/
filepath-filter.conf
49 lines (42 loc) · 2.67 KB
/
filepath-filter.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
# GENERATED FILE. DO NOT MODIFY.
#
# This file is for Jenkins core developers to list what we think are the best filtering rules
# for apparently harmless accesses to files on the Jenkins master from agents.
#
# To override these rules, place *.conf files by other names into this folder. Files are sorted
# before parsed, so using a lower number allows you to override what we have here. This file
# gets overwritten every time Jenkins starts.
#
# See https://www.jenkins.io/redirect/security-144 for more details.
# This directory contains credentials, master encryption keys, and other sensitive information
# that agents have absolutely no business with.
# Unless there are rules in other files allowing access to other portions of $JENKINS_HOME,
# this rule as it stands here has no effect, because anything left unspecified is rejected.
deny all <JENKINS_HOME>/secrets($|/.*)
# User content is publicly readable, so quite safe for agents to read, too.
# (The xunit plugin is known to read from here.)
# https://www.jenkins.io/redirect/user-content-directory
allow read,stat <JENKINS_HOME>/userContent($|/.*)
# In the next rule we grant general access under build directories, so first we protect
# the actual build record that Jenkins core reads, which nothing should be touching.
deny all <BUILDDIR>/build.xml
# Similarly for Pipeline build (WorkflowRun) metadata:
deny all <BUILDDIR>/program.dat
deny all <BUILDDIR>/workflow($|/.*)
deny all <BUILDDIR>/libs($|/.*)
deny all <BUILDDIR>/checkpoints($|/.*)
# Various plugins read/write files under build directories, so allow them all.
# - git 1.x writes changelog.xml from the agent (2.x writes from the master so need not be listed)
# - analysis-core and plugins based on it write reports to workspace-files/
# - cobertura writes coverage.xml
# - violations writes violations.xml and other content under violations/
# - dependency-check writes archive/artifacts.txt
# But not allowing deletion to prevent data loss and symlink to prevent jailbreaking.
allow create,mkdirs,read,stat,write <BUILDDIR>/.+
# cobertura also writes out annotated sources to a dir under the Maven module:
allow create,mkdirs,read,stat,write <JOBDIR>/modules/([^/]+)/cobertura($|/.*)
# Some maven-plugin reporters also create content outside of build directories (including one in cobertura but that is covered above):
allow create,mkdirs,read,stat,write <JENKINS_HOME>(/jobs/([^/]+))+(|/modules/([^/]+))/(javadoc|test-javadoc)($|/.*)
allow create,mkdirs,read,stat,write <JENKINS_HOME>(/jobs/([^/]+))+/site($|/.*)
# all the other accesses that aren't specified here will be left up to other rules in this directory.
# if no rules in those other files matches, then the access will be rejected.