CVE-2019-1003029: [Jenkins] Script Security Plugin sandbox bypass


Affected versions: <= 1.53
Fix recommendation: upgrade the Script Security Plugin to 1.54
Official advisory: https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1336
Plugin's official diff:
https://github.com/jenkinsci/script-security-plugin/commit/f2649a7c0757aad0f6b4642c7ef0dd44c8fea434

The problem appears to be in:

 GroovySandbox#run(Script, Whitelist) 

According to the Jenkins wiki, this plugin

Allows Jenkins administrators to control what in-process scripts can be run by less-privileged users.

That is, it lets Jenkins administrators control which scripts lower-privileged users are allowed to run.
As for why the plugin exists, the official explanation is:

Various Jenkins plugins require that users define custom scripts, most commonly in the Groovy language, to customize Jenkins’s behavior. If everyone who writes these scripts is a Jenkins administrator—specifically if they have the Overall/RunScripts permission, used for example by the Script Console link—then they can write whatever scripts they like. These scripts may directly refer to internal Jenkins objects using the same API offered to plugins. Such users must be completely trusted, as they can do anything to Jenkins (even changing its security settings or running shell commands on the server).
However, if some script authors are “regular users” with only more limited permissions, such as Job/Configure, it is inappropriate to let them run arbitrary scripts. To support such a division of roles, the Script Security library plugin can be integrated into various feature plugins. It supports two related systems: script approval, and Groovy sandboxing.

Roughly: many Jenkins plugins require users to define custom scripts, usually written in Groovy. If everyone writing these scripts is an administrator, that is fine, because administrators hold the Overall/RunScripts permission and can run arbitrary scripts anyway (by design).
But if the authors are ordinary users with limited permissions, such as only Job/Configure, letting them run arbitrary scripts is inappropriate. To handle this, the Script Security plugin is integrated into various feature plugins so that administrators can manage which Groovy scripts ordinary users may run. There are two mechanisms:

Script Approval

Users may submit arbitrary scripts, but a script only runs once an administrator has approved it. Scripts queue up waiting for an administrator's review, the so-called In-process Script Approval.

Groovy Sandboxing

Always waiting for administrator approval is impractical: when a project is on a tight schedule, even a small change would have to queue for review, and the project could be dead by the time it is approved. So, as an option, the Script Security system lets a Groovy script run without approval as long as the script itself is harmless. While the script runs, every method call, object construction and field access is checked against a whitelist of permitted operations. If an operation that is not permitted is encountered, the script is killed immediately and the corresponding feature will not work as configured.
The Script Security plugin ships with a small default whitelist, and plugins that integrate Script Security can add further operations to the list.
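As an added illustration of the whitelist check described above (this is not code from the Script Security plugin), here is a minimal interceptor built on the groovy-sandbox library (org.kohsuke.groovy.sandbox), which the plugin builds on: every method call and constructor the sandboxed script attempts is looked up in a small allow list, and anything not on it is rejected. It assumes groovy-sandbox is on the classpath; the allow-list entries and the two sample scripts are constructed for the example.

```groovy
// Added example, not the plugin's own code. Assumes groovy-sandbox on the classpath.
import org.codehaus.groovy.control.CompilerConfiguration
import org.kohsuke.groovy.sandbox.GroovyInterceptor
import org.kohsuke.groovy.sandbox.SandboxTransformer

class AllowListInterceptor extends GroovyInterceptor {
    // Allowed method calls as "receiverClass methodName" (constructed, deliberately tiny)
    static final Set<String> METHODS = ['java.lang.String toUpperCase'] as Set
    // Allowed constructors by fully qualified class name (constructed)
    static final Set<String> CTORS = ['java.lang.StringBuilder'] as Set

    @Override
    Object onMethodCall(GroovyInterceptor.Invoker invoker, Object receiver,
                        String method, Object... args) throws Throwable {
        String key = "${receiver.getClass().name} ${method}"
        if (!METHODS.contains(key)) {
            throw new SecurityException("method not permitted: ${key}")
        }
        return super.onMethodCall(invoker, receiver, method, args)   // delegates to invoker
    }

    @Override
    Object onNewInstance(GroovyInterceptor.Invoker invoker, Class receiver,
                         Object... args) throws Throwable {
        if (!CTORS.contains(receiver.name)) {
            throw new SecurityException("constructor not permitted: new ${receiver.name}")
        }
        return super.onNewInstance(invoker, receiver, args)
    }
}

// Compile the script with SandboxTransformer (so calls are routed through the
// interceptor) and register the interceptor for the current thread while it runs.
Object runSandboxed(String script) {
    def cc = new CompilerConfiguration()
    cc.addCompilationCustomizers(new SandboxTransformer())
    def interceptor = new AllowListInterceptor()
    interceptor.register()
    try {
        return new GroovyShell(cc).evaluate(script)
    } finally {
        interceptor.unregister()
    }
}

println runSandboxed('"hello".toUpperCase()')      // on the list: prints HELLO
try {
    runSandboxed('new File("/tmp")')               // java.io.File is not on the list
} catch (SecurityException e) {
    println "script rejected: ${e.message}"
}
```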

Postscript

Later I came across CVE-2019-1003040
and found that even version 1.55 is not safe:

Sandbox protection in the Script Security and Pipeline: Groovy Plugins could be circumvented through methods supporting type casts and type coercion. This allowed attackers to invoke constructors for arbitrary types.

https://jenkins.io/security/advisory/2019-03-25/#SECURITY-1353
I took a look at my plugin manager and saw that the latest version is already 1.59, so as for the fix recommendation, upgrade to 1.56 or above.