues.jenkins-ci.org/browse/JENKINS-28178?focusedCommentId=255040=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-255040* Lastly, Andrew Bayer ([~abayer]) presented the new Declarative Pipeline syntax at Jenkins World. This is installed with the {{pipeline-model-definition}} plugin. This plugin extends Pipeline to include a declarative syntax that does not allow imperative scripting but simplifies the construction of pipeline stages, notifications, docker images, etc to execute pipeline steps. 
Having end users build their Pipelines using the declarative model with no scripting also allows any syntax errors to be found during compilation, instead of runtime, and should not trigger any script security errors, any Groovy methods would be built into the step definitions themselves. Add Comment
[JIRA] (JENKINS-28178) Option to disable sandbox in CpsScmFlowDefinition
Patrick Wolf commented on JENKINS-28178:

Regarding the sandbox there are a few things I wanted to point out:

- The built-in whitelist (and blacklist) for Script Security is available in GitHub and can be updated via a Pull Request to add more signatures. This is a great way to add common, safe functions to the sandbox that benefits everyone:
  https://github.com/jenkinsci/script-security-plugin/tree/master/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists
  https://issues.jenkins-ci.org/browse/JENKINS-25804
- If you create a Shared library at the Jenkins master level all functions in this library are assumed to be safe (users must have run_script access to add these libraries) and will bypass the sandbox.
  https://github.com/jenkinsci/workflow-cps-global-lib-plugin
- As I mentioned in a previous comment above it is possible to append or override the Sandbox with a plugin. It would be possible to create a plugin that whitelisted everything automatically. It would not disable the sandbox but would make it allow everything. Creating this functionality as a separate plugin would be preferable to having it as part of the core functionality. This way users who want to disable the sandbox can actively do so but others aren't exposed to large security holes through misconfigurations. Can we get someone to volunteer to create such a plugin?
  https://issues.jenkins-ci.org/browse/JENKINS-28178?focusedCommentId=255040=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-255040
- Lastly, Andrew Bayer presented the new Declarative Pipeline syntax at Jenkins World. This is installed with the pipeline-model-definition plugin. This plugin extends Pipeline to include a declarative syntax that does not allow imperative scripting but simplifies the construction of pipeline stages, notifications, docker images, etc. to execute pipeline steps.

Having end users build their Pipelines using the declarative model with no scripting also allows any syntax errors to be found during compilation, instead of runtime, and should not trigger any script security errors; any Groovy methods would be built into the step definitions themselves.
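The whitelist entries discussed in the comment above are plain signature lines of the form `kind class member argtypes`. The following is an added example, not code from this thread or from the Script Security plugin, showing how a reviewer could parse such lines and separate routine entries from ones that deserve a closer look before approval. The `SENSITIVE` prefix list, the function names and the sample lines are assumptions constructed for illustration.

```python
from collections import namedtuple

Signature = namedtuple("Signature", "kind cls member args")
# Kinds used in Script Security whitelist files; True = a member name follows the class.
KINDS = {"method": True, "staticMethod": True, "field": True,
         "staticField": True, "new": False}

# Assumption (this example's policy, not the plugin's): prefixes escalated to a human.
SENSITIVE = ("java.lang.Runtime", "java.lang.ProcessBuilder", "java.lang.System",
             "java.lang.reflect.", "java.io.File", "jenkins.model.Jenkins")

def parse_signature(line):
    """Parse one line; None for blank/comment lines, ValueError if malformed."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    parts = text.split()
    kind = parts[0]
    if kind not in KINDS:
        raise ValueError(f"unknown kind {kind!r}")
    first_arg = 3 if KINDS[kind] else 2
    if len(parts) < first_arg:
        raise ValueError("missing class or member name")
    member = parts[2] if KINDS[kind] else "<init>"
    args = tuple(parts[first_arg:])
    if kind in ("field", "staticField") and args:
        raise ValueError("field signatures take no argument types")
    return Signature(kind, parts[1], member, args)

def triage(lines):
    """Sort lines into accepted signatures, ones needing review, and rejects."""
    accepted, review, rejected = [], [], []
    for line in lines:
        try:
            sig = parse_signature(line)
        except ValueError as err:
            rejected.append((line.strip(), str(err)))
            continue
        if sig is not None:
            risky = "*" in line or sig.cls.startswith(SENSITIVE)
            (review if risky else accepted).append(sig)
    return accepted, review, rejected

# Constructed sample; the tail signature is the one quoted earlier in this thread.
SAMPLE = ["# proposed additions", "method java.lang.String length",
          "staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods tail java.lang.Object[]",
          "staticMethod java.lang.System exit int", "new java.io.File java.lang.String",
          "field java.lang.String", ".*"]
```

Calling `triage(SAMPLE)` accepts the two routine entries, routes the `java.lang.System` and `java.io.File` entries to review, and rejects the malformed field line and the bare `.*` pattern.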
[JIRA] (JENKINS-28178) Option to disable sandbox in CpsScmFlowDefinition
James Sandlin edited a comment on JENKINS-28178:

Yeah, we have a very small team that manages builds for 400+ DEV & QA. Our scripts & servers are a locked-down (2FA) environment to which only 5 people have access. If I can trust these 5 people with root access to a Fortune 500 company's production systems, I think I can trust them in Jenkins. Having Jenkins in this locked-down environment, we are obligated to provide data to developers via in-house scripting. Sadly we must write apps that run outside Jenkins to get data via the REST API and process for display. With the capabilities of Java sitting there behind our Pipeline scripts, it's very frustrating I can't utilize said capabilities.

Another option: Allow wildcards in the exception list so I can just add .* as allowed.
[JIRA] (JENKINS-28178) Option to disable sandbox in CpsScmFlowDefinition
Jimmy Ray edited a comment on JENKINS-28178:

So, I know I am late to the party on this one, but we have been struggling with similar issues, making choices whether or not to use `CpsScmFlowDefinition` or `CpsFlowDefinition`. And it comes down to forced sandbox. We considered rewriting the plugin, but we don't see that as a sustainable approach. There is a lot of additional functionality that we would like to use. I understand the security concerns around allowing sandbox behavior to be disabled at the job level. It's the tug-of-war between DEV and OPS. However, I would love to have this functionality. Is toggling the sandbox behavior for `CpsScmFlowDefinition` being considered?
[JIRA] (JENKINS-28178) Option to disable sandbox in CpsScmFlowDefinition
Jesse Glick commented on JENKINS-28178:

Faheem Nadeem whatever your issue is, it is not this. Given JENKINS-31155 and its support for trusted libraries which wrap otherwise unsafe calls, I am even less inclined to touch this.
[JIRA] (JENKINS-28178) Option to disable sandbox in CpsScmFlowDefinition
Jesse Glick updated an issue: Jenkins / JENKINS-28178 Option to disable sandbox in CpsScmFlowDefinition

Change By: Jesse Glick
Component/s: workflow-cps-plugin
Component/s: pipeline
[JIRA] (JENKINS-28178) Option to disable sandbox in CpsScmFlowDefinition
Volker Gimple commented on JENKINS-28178:

Thank you Danny - you made my day!