Branch: refs/heads/master
  Home:   https://github.com/jenkinsci/gerrit-code-review-plugin
  Commit: f88f8341f50eb3dbb843cc92538a0aa481314c53
      https://github.com/jenkinsci/gerrit-code-review-plugin/commit/f88f8341f50eb3dbb843cc92538a0aa481314c53
  Author: Zhao Xiaojie <linuxsu...@gmail.com>
  Date:   2019-04-11 (Thu, 11 Apr 2019)

  Changed paths:
    M README.md

  Log Message:
  -----------
  Typo fixes


  Commit: e6c56b7cda00d54a31bdc74117dcbd5013fc2612
      https://github.com/jenkinsci/gerrit-code-review-plugin/commit/e6c56b7cda00d54a31bdc74117dcbd5013fc2612
  Author: Jon Sten <j...@axis.com>
  Date:   2019-06-13 (Thu, 13 Jun 2019)

  Changed paths:
    M README.md
    M src/main/java/jenkins/plugins/gerrit/GerritWebHook.java

  Log Message:
  -----------
  Running web hook as System ACL

For locked down Jenkins instances this is a must. In our case anonymous
doesn't have overall read access and thus nothing happens when Gerrit
pushes to the notification URL. This change makes it so that the system
ACL is used during resolution of which jobs to trigger.

As with every privilege escalation one should ask oneself if it is safe
and necessary. In this case I would say that it is necessary, since it
makes it possible to use this plugin in locked down enterprise
situations. The change should also be safe: during privilege
escalation nothing is written to the caller, which means that no
information about job names or folder setup can be leaked due to this
change. Additionally, the only place where the caller's input is used is
during the check of whether the remote URL equals the job's remote URL,
and that is done using regular string operations. This should lead to a
very small attack surface.

Change-Id: Icac60435abd77ff462f72cfc1dbe831c768c8a90


Compare: https://github.com/jenkinsci/gerrit-code-review-plugin/compare/e626a37c6885...e6c56b7cda00
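The commit message above describes a pattern worth seeing in code: impersonate the Jenkins SYSTEM ACL only for the job lookup, apply nothing but plain string comparison to the caller-supplied remote URL, and write nothing derived from the lookup back to the caller. The sketch below is an added illustration of that pattern, not the plugin's `GerritWebHook.java` or any other code from the project. It assumes the Jenkins core API `ACL.as(ACL.SYSTEM)` returning an `ACLContext` (available in Jenkins 2.14 and later) and `Jenkins.get().getAllItems(Job.class)`; the `remoteOf` accessor that reads a job's configured remote URL, the `trigger` callback, and the `normalizeRemote` rules are hypothetical stand-ins chosen for the example.

```java
import hudson.model.Job;
import hudson.security.ACL;
import hudson.security.ACLContext;
import jenkins.model.Jenkins;

import java.util.function.Consumer;
import java.util.function.Function;

/**
 * Added illustration (not the plugin's code) of resolving the jobs to
 * trigger under the SYSTEM ACL, so that anonymous read access is not
 * required, while the caller's input is only ever compared as a string
 * and nothing learned during the lookup is returned to the caller.
 */
public final class SystemScopedWebHook {

    private SystemScopedWebHook() {}

    /** Hypothetical normalization: trim, drop trailing "/" and a ".git" suffix. */
    static String normalizeRemote(String url) {
        String s = url.trim();
        while (s.endsWith("/")) {
            s = s.substring(0, s.length() - 1);
        }
        if (s.endsWith(".git")) {
            s = s.substring(0, s.length() - 4);
        }
        return s;
    }

    /** True when the remote URL from the hook payload matches the job's configured remote. */
    static boolean remoteMatches(String callerRemote, String jobRemote) {
        // Only regular string operations touch the caller-controlled value:
        // no regex, no URL parsing, no lookup keyed by the raw input.
        return callerRemote != null
                && jobRemote != null
                && normalizeRemote(callerRemote).equals(normalizeRemote(jobRemote));
    }

    /**
     * Resolve and trigger matching jobs while impersonating SYSTEM.
     *
     * @param callerRemote remote URL taken from the webhook payload (untrusted)
     * @param remoteOf     hypothetical accessor returning a job's configured remote URL, or null
     * @param trigger      action to run for each matching job (e.g. schedule a build)
     */
    static void triggerMatchingJobs(String callerRemote,
                                    Function<Job<?, ?>, String> remoteOf,
                                    Consumer<Job<?, ?>> trigger) {
        // ACL.as(...) switches the current thread's authentication to SYSTEM;
        // closing the ACLContext restores the caller's authentication.
        try (ACLContext ignored = ACL.as(ACL.SYSTEM)) {
            for (Job<?, ?> job : Jenkins.get().getAllItems(Job.class)) {
                if (remoteMatches(callerRemote, remoteOf.apply(job))) {
                    trigger.accept(job);
                }
            }
        }
        // Deliberately no return value and no per-job output: the HTTP response
        // to the caller is identical whether zero or many jobs matched, so job
        // names and folder layout are not revealed to the (possibly anonymous) caller.
    }
}
```

The important property is the shape of `triggerMatchingJobs`: the elevated context is confined to the `try` block, the only operation on `callerRemote` is `equals` after normalization, and the method returns nothing, so the privilege escalation cannot become an information oracle about which jobs or folders exist.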

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Commits" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-commits/jenkinsci/gerrit-code-review-plugin/push/refs/heads/master/e626a3-e6c56b%40github.com.