Merge branch 'master' into CpsStepContext.completed

Author: jglick

.github/workflows/cd.yaml

@@ -31,7 +31,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Check interesting categories
-        uses: jenkins-infra/interesting-category-action@v1.0.0
+        uses: jenkins-infra/interesting-category-action@v1.1.0
         id: interesting-categories
         if: steps.verify-ci-status.outputs.result == 'success'
         with:
@@ -47,12 +47,12 @@ jobs:
       with:
         fetch-depth: 0
     - name: Set up JDK 8
-      uses: actions/setup-java@v2
+      uses: actions/setup-java@v3
       with:
-        distribution: 'adopt'
+        distribution: temurin
         java-version: 8
     - name: Release
-      uses: jenkins-infra/jenkins-maven-cd-action@v1.2.0
+      uses: jenkins-infra/jenkins-maven-cd-action@v1.3.0
       with:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         MAVEN_USERNAME: ${{ secrets.MAVEN_USERNAME }}

pom.xml

@@ -101,6 +101,7 @@
         <dependency>
             <groupId>org.jenkins-ci.plugins</groupId>
             <artifactId>script-security</artifactId>
+            <version>1172.v35f6a_0b_8207e</version> <!-- TODO: Remove once this version is included in BOM. -->
         </dependency>
         <dependency>
             <groupId>org.jenkins-ci.plugins</groupId>
@@ -148,6 +149,7 @@
             <groupId>org.jenkins-ci.plugins.workflow</groupId>
             <artifactId>workflow-job</artifactId>
             <scope>test</scope>
+            <version>1181.va_25d15548158</version> <!-- TODO: Remove once this version is included in BOM. -->
         </dependency>
         <dependency>
             <groupId>org.jenkins-ci.plugins.workflow</groupId>

src/main/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition.java

@@ -24,6 +24,7 @@
 
 package org.jenkinsci.plugins.workflow.cps;
 
+import edu.umd.cs.findbugs.annotations.NonNull;
 import hudson.Extension;
 import hudson.model.Action;
 import hudson.model.Item;
@@ -33,6 +34,8 @@
 import hudson.model.TaskListener;
 import hudson.util.FormValidation;
 import hudson.util.StreamTaskListener;
+import net.sf.json.JSONObject;
+import org.apache.commons.lang.StringUtils;
 import org.jenkinsci.plugins.workflow.cps.persistence.PersistIn;
 import org.jenkinsci.plugins.workflow.flow.DurabilityHintProvider;
 import org.jenkinsci.plugins.workflow.flow.FlowDefinition;
@@ -80,7 +83,8 @@ public CpsFlowDefinition(String script) {
     @DataBoundConstructor
     public CpsFlowDefinition(String script, boolean sandbox) {
         StaplerRequest req = Stapler.getCurrentRequest();
-        this.script = sandbox ? script : ScriptApproval.get().configuring(script, GroovyLanguage.get(), ApprovalContext.create().withCurrentUser().withItemAsKey(req != null ? req.findAncestorObject(Item.class) : null));
+        this.script = sandbox ? script : ScriptApproval.get().configuring(script, GroovyLanguage.get(),
+                ApprovalContext.create().withCurrentUser().withItemAsKey(req != null ? req.findAncestorObject(Item.class) : null), req == null);
         this.sandbox = sandbox;
     }
 
@@ -123,14 +127,41 @@ public CpsFlowExecution create(FlowExecutionOwner owner, TaskListener listener,
     @Extension
     public static class DescriptorImpl extends FlowDefinitionDescriptor {
 
+        /* In order to fix SECURITY-2450 without causing significant UX regressions, we decided to continue to
+         * automatically approve scripts on save if the script was modified by an administrator. To make this possible,
+         * we added a new hidden input field to the config.jelly to track the pre-save version of the script. Since
+         * CpsFlowDefinition calls ScriptApproval.configuring in its @DataBoundConstructor, the normal way to handle
+         * things would be to add an oldScript parameter to the constructor and perform the relevant logic there.
+         *
+         * However, that would have compatibility implications for tools like JobDSL, since @DataBoundConstructor
+         * parameters are required. We cannot use a @DataBoundSetter with a corresponding field and getter to trivially
+         * make oldScript optional, because we would need to call ScriptApproval.configuring after all
+         * @DataBoundSetters have been invoked (rather than in the @DataBoundConstructor), which is why we use Descriptor.newInstance.
+         */
+        @Override
+        public FlowDefinition newInstance(@NonNull StaplerRequest req, @NonNull JSONObject formData) throws FormException {
+            CpsFlowDefinition cpsFlowDefinition = (CpsFlowDefinition) super.newInstance(req, formData);
+            if (!cpsFlowDefinition.sandbox && formData.get("oldScript") != null) {
+                String oldScript = formData.getString("oldScript");
+                boolean approveIfAdmin = !StringUtils.equals(oldScript, cpsFlowDefinition.script);
+                if (approveIfAdmin) {
+                    ScriptApproval.get().configuring(cpsFlowDefinition.script, GroovyLanguage.get(),
+                            ApprovalContext.create().withCurrentUser().withItemAsKey(req.findAncestorObject(Item.class)), true);
+                }
+            }
+            return cpsFlowDefinition;
+        }
+
         @Override
         public String getDisplayName() {
             return "Pipeline script";
         }
 
         @RequirePOST
-        public FormValidation doCheckScript(@QueryParameter String value, @QueryParameter boolean sandbox) {
-            return sandbox ? FormValidation.ok() : ScriptApproval.get().checking(value, GroovyLanguage.get());
+        public FormValidation doCheckScript(@QueryParameter String value, @QueryParameter String oldScript,
+                                            @QueryParameter boolean sandbox) {
+            return sandbox ? FormValidation.ok() :
+                    ScriptApproval.get().checking(value, GroovyLanguage.get(), !StringUtils.equals(oldScript, value));
         }
 
         @RequirePOST

src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShellFactory.java

@@ -111,7 +111,7 @@ private ImportCustomizer makeImportCustomizer() {
 
     private ClassLoader makeClassLoader() {
         ClassLoader cl = Jenkins.get().getPluginManager().uberClassLoader;
-        return GroovySandbox.createSecureClassLoader(cl);
+        return new GroovySourceFileAllowlist.ClassLoaderImpl(execution, GroovySandbox.createSecureClassLoader(cl));
     }
 
     public CpsGroovyShell build() {

src/main/java/org/jenkinsci/plugins/workflow/cps/GroovySourceFileAllowlist.java

@@ -0,0 +1,226 @@
+/*
+ * The MIT License
+ *
+ * Copyright 2022 CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package org.jenkinsci.plugins.workflow.cps;
+
+import edu.umd.cs.findbugs.annotations.CheckForNull;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+import hudson.Extension;
+import hudson.ExtensionList;
+import hudson.ExtensionPoint;
+import hudson.Main;
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.net.URL;
+import java.nio.charset.StandardCharsets;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import jenkins.util.SystemProperties;
+import org.apache.commons.lang.StringUtils;
+
+/**
+ * Determines what Groovy source files can be loaded in Pipelines.
+ *
+ * In Pipeline, the standard behavior of {@code GroovyClassLoader} would allow Groovy source files from core or plugins
+ * to be loaded as long as they are somewhere on the classpath. This includes things like Groovy views, which are not
+ * intended to be available to pipelines. When these files are loaded, they are loaded by the trusted
+ * {@link CpsGroovyShell} and are not sandbox-transformed, which means that allowing arbitrary Groovy source files to
+ * be loaded is potentially unsafe.
+ *
+ * {@link ClassLoaderImpl} blocks all Groovy source files from being loaded by default unless they are allowed by an
+ * implementation of this extension point.
+ */
+public abstract class GroovySourceFileAllowlist implements ExtensionPoint {
+    private static final Logger LOGGER = Logger.getLogger(GroovySourceFileAllowlist.class.getName());
+    private static final String DISABLED_PROPERTY = GroovySourceFileAllowlist.class.getName() + ".DISABLED";
+    @SuppressFBWarnings(value = "MS_SHOULD_BE_FINAL", justification = "Non-final for script console access")
+    static boolean DISABLED = SystemProperties.getBoolean(DISABLED_PROPERTY);
+
+    /**
+     * Checks whether a given Groovy source file is allowed to be loaded by {@link CpsFlowExecution#getTrustedShell}.
+     *
+     * @param groovySourceFileUrl the absolute URL to the Groovy source file as returned by {@link ClassLoader#getResource}
+     * @return {@code true} if the Groovy source file may be loaded, {@code false} otherwise
+     */
+    public abstract boolean isAllowed(String groovySourceFileUrl);
+
+    public static List<GroovySourceFileAllowlist> all() {
+        return ExtensionList.lookup(GroovySourceFileAllowlist.class);
+    }
+
+    /**
+    * {@link ClassLoader} that acts normally except for returning {@code null} from {@link #getResource} and
+    * {@link #getResources} when looking up Groovy source files if the files are not allowed by
+    * {@link GroovySourceFileAllowlist}.
+    */
+    static class ClassLoaderImpl extends ClassLoader {
+        private static final String LOG_MESSAGE_TEMPLATE =
+                "Preventing {0} from being loaded without sandbox protection in {1}. " +
+                "To allow access to this file, add any suffix of its URL to the system property ‘" +
+                DefaultAllowlist.ALLOWED_SOURCE_FILES_PROPERTY + "’ (use commas to separate multiple files). If you " +
+                "want to allow any Groovy file on the Jenkins classpath to be accessed, you may set the system " +
+                "property ‘" + DISABLED_PROPERTY + "’ to true.";
+
+        private final String owner;
+
+        public ClassLoaderImpl(@CheckForNull CpsFlowExecution execution, ClassLoader parent) {
+            super(parent);
+            this.owner = describeOwner(execution);
+        }
+
+        private static String describeOwner(@CheckForNull CpsFlowExecution execution) {
+            if (execution != null) {
+                try {
+                    return execution.getOwner().getExecutable().toString();
+                } catch (IOException e) {
+                    // Not significant in this context.
+                }
+            }
+            return "unknown";
+        }
+
+        @Override
+        public URL getResource(String name) {
+            URL url = super.getResource(name);
+            if (DISABLED || url == null || !endsWithIgnoreCase(name, ".groovy") || isAllowed(url)) {
+                return url;
+            }
+            // Note: This message gets printed twice because of https://github.com/apache/groovy/blob/41b990d0a20e442f29247f0e04cbed900f3dcad4/src/main/org/codehaus/groovy/control/ClassNodeResolver.java#L184-L186.
+            LOGGER.log(Level.WARNING, LOG_MESSAGE_TEMPLATE, new Object[] { url, owner });
+            return null;
+        }
+
+        @Override
+        public Enumeration<URL> getResources(String name) throws IOException {
+            Enumeration<URL> urls = super.getResources(name);
+            if (DISABLED || !urls.hasMoreElements() || !endsWithIgnoreCase(name, ".groovy")) {
+                return urls;
+            }
+            List<URL> filteredUrls = new ArrayList<>();
+            while (urls.hasMoreElements()) {
+                URL url = urls.nextElement();
+                if (isAllowed(url)) {
+                    filteredUrls.add(url);
+                } else {
+                    LOGGER.log(Level.WARNING, LOG_MESSAGE_TEMPLATE, new Object[] { url, owner });
+                }
+            }
+            return Collections.enumeration(filteredUrls);
+        }
+
+        private static boolean isAllowed(URL url) {
+            String urlString = url.toString();
+            for (GroovySourceFileAllowlist allowlist : GroovySourceFileAllowlist.all()) {
+                if (allowlist.isAllowed(urlString)) {
+                    return true;
+                }
+            }
+            return false;
+        }
+
+        private static boolean endsWithIgnoreCase(String value, String suffix) {
+            int suffixLength = suffix.length();
+            return value.regionMatches(true, value.length() - suffixLength, suffix, 0, suffixLength);
+        }
+    }
+
+    /**
+     * Allows Groovy source files used to implement DSLs in plugins that were created before
+     * {@link GroovySourceFileAllowlist} was introduced.
+     */
+    @Extension
+    public static class DefaultAllowlist extends GroovySourceFileAllowlist {
+        private static final Logger LOGGER = Logger.getLogger(DefaultAllowlist.class.getName());
+        private static final String ALLOWED_SOURCE_FILES_PROPERTY = DefaultAllowlist.class.getCanonicalName() + ".ALLOWED_SOURCE_FILES";
+        /**
+         * A list containing suffixes of known-good Groovy source file URLs that need to be accessible to Pipeline code.
+         */
+        /* Note: Actual ClassLoader resource URLs depend on environmental factors such as webroot settings and whether
+         * we are currently testing one of the plugins in the list, so default-allowlist only contains the path
+         * component of the resource URLs, and we allow any resource URL that ends with one of the entries in the list.
+         *
+         * We could try to load the exact URLs at runtime, but then we would have to account for dynamic plugin loading
+         * (especially when a new Jenkins controller is initialized) and the fact that workflow-cps is always a
+         * dependency of these plugins.
+         */
+        static final List<String> ALLOWED_SOURCE_FILES = new ArrayList<>();
+
+        public DefaultAllowlist() throws IOException {
+            // We load custom entries first to improve performance in case .groovy is used for the property.
+            String propertyValue = SystemProperties.getString(ALLOWED_SOURCE_FILES_PROPERTY, "");
+            for (String groovyFile : propertyValue.split(",")) {
+                groovyFile = StringUtils.trimToNull(groovyFile);
+                if (groovyFile != null) {
+                    if (groovyFile.endsWith(".groovy")) {
+                        ALLOWED_SOURCE_FILES.add(groovyFile);
+                        LOGGER.log(Level.INFO, "Allowing Pipelines to access {0}", groovyFile);
+                    } else {
+                        LOGGER.log(Level.WARNING, "Ignoring invalid Groovy source file: {0}", groovyFile);
+                    }
+                }
+            }
+            loadDefaultAllowlist(ALLOWED_SOURCE_FILES);
+            // Some plugins use test-specific Groovy DSLs.
+            if (Main.isUnitTest) {
+                ALLOWED_SOURCE_FILES.addAll(Arrays.asList(
+                        // pipeline-model-definition
+                        "/org/jenkinsci/plugins/pipeline/modeldefinition/agent/impl/LabelAndOtherFieldAgentScript.groovy",
+                        "/org/jenkinsci/plugins/pipeline/modeldefinition/parser/GlobalStageNameTestConditionalScript.groovy",
+                        "/org/jenkinsci/plugins/pipeline/modeldefinition/parser/GlobalStepCountTestConditionalScript.groovy"
+                ));
+            }
+        }
+
+        private static void loadDefaultAllowlist(List<String> allowlist) throws IOException {
+            try (InputStream is = GroovySourceFileAllowlist.class.getResourceAsStream("GroovySourceFileAllowlist/default-allowlist");
+                    BufferedReader reader = new BufferedReader(new InputStreamReader(is, StandardCharsets.UTF_8));) {
+                String line;
+                while ((line = reader.readLine()) != null) {
+                    line = line.trim();
+                    if (!line.isEmpty() && !line.startsWith("#")) {
+                        allowlist.add(line);
+                    }
+                }
+            }
+        }
+
+        @Override
+        public boolean isAllowed(String groovySourceFileUrl) {
+            for (String sourceFile : ALLOWED_SOURCE_FILES) {
+                if (groovySourceFileUrl.endsWith(sourceFile)) {
+                    return true;
+                }
+            }
+            return false;
+        }
+    }
+
+}

src/main/resources/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition/config.jelly

@@ -24,6 +24,7 @@
   -->
 
 <j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form" xmlns:st="jelly:stapler" xmlns:wfe="/org/jenkinsci/plugins/workflow/editor">
+  <input type="hidden" name="oldScript" value="${instance.script}"/>
   <f:entry title="${%Script}" field="script">
     <wfe:workflow-editor />
   </f:entry>