[JENKINS-65237] Bump Groovy from 2.4.12 to 2.4.21 #5939
Conversation
basil
added
dependencies
basil
changed the title
There was a problem hiding this comment.
I…guess this is OK. I looked over the changelogs and did not see anything alarming. I scanned through the aggregate diff looking at source files which would be relevant to groovy-sandbox and did not see anything alarming there either, though of course there were a lot of detailed changes that I could not follow. @dwnusbaum is probably in the best position to review this.
|
I was looking into this bump a while back and this is what I had found going through the changelogs. Nothing earth shattering, of course this was just changelogs, not actual code changes. |
There was a problem hiding this comment.
@dwnusbaum is probably in the best position to review this.
🤷♂️ I looked through the changes and everything is probably harmless, but I don't know for sure. There are some bug fixes and subtle changes to method/property selection-related code like apache/groovy@cf51a3f where I think it is pretty hard to tell at a glance whether the issue being fixed is relevant to us without a more detailed investigation, i.e. do groovy-sandbox and groovy-cps intercept the right thing after the fix, or do they at least behave the same way with both versions of Groovy? In general I am not concerned about functional regressions, but about potential security issues due to behavior changes in things that could not have been tested because they did not work previously.
GROOVY-8539 is slightly interesting in that no one could have ever used compound assignment syntax for boolean arrays before the fix, so it has never been tested in groovy-sandbox or groovy-cps, but I did a quick test locally and everything seems to be intercepted as expected with 2.4.21.
GROOVY-8428 appears to be the only new APIs that could be relevant to Jenkins users. I think it would make sense to add them to generic-whitelist in script-security when groovy-sandbox is updated assuming the Jenkins baseline in the plugin is updated as well.
I ran each test case from apache/groovy@cf51a3f through |
Yes, sorry I should have clarified that I did that as well before I wrote my comment, but it is not obvious to me whether the tests in question cover all relevant code paths, or only cover the most direct code path that shows the difference. Metaprogramming-related Groovy APIs are forbidden in the Jenkins sandbox, so those tests as-is are not really relevant to us. The thing that is not clear to me is whether the change affects otherwise normal attribute access, e.g. I am not blocking this, all I mean is that I cannot give a meaningfully more detailed review beyond what you and Jesse have already done by looking at the commits and changelogs without spending significantly more time looking through everything and doing some exploratory testing. If everyone thinks that we need a detailed review like that, I can ask my employer whether I can spend a couple of days really looking into this, but otherwise all I can say is that the update seems like it would probably be fine but I'm not completely sure. |
Thanks for the quick reply! I appreciate the concerns that have been raised, but is it possible we might be overthinking this? If there are any issues with this upgrade between now and the next LTS, we can always simply revert this PR. We are at the beginning of a new LTS cycle, so my vote would be to merge this PR and monitor Jira for reported regressions. If issues are discovered, we can revert this PR and then go through the detailed process you are describing. What do you think? |
Yeah, I am not really worried about functional regressions, since I think our test coverage is decent for most typical use cases, if some obscure case breaks there's a decent chance that it's something we don't really want people to be doing anyway, and if some common scenario breaks then reverting is no big deal like you said. My concern is pretty much solely in relation to introducing potential security vulnerabilities, since I think these are extremely unlikely to affect regular usage and so will go unnoticed unless someone is actively looking for them. I don't see anything obviously concerning here, unlike say a 3.x upgrade where there is lots of new syntax that would obviously need to be tested, but the sandbox escapes we have seen can be pretty subtle, so I just want to make sure that I do not imply that I have thoroughly reviewed every single change in the update looking for sandbox-related issues. |
I think https://www.jenkins.io/security/advisory/2019-11-21/#SECURITY-1658 or https://www.jenkins.io/security/advisory/2019-09-12/#SECURITY-1538 are examples of that? |
|
2.4.14 adds |
#5939 (review) says that we can add those to the allow list when bumping the version there but it doesn’t block this |
Well, not just the sandbox whitelist, but the list of DGM methods to process—if anyone ever cares. cloudbees/groovy-cps#115 (comment) |
|
The new methods don’t have a Closure parameter, so I don’t think there is
any reason to translate them.
…On Thu, Dec 2, 2021 at 09:09 Jesse Glick ***@***.***> wrote:
we can add those to the allow list
Well, not just the sandbox whitelist, but the list of DGM methods to
process—if anyone ever cares. cloudbees/groovy-cps#115 (comment)
<cloudbees/groovy-cps#115 (comment)>
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#5939 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAIE7KHEEODNYULYWYEED73UO54XXANCNFSM5IOJ7BJA>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
|
basil
added
the
squash-merge-me
There was a problem hiding this comment.
There is still some risk of setting Pipeline and Script Security on fire again, but the best possible effort was done to prevent regressions. Based on that, I am +1 for merging. Taking lack of blocking negative feedback, I will mark it as ready for merge
We may merge it in 24 hours if there is no negative feedback. Please see the merge process documentation for more information about the merge process
oleg-nenashev
added
ready-for-merge
See JENKINS-65237 and jenkinsci/jenkins#5116 (comment). Upgrades Groovy from 2.4.12 to 2.4.21. Changelogs:
The changelogs and apache/groovy@GROOVY_2_4_12...GROOVY_2_4_21 did not appear to contain anything frightening.
Testing done
groovy-sandboxtests passgroovy-cpstests pass (ran locally)Fixes jenkinsci/configuration-as-code-plugin#1703
Proposed changelog entries
Upgrade Groovy from 2.4.12 (released on June 21, 2017) to 2.4.21 (released on November 29, 2020).
Proposed upgrade guidelines
N/A
Submitter checklist
Proposed changelog entriessection only if there are breaking changes or other changes which may require extra steps from users during the upgradeDesired reviewers
@mention
Maintainer checklist
Before the changes are marked as
ready-for-merge:Proposed changelog entriesare correctupgrade-guide-neededlabel is set and there is aProposed upgrade guidelinessection in the PR title. (example)lts-candidateto be considered (see query).