SECURITY-3505

Author: steven-terrana

.github/ISSUE_TEMPLATE/bug-report.yaml

@@ -19,7 +19,7 @@ body:
   attributes:
     label: JTE Version
     description: What version of JTE is installed?
-    options: [ 2.5.3, 2.5.2, 2.5.1, 2.5, 2.4 , 2.3, 2.2.2, 2.2.1, 2.1, 2.0.4, 2.0.3, 2.0.2, 2.0.1, 2.0, 1.7.1, 1.7, 1.6, 1.5.2, 1.5.1, 1.5, 1.4.2, 1.4.1, 1.4, 1.3, 1.2, 1.1.1, 1.1, 1.0 ]
+    options: [ 2.5.4, 2.5.3, 2.5.2, 2.5.1, 2.5, 2.4 , 2.3, 2.2.2, 2.2.1, 2.1, 2.0.4, 2.0.3, 2.0.2, 2.0.1, 2.0, 1.7.1, 1.7, 1.6, 1.5.2, 1.5.1, 1.5, 1.4.2, 1.4.1, 1.4, 1.3, 1.2, 1.1.1, 1.1, 1.0 ]
   validations:
     required: true
 - type: textarea

build.gradle

@@ -14,7 +14,7 @@ repositories {
 }
 
 group = 'org.jenkins-ci.plugins'
-version = '2.5.3'
+version = '2.5.4'
 description = 'Allows users to create tool-agnostic, templated pipelines to be shared by multiple teams'
 
 jenkinsPlugin {

src/main/groovy/org/boozallen/plugins/jte/init/primitives/injectors/LibraryStepInjector.groovy

@@ -21,6 +21,7 @@ import org.boozallen.plugins.jte.init.governance.config.dsl.PipelineConfiguratio
 import org.boozallen.plugins.jte.init.governance.GovernanceTier
 import org.boozallen.plugins.jte.init.governance.libs.LibraryProvider
 import org.boozallen.plugins.jte.init.governance.libs.LibrarySource
+import org.boozallen.plugins.jte.init.governance.TemplateGlobalConfig
 import org.boozallen.plugins.jte.init.primitives.TemplatePrimitiveInjector
 import org.boozallen.plugins.jte.init.primitives.TemplatePrimitiveNamespace
 import org.boozallen.plugins.jte.util.AggregateException
@@ -76,7 +77,15 @@ import org.jenkinsci.plugins.workflow.job.WorkflowJob
     @Override
     TemplatePrimitiveNamespace injectPrimitives(CpsFlowExecution exec, PipelineConfigurationObject config){
         FlowExecutionOwner flowOwner = exec.getOwner()
-        // fetch library providers and determine library resolution order
+
+        // Get global tier libraries first
+        GovernanceTier globalTier = TemplateGlobalConfig.get().getTier()
+        Set<LibraryProvider> globalProviders = []
+        if(globalTier?.getLibrarySources()) {
+            globalProviders.addAll(globalTier.getLibrarySources().collect { source -> source.getLibraryProvider() } - null)
+        }
+
+        // fetch all library providers and determine library resolution order
         List<LibraryProvider> providers = getLibraryProviders(flowOwner)
         boolean reverseProviders = config.jteBlockWrapper.reverse_library_resolution
         if(reverseProviders) {
@@ -106,8 +115,13 @@ import org.jenkinsci.plugins.workflow.job.WorkflowJob
             String includes = "${libName}/${LibraryProvider.STEPS_DIR_NAME}/**/*.groovy"
             TemplatePrimitiveNamespace library = new TemplatePrimitiveNamespace(name: libName)
             library.setParent(libCollector)
+
+            // Find the provider for this library
+            LibraryProvider provider = providers.find{ p -> p.hasLibrary(flowOwner, libName) }
+            boolean isSandboxed = !globalProviders.contains(provider)
+
             jteDir.list(includes).each{ stepFile ->
-                StepWrapper step = stepFactory.createFromFilePath(stepFile, libName, libConfig)
+                StepWrapper step = stepFactory.createFromFilePath(stepFile, libName, libConfig, isSandboxed)
                 List<StepAlias> aliases = getStepAliases(step)
                 if(aliases.isEmpty() || shouldKeepOriginal(aliases)) {
                     step.setParent(library)

src/main/groovy/org/boozallen/plugins/jte/init/primitives/injectors/StepWrapper.groovy

@@ -79,6 +79,7 @@ class StepWrapper extends TemplatePrimitive implements Serializable{
     protected boolean isLibraryStep  = false
     protected boolean isDefaultStep  = false
     protected boolean isTemplateStep = false
+    protected boolean isSandboxed = true
 
     @SuppressWarnings("UnusedMethodParameter")
     Object getValue(CpsScript script, Boolean skipOverloaded = false){
@@ -127,6 +128,10 @@ class StepWrapper extends TemplatePrimitive implements Serializable{
         return stepContext.library
     }
 
+    void setSandboxed(boolean sandboxed){
+        this.isSandboxed = sandboxed
+    }
+
     /**
      * recompiles the StepWrapperScript if missing. This typically only happens if
      * Jenkins has ungracefully restarted and the pipeline is resuming

src/main/groovy/org/boozallen/plugins/jte/init/primitives/injectors/StepWrapperFactory.groovy

@@ -53,15 +53,16 @@ class StepWrapperFactory{
      * @param config the library configuration for the step
      * @return a StepWrapper instance
      */
-    StepWrapper createFromFilePath(FilePath filePath, String library, Map config){
+    StepWrapper createFromFilePath(FilePath filePath, String library, Map config, Boolean isSandboxed){
         String name = filePath.getBaseName()
         String sourceText = filePath.readToString()
         StepContext stepContext = new StepContext(library: library, name: name, isAlias: false)
         StepWrapper step = new StepWrapper(
             stepContext: stepContext,
             config: config,
             sourceFile: filePath.absolutize().getRemote(),
-            isLibraryStep: true
+            isLibraryStep: true,
+            isSandboxed: isSandboxed
         )
         StepWrapperScript script = prepareScript(step, sourceText)
         step.setScript(script)
@@ -151,7 +152,12 @@ class StepWrapperFactory{
 
         @groovy.transform.BaseScript ${StepWrapperScript.getName()} _
         """
-        GroovyShell shell = exec.getTrustedShell()
+        GroovyShell shell
+        if (step.isSandboxed){
+            shell = exec.getShell()
+        } else {
+            shell = exec.getTrustedShell()
+        }
         String scriptName = "JTE_${step.library ?: "Default"}_${step.name}"
         try {
             try {
@@ -212,6 +218,12 @@ class StepWrapperFactory{
             }
         }
 
+        @Override
+        void customizeImports(CpsFlowExecution execution, ImportCustomizer ic) {
+            ic.addStarImports("org.boozallen.plugins.jte.init.primitives.hooks")
+            ic.addImport(StepAlias.getName())
+        }
+
         GroovyShellDecorator forTrusted(){
             return new GroovyShellDecorator() {
                 @Override

src/test/groovy/org/boozallen/plugins/jte/init/primitives/injectors/LibraryStepInjectorSpec.groovy

@@ -148,7 +148,7 @@ class LibraryStepInjectorSpec extends Specification {
         jenkins.assertLogContains("folder step", run)
     }
 
-    def "library on higher governance tier (last in hierarchy array) gets loaded if library override set to false"() {
+    def "library on higher governance tier last in hierarchy array gets loaded if library override set to false"() {
         given:
         // add global
         TestLibraryProvider lib = new TestLibraryProvider()
@@ -179,4 +179,50 @@ class LibraryStepInjectorSpec extends Specification {
         jenkins.assertLogContains("global step", run)
     }
 
+    def "folder library steps are sandboxed"() {
+        given:
+        // add folder
+        TestLibraryProvider lib2 = new TestLibraryProvider()
+        lib2.addStep("lib", "step", """
+        import jenkins.model.Jenkins
+        void call(){
+          println Jenkins.get().getRootUrl()
+        }
+        """)
+        Folder folder = jenkins.createProject(Folder)
+        lib2.addToFolder(folder)
+        // create job
+        WorkflowJob job = TestUtil.createAdHocInFolder(folder,
+          config: 'libraries{ lib }',
+          template: 'step()'
+        )
+        when:
+        def run = job.scheduleBuild2(0).get()
+        then:
+        jenkins.assertBuildStatus(Result.FAILURE, run)
+        jenkins.assertLogContains("Scripts not permitted to use staticMethod jenkins.model.Jenkins get", run)
+    }
+
+    def "global library steps are not sandboxed"() {
+        given:
+        // add folder
+        TestLibraryProvider lib2 = new TestLibraryProvider()
+        lib2.addStep("lib", "step", """
+        import jenkins.model.Jenkins
+        void call(){
+          println Jenkins.get().getRootUrl()
+        }
+        """)
+        lib2.addGlobally()
+        // create job
+        WorkflowJob job = TestUtil.createAdHoc(jenkins,
+          config: 'libraries{ lib }',
+          template: 'step()'
+        )
+        when:
+        def run = job.scheduleBuild2(0).get()
+        then:
+        jenkins.assertBuildStatusSuccess(run)
+    }
+
 }