selenium-plugin icon indicating copy to clipboard operation
selenium-plugin copied to clipboard
verified publisher icon jenkinsci

Implement fix for access control

Open patcadelina opened this issue 7 years ago • 1 comments

Slave To Master Access Control documents the need for plugins to properly implement access control so that whitelisting <JENKINS_HOME>/plugins/selenium/.* in <JENKINS_HOME>/secrets/filepath-filters.d/50-gui.conf would not be necessary.

Logs:

Starting Selenium nodes on <redacted>

Ouch:
java.io.IOException: Failed to copy <JENKINS_HOME>/plugins/selenium/WEB-INF/lib/selenium-server-standalone-3.12.0.jar to C:\Users\Administrator\selenium-server-standalone-3.12.0.jar
	at hudson.FilePath.copyTo(FilePath.java:2233)
	at hudson.plugins.selenium.callables.SeleniumCallable.invoke(SeleniumCallable.java:76)
	at hudson.plugins.selenium.callables.SeleniumCallable.invoke(SeleniumCallable.java:23)
	at hudson.FilePath$FileCallableWrapper.call(FilePath.java:3085)
	at hudson.remoting.UserRequest.perform(UserRequest.java:212)
	at hudson.remoting.UserRequest.perform(UserRequest.java:54)
	at hudson.remoting.Request$2.run(Request.java:369)
	at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72)
	at java.util.concurrent.FutureTask.run(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
	Suppressed: hudson.remoting.Channel$CallSiteStackTrace: Remote call to Selenium (sir-nssig92k)
		at hudson.remoting.Channel.attachCallSiteStackTrace(Channel.java:1741)
		at hudson.remoting.UserRequest$ExceptionResponse.retrieve(UserRequest.java:357)
		at hudson.remoting.Channel.call(Channel.java:955)
		at hudson.FilePath.act(FilePath.java:1071)
		at hudson.FilePath.act(FilePath.java:1060)
		at hudson.plugins.selenium.process.SeleniumJarRunner.start(SeleniumJarRunner.java:42)
		at hudson.plugins.selenium.configuration.global.SeleniumGlobalConfiguration.start(SeleniumGlobalConfiguration.java:50)
		at hudson.plugins.selenium.PluginImpl.startSeleniumNode(PluginImpl.java:503)
		at hudson.plugins.selenium.ComputerListenerImpl.onOnline(ComputerListenerImpl.java:30)
		at hudson.slaves.SlaveComputer.setChannel(SlaveComputer.java:693)
		at hudson.slaves.SlaveComputer.setChannel(SlaveComputer.java:432)
		at hudson.plugins.ec2.win.EC2WindowsLauncher.launch(EC2WindowsLauncher.java:70)
		at hudson.plugins.ec2.EC2ComputerLauncher.launch(EC2ComputerLauncher.java:122)
		at hudson.slaves.SlaveComputer$1.call(SlaveComputer.java:294)
		at jenkins.util.ContextResettingExecutorService$2.call(ContextResettingExecutorService.java:46)
		at jenkins.security.ImpersonatingExecutorService$2.call(ImpersonatingExecutorService.java:71)
		at java.util.concurrent.FutureTask.run(FutureTask.java:266)
		at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
		at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
		at java.lang.Thread.run(Thread.java:748)
Caused by: java.io.IOException: Failed to deserialize response to UserRequest:hudson.FilePath$CopyTo@3adba329: java.lang.SecurityException: agent may not read <JENKINS_HOME>/plugins/selenium/WEB-INF/lib/selenium-server-standalone-3.12.0.jar
See https://jenkins.io/redirect/security-144 for more details
	at hudson.remoting.Channel.call(Channel.java:963)
	at hudson.FilePath.act(FilePath.java:1071)
	at hudson.FilePath.act(FilePath.java:1060)
	at hudson.FilePath.copyTo(FilePath.java:2275)
	at hudson.FilePath.copyTo(FilePath.java:2230)
	... 11 more
Caused by: java.lang.SecurityException: agent may not read <JENKINS_HOME>/plugins/selenium/WEB-INF/lib/selenium-server-standalone-3.12.0.jar
See https://jenkins.io/redirect/security-144 for more details
	at jenkins.SoloFilePathFilter.noFalse(SoloFilePathFilter.java:33)
	at jenkins.SoloFilePathFilter.read(SoloFilePathFilter.java:43)
	at hudson.FilePath.reading(FilePath.java:3218)
	at hudson.FilePath.access$300(FilePath.java:212)
	at hudson.FilePath$CopyTo.invoke(FilePath.java:2289)
	at hudson.FilePath$CopyTo.invoke(FilePath.java:2281)
	at hudson.FilePath$FileCallableWrapper.call(FilePath.java:3085)
	at hudson.remoting.UserRequest.perform(UserRequest.java:212)
	at hudson.remoting.UserRequest.perform(UserRequest.java:54)
	at hudson.remoting.Request$2.run(Request.java:369)
	at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72)
	at org.jenkinsci.remoting.CallableDecorator.call(CallableDecorator.java:19)
	at hudson.remoting.CallableDecoratorList$1.call(CallableDecoratorList.java:21)
	at jenkins.util.ContextResettingExecutorService$2.call(ContextResettingExecutorService.java:46)
	at jenkins.security.ImpersonatingExecutorService$2.call(ImpersonatingExecutorService.java:71)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
	Suppressed: hudson.remoting.Channel$CallSiteStackTrace: Remote call to channel
		at hudson.remoting.Channel.attachCallSiteStackTrace(Channel.java:1741)
		at hudson.remoting.UserRequest$ExceptionResponse.retrieve(UserRequest.java:357)
		at hudson.remoting.Channel.call(Channel.java:955)
		at hudson.FilePath.act(FilePath.java:1071)
		at hudson.FilePath.act(FilePath.java:1060)
		at hudson.FilePath.copyTo(FilePath.java:2275)
		at hudson.FilePath.copyTo(FilePath.java:2230)
		at hudson.plugins.selenium.callables.SeleniumCallable.invoke(SeleniumCallable.java:76)
		at hudson.plugins.selenium.callables.SeleniumCallable.invoke(SeleniumCallable.java:23)
		at hudson.FilePath$FileCallableWrapper.call(FilePath.java:3085)
		at hudson.remoting.UserRequest.perform(UserRequest.java:212)
		at hudson.remoting.UserRequest.perform(UserRequest.java:54)
		at hudson.remoting.Request$2.run(Request.java:369)
		at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72)
		at java.util.concurrent.FutureTask.run(Unknown Source)
		at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
		at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
		at java.lang.Thread.run(Unknown Source)

patcadelina avatar Sep 27 '18 06:09 patcadelina

I had a quick look at implementing this. As far as I can tell this is non-trivial so I don't know if I'll have time for it.

rouke-broersma avatar May 17 '19 08:05 rouke-broersma