[JENKINS-33256] Untrusted PRs #29
Looks great, waiting for
LGTM
@@ -50,7 +51,7 @@ | |||
<dependency> | |||
<groupId>org.jenkins-ci.plugins</groupId> | |||
<artifactId>github-api</artifactId> | |||
<version>1.71</version> | |||
<version>1.72</version> |
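Review bot: the github-api bump from 1.71 to 1.72 in this pom.xml hunk carries no rationale in the change itself; the only explanation in the thread is that 1.71 was published without a *-sources.jar, and the same comment calls the bump "not really necessary". Record that reason in the commit message, and state whether the plugin relies on any behaviour that differs between the two github-api releases, so a reviewer can tell the bump apart from the untrusted-PR change.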
Not really necessary, but somehow @kohsuke seems to have published 1.71 without a *-sources.jar, making it harder to debug issues.
This pull request originates from a CloudBees employee. At CloudBees, we require that all pull requests be reviewed by other CloudBees employees before we seek to have the change accepted. If you want to learn more about our process please see this explanation.
Now when you build cloudbeers/PR-demo#6 you see a warning in the build log that the PR is untrusted (there is also a matching warning in branch indexing), and
Thank you for this pull request! Please check this document for how the Jenkins project handles pull requests.
* Quickest is to check whether the author of the PR | ||
* <a href="https://developer.github.com/v3/repos/collaborators/#check-if-a-user-is-a-collaborator">is a collaborator of the repository</a>. | ||
* By checking <a href="https://developer.github.com/v3/repos/collaborators/#list-collaborators">all collaborators</a> | ||
* it is possible to further ascertain if they are in a team which was specifically granted push permission, |
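Review bot: the Javadoc on these lines presents the single-user collaborator endpoint as the quickest check but does not document the limitation raised in the discussion: that endpoint also succeeds for read-only collaborators, and because it returns no permissions set, push permission can only be confirmed by listing all collaborators (following the Link headers with rel="next") and reading permissions.push. State that caveat in the comment so a maintainer does not take the quick check as authoritative.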
Cf. this tip. To check its effectiveness:
if curl -u YOU:ACCESSTOKEN -s -f https://api.github.com/repos/ORG/REPO/collaborators/SOMEONE; then echo trusted; else echo untrusted; fi
Currently gives a false positive for people in a read-only team (which almost certainly means a private organization). I think this is a low risk; presumably such people are known to the administrator of the organization and would be leaving a clear audit trail if they attempted to file a PR with any kind of malicious content.
Since this API does not return a permissions set, the only way to verify that push permission is granted is to retrieve the full collaborators list and search for the user.
👍 @jglick I'd like to review the PR tonight; please give me some time before merging.
Specifically you can use jq:
curl -u YOU:ACCESSTOKEN -s https://api.github.com/repos/ORG/REPO/collaborators | jq '.[] | .login, .permissions.push'
but you need to manually follow Link headers with rel="next".
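Added example (not code from the plugin or from anyone in this thread) implementing the trust check described in this comment and the earlier collaborator comment: it follows the Link rel="next" pages of the collaborators list and reads permissions.push, so a read-only collaborator is listed but not trusted, which the single-user endpoint cannot tell apart. The HTTP transport is replaced by a constructed two-page stub; ORG/REPO and the logins are placeholders.

```python
import re
from typing import Callable, Dict, Iterator, List, Optional, Tuple
# Added example, not plugin code: walk the paginated GET /repos/ORG/REPO/collaborators
# list and decide trust from permissions.push, instead of relying on the single-user
# collaborator endpoint, which also succeeds for read-only collaborators.
Page = Tuple[List[dict], Dict[str, str]]  # (JSON body, response headers)
Fetcher = Callable[[str], Page]           # hypothetical transport; a stub stands in below
_LINK_RE = re.compile(r'<([^>]+)>;\s*rel="([^"]+)"')

def next_link(headers: Dict[str, str]) -> Optional[str]:
    """URL carrying rel="next" in a GitHub Link header, or None on the last page."""
    for url, rel in _LINK_RE.findall(headers.get("Link", "")):
        if rel == "next":
            return url
    return None

def iter_collaborators(fetch: Fetcher, first_url: str) -> Iterator[dict]:
    """Yield every collaborator object, following Link rel="next" until it is absent."""
    url: Optional[str] = first_url
    while url:
        body, headers = fetch(url)
        yield from body
        url = next_link(headers)

def is_collaborator(fetch: Fetcher, first_url: str, login: str) -> bool:
    """Naive check: listed at all. Read-only collaborators pass, hence the false positive."""
    return any(c["login"] == login for c in iter_collaborators(fetch, first_url))

def has_push(fetch: Fetcher, first_url: str, login: str) -> bool:
    """The check the thread settles on: listed AND permissions.push is true."""
    return any(c["login"] == login and c.get("permissions", {}).get("push", False)
               for c in iter_collaborators(fetch, first_url))

# Constructed two-page response standing in for api.github.com; ORG/REPO are placeholders.
BASE = "https://api.github.com/repos/ORG/REPO/collaborators"
_PAGES = {
    BASE: ([{"login": "maintainer", "permissions": {"admin": True, "push": True, "pull": True}},
            {"login": "reader", "permissions": {"admin": False, "push": False, "pull": True}}],
           {"Link": f'<{BASE}?page=2>; rel="next", <{BASE}?page=2>; rel="last"'}),
    BASE + "?page=2": ([{"login": "committer", "permissions": {"admin": False, "push": True, "pull": True}}],
                       {"Link": f'<{BASE}?page=1>; rel="prev", <{BASE}?page=1>; rel="first"'}),
}

def stub_fetch(url: str) -> Page:
    return _PAGES[url]

if __name__ == "__main__":
    for who in ("maintainer", "reader", "committer", "outsider"):
        print(who, "listed:", is_collaborator(stub_fetch, BASE, who), "push:", has_push(stub_fetch, BASE, who))
```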
🐝
IIUC for an untrusted PR this is going to build the synthetic merge commit but using the
From
GitHub calls it a “base” branch, but yes.
Yes.
No. I actually (tried to) explain this exact point earlier to @kzantow; see above thread.
OK, in tests we trust :) Although I don't get how it works, I'll try to investigate later by myself 🐝
Ah, ok.
Right.
Once the code to define
Everything is clear now, thanks for the explanation!
🐝 yes, much clearer after your explanations, thanks @jglick
@reviewbybees done but deferring a merge until after a proposed plugin release.
/** | ||
* Revision of a pull request which should load sensitive files from the base branch. | ||
*/ | ||
class UntrustedPullRequestSCMRevision extends AbstractGitSCMSource.SCMRevisionImpl { |
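Review bot: the Javadoc for UntrustedPullRequestSCMRevision says it loads "sensitive files" from the base branch without naming them; the discussion around this PR concerns the Jenkinsfile, so name the file(s) or point to the code that decides which paths count as sensitive. It would also help to document how this subclass relates to the alternative raised on this hunk, a single PullRequestSCMRevision with a boolean trusted field, since the reply explains that no such class exists yet and that introducing one may be needed for the settings migration anyway.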
@jglick Why not simplify PullRequestSCMRevision with a field boolean trusted?
There is no such class. Now as previously mentioned, it might be valuable to create such a class to solve things like JENKINS-33161 and JENKINS-33237 as well as correcting the retrieve overload bug, so it might be advisable to do that now to simplify the settings migration. (It is always possible to deprecate this class and readResolve to something else, but that leaves behind a small mess in the code.)
🐝 belated
Getting this exception after branch discovery (branches matching the criteria are discovered successfully but the
Using
@amuniz yeah I saw the same error. Cannot imagine how it could be a consequence of this PR, but you never know. I suspect it has something to do with a mixture of plugins built against Java 6 and 7. I will dig into it.
Unnecessary, since the 1.15 release should have everything.
Yeah, I realized that just now. And BTW I'm unable to manually test this PR because the failure is consistent (at least using
The issue is that this plugin defines its Jenkins baseline as 1.609.3 while it's using |
When the untrusted PR is filed against a branch that does not have a Jenkinsfile, then this message is shown:
I guess it is as designed because there is no
I asked @dariver (thanks!) to create a PR in a repository where he is not registered as collaborator and his PR was correctly untrusted. After that I added him as collaborator and forced a re-index, then his changes on
In conclusion, I think this is working like a charm, mega-🐝
Note: about the issue with
Ah right.
Well…not exactly “designed”, but I suppose an acceptable consequence. Means that if you want to use a PR to add a
Possible, or you can just test by other means:
JENKINS-33256

Downstream of jenkinsci/scm-api-plugin#5 and (implicitly) jenkinsci/pipeline-plugin#244.

PR-demo modifying Jenkinsfile from an outsider: Bad update to Jenkinsfile cloudbeers/PR-demo#6

@reviewbybees esp. @stephenc, @recena