Security

The only known security concerns are as follows:

1. When Jenkins jobs are derived from jenni.models.PythonPipelineJobBase, which at the time of writing is implemented with a plain HTTP server listener (see stepserver.py, module jenni.stepserver), sensitive data could possibly be obtained by anyone able to capture traffic on the loopback network, because plain HTTP is used.

2. The stepserver listens on localhost, and an attacker could craft a malicious request that would cause a security incident.

Thus do not use jenni.models.PythonPipelineJobBase in an environment where the above issues could arise.
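One way a loopback listener of this kind can refuse requests from other local processes is to require a per-run secret on every POST. The sketch below is an added example, not jenni's code: `TokenCheckedHandler`, `start_checked_server`, `post`, the `X-Step-Token` header and `MAX_BODY` are assumed names, and it relates to concern 2 only, since the token still crosses the loopback interface in cleartext.

```python
import hmac
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical per-run secret; the parent would pass it to the job process
# out of band (for example in an environment variable).
TOKEN = secrets.token_urlsafe(32)
MAX_BODY = 64 * 1024  # assumed upper bound for one step request


class TokenCheckedHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", "0"))
        except ValueError:
            length = -1
        if not 0 <= length <= MAX_BODY:
            self.send_error(400, "bad Content-Length")
            return
        body = self.rfile.read(length)  # drain the body before answering
        supplied = self.headers.get("X-Step-Token", "")
        # Constant-time compare: no timing hint about how much of the token matched.
        if not hmac.compare_digest(supplied.encode(), TOKEN.encode()):
            self.send_error(403, "missing or wrong token")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"accepted %d bytes" % len(body))

    def log_message(self, fmt, *args):
        pass  # keep request details out of the job log


def start_checked_server():
    # Port 0: the OS picks a free port. 127.0.0.1: not reachable from other hosts.
    server = HTTPServer(("127.0.0.1", 0), TokenCheckedHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def post(port, token=None, data=b"step"):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {"X-Step-Token": token} if token else {}
    conn.request("POST", "/", body=data, headers=headers)
    status = conn.getresponse().status
    conn.close()
    return status
```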

Pipeline Execution Step Server

A proof of concept (POC). See above for security concerns.

class jenni.stepserver.SimpleHTTPRequestHandler(request, client_address, server)
do_POST()
log_request(code='-', size='-')

Log an accepted request.

This is called by send_response().

jenni.stepserver.execute_groovy(s, exit_status=None)
jenni.stepserver.get_free_port() → int
jenni.stepserver.start_server()