Conversation

@meiswjn
Contributor

@meiswjn meiswjn commented May 17, 2022

This PR relates to jenkinsci/jenkins#6539, jenkinsci/script-security-plugin#416 and https://issues.jenkins.io/browse/JENKINS-68404. It serves the purpose of tracking potentially dangerous usages of groovy scripts.

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests that demonstrate the feature works or fixes the issue

@meiswjn
Contributor Author

meiswjn commented Mar 21, 2024

With jenkinsci/jenkins#7056 being merged, I will continue on this PR soon :)

@PierreBtz
Contributor

Thanks! Most of the conflicts you'll see are due to the introduction of spotless on the codeline.

@jglick
Member

jglick commented Aug 28, 2024

Still active?

@meiswjn
Contributor Author

meiswjn commented Sep 9, 2024

Still active?

Since I would love to see this feature, yes. However, there are many other more pressing things right now, but I definitely want to do this. However, if someone stumbles upon this before I find time, feel free!

…ener

# Conflicts:
#	pom.xml
#	src/main/java/hudson/plugins/audit_trail/AuditTrailPlugin.java
#	src/test/java/hudson/plugins/audit_trail/ConfigurationAsCodeTest.java
#	src/test/java/hudson/plugins/audit_trail/SimpleAuditTrailPluginConfiguratorHelper.java
@PierreBtz PierreBtz marked this pull request as ready for review August 16, 2025 14:10
@PierreBtz
Contributor

@meiswjn I took the liberty of refreshing this PR and adapting to the new ScriptListener API.
The migration to the new API is mostly straightforward, except for the source object which does not exist in Daniel's API.

I wrote a simple mapper to transform the feature object we now receive to the source object you had in order to keep the spirit of what you originally wrote.

@meiswjn meiswjn requested a review from timja August 20, 2025 13:01
@meiswjn
Contributor Author

meiswjn commented Aug 20, 2025

That's great, thanks @PierreBtz! Much appreciated.
Looking forward to having this reviewed.

@PierreBtz
Contributor

PierreBtz commented Aug 20, 2025

Well the problem is to find reviewers since I'm the only maintainer of the plugin.
I'll leave this open for some time and end up merging if nobody comes forward.

builder.append(script);
String log = builder.toString();
if (LOGGER.isLoggable(Level.FINE)) {
    LOGGER.log(Level.FINE, "Detected groovy script usage, details: {0}", new Object[] {log});
Member

I would be wary about logging scripts; this is user-controlled input data, they may be able to print data that messes with viewing of other logs?

FINE does mitigate the concern a bit though as it is only there for troubleshooting

Contributor

Fair concern especially when you still have log4shell in mind :)
That being said, I'd say that the FINE level mitigates the issue enough.
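On the log-forging concern raised in the review exchange above, an added example (not code from the audit-trail plugin or this PR): a helper that escapes control characters and caps the length of the script text before it reaches the logger, so a user-supplied script cannot emit what looks like a separate audit record or flood the log. `ScriptLogSanitizer`, `MAX_LOGGED_CHARS` and `logScriptUsage` are assumed names introduced for this illustration.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example, not the plugin's own code: neutralise user-controlled script
// text before it is written to the audit log.
public class ScriptLogSanitizer {
    private static final Logger LOGGER = Logger.getLogger(ScriptLogSanitizer.class.getName());
    private static final int MAX_LOGGED_CHARS = 2000; // assumed cap, not from the PR

    // Escapes CR/LF and other control characters so one script cannot span or
    // imitate several log records, and truncates oversized scripts.
    static String sanitizeForLog(String script) {
        StringBuilder out = new StringBuilder();
        int i = 0;
        for (; i < script.length() && out.length() < MAX_LOGGED_CHARS; i++) {
            char c = script.charAt(i);
            switch (c) {
                case '\n': out.append("\\n"); break;
                case '\r': out.append("\\r"); break;
                case '\t': out.append("\\t"); break;
                default:
                    if (c < 0x20 || c == 0x7f) {
                        out.append(String.format("\\u%04x", (int) c)); // other control chars
                    } else {
                        out.append(c);
                    }
            }
        }
        if (i < script.length()) {
            out.append("...[truncated]");
        }
        return out.toString();
    }

    // Same FINE gating as the reviewed snippet, but the script text is sanitized first.
    static void logScriptUsage(String script) {
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "Detected groovy script usage, details: {0}",
                    new Object[] {sanitizeForLog(script)});
        }
    }

    public static void main(String[] args) {
        // Constructed input: the second line would read like an unrelated log
        // record if the script were logged verbatim.
        String script = "println 'hello'\nFINE: script approved by admin";
        System.out.println("raw:       " + script.replace("\n", "<LF>"));
        System.out.println("sanitized: " + sanitizeForLog(script));
    }
}
```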

@PierreBtz PierreBtz merged commit 09bbe2c into jenkinsci:master Aug 31, 2025
17 checks passed
@meiswjn
Contributor Author

meiswjn commented Sep 26, 2025

Thanks @PierreBtz!
