
Security issue with the plugin #71

Open
oh-rajendra opened this issue Dec 27, 2022 · 12 comments
Comments

@oh-rajendra

Jenkins and plugins versions report

Warning: This plugin version may not be safe to use. Please review the following security notices:
Stored XSS vulnerability
Stored XSS vulnerability
Arbitrary JSON and property file read vulnerability
CSRF vulnerability and missing permission checks allow SSRF

What Operating System are you using (both controller, and any agents involved in the problem)?

Linux

Anything else?

No response

@Ralkage

Ralkage commented Dec 30, 2022

Are these security issues being addressed?

@oh-rajendra
Author

They are not, there is no fix in any update. Please fix this security issue, or we will have to find an alternative to this plugin.

@chonton
Collaborator

chonton commented Dec 30, 2022

These issues are tracked elsewhere.
Pull requests are welcome.

@oh-rajendra
Author

@chonton can you please tell me where these issues are tracked?

@chonton
Collaborator

chonton commented Dec 30, 2022

https://issues.jenkins.io/browse/JENKINS-68096

@Wld1122

Wld1122 commented Feb 28, 2023

Any update on this?

@chonton
Collaborator

chonton commented Mar 5, 2023

Little visible progress. I have some hard decisions to make. Specifically, do I continue to support

  • reading configuration from property files
  • reading configuration from groovy
  • save input result to a property file

I am conflicted. I don't want to remove functionality that is used by many jobs, but these options are inherently unsafe.

With Jenkinsfile scripting, these options can easily be handled by pipeline steps.

@Ralkage, @oh-rajendra, @Wld1122, @turbolocust - Any thoughts on removing property file and/or groovy functionality?

@xjjx

xjjx commented May 3, 2023

Please do not remove groovy support. This is such a useful feature.

@chonton
Collaborator

chonton commented May 5, 2023

Useful, maybe. However, there are much better ways for a pipeline or freeform job to execute a groovy script. And, these alternatives have solved the security issues.

@xjjx

xjjx commented May 11, 2023

Hmm, I don't know what freeform is; can you provide a link to the documentation for it?
My example use case for this plugin is this: we have a single-select list of nodes, and the Groovy script that generates that list looks like

```groovy
// Resolves the label expression and returns the matching node names as a
// comma-separated string, which feeds the single-select parameter.
import jenkins.model.*

def J = Jenkins.get()
def l = J.getLabel('label1||label2')
List<String> nodes = l.getNodes().collect { it.getNodeName() }
return nodes.join(',')
```

So this is executed before the pipeline even starts, right after the user clicks the "Build with parameters" button.
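The "pipeline steps" route chonton mentions, as an added example that is not part of this thread or of the plugin's code: a scripted Jenkinsfile that covers the three features under discussion (reading configuration from a property file, computing a choice list with Groovy, saving the selected value to a property file), including xjjx's node-list use case. It assumes the Pipeline Utility Steps plugin is installed (it provides readProperties and nodesByLabel), a Jenkins recent enough that choice accepts a list for choices, and that the file names and the label expression label1||label2 are placeholders; the build.properties content is constructed sample input.

```groovy
// Added example, not code from this thread or from the plugin. A scripted
// Jenkinsfile that covers the three features discussed above with plain
// pipeline steps. Assumptions: the Pipeline Utility Steps plugin is installed
// (readProperties, nodesByLabel); the file names and the label expression
// 'label1||label2' are placeholders; build.properties is constructed input.
node {
    // 1. Reading configuration from a property file: readProperties parses
    //    the file as java.util.Properties. Nothing in it is evaluated as Groovy.
    writeFile file: 'build.properties', text: 'target=staging\nretries=3\n'
    Map cfg = readProperties file: 'build.properties', defaults: [retries: '1']
    echo "target=${cfg.target} retries=${cfg.retries}"

    // 2. Computing the node list (xjjx's use case) with a step implemented in
    //    Java. The Jenkinsfile stays inside the Groovy sandbox; no administrator
    //    has to approve jenkins.model.Jenkins.get or hudson.model.Label.getNodes
    //    in the script approval list.
    List<String> nodes = nodesByLabel label: 'label1||label2', offline: false

    // Re-declare the job's parameters from this run. Jenkins saves them when
    // the run completes, so "Build with parameters" offers the list computed
    // by the previous run (one build behind), and a brand-new job shows only
    // the fallback until it has run once. Passing 'choices' as a List assumes
    // a Jenkins recent enough to accept it; older versions want nodes.join('\n').
    properties([
        parameters([
            choice(name: 'TARGET_NODE',
                   choices: nodes ?: ['none'],
                   description: 'Agents matching label1||label2 at the previous run')
        ])
    ])

    // 3. Saving the selected value to a property file: write only the chosen
    //    name, so reading it back later with readProperties cannot run code either.
    String chosen = params.TARGET_NODE ?: 'none'
    writeFile file: 'result.properties', text: "selected_node=${chosen}\n"
    archiveArtifacts artifacts: 'result.properties'
}
```

The difference chonton is pointing at is where the Groovy runs. In the script xjjx posted, Groovy is evaluated on the controller at parameter-render time, and whoever can edit that parameter field decides what it does. In the Jenkinsfile above every piece of logic is a step: the property file is parsed rather than evaluated, the node lookup is a Java-implemented step, and the Jenkinsfile itself runs in the sandbox and is reviewed like any other source change. The price is the one-build lag on the choice list noted in the comments: the first run of a new job cannot offer a computed list, which is exactly the part of xjjx's use case that a parameter-time script provides.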

@julienlavergne

@chonton
In order to be given options, could you create another version of the plugin that removes these problematic features and mark the plugin as deprecated?

@SylivanKenobi

I think it should be removed. If there is really a need for this functionality people can either fork the repo or just not update to the version without these features.
