This security nonsense is getting annoying; anyway, I can work around it by writing the file on the master anyway. But since you can run almost anything in python/perl/bash/batch... scripts, the security should be at the script's trust, not what its content is in the end: if you trust the source and ensure the script is from a trusted user/server, there is no need to go into every detail of the script's operation. We should have a way to sign and trust a Jenkinsfile script and be done with the security. Trying to secure each and every call inside the script language when you can call sh or bat is a false security.
I don't know how to do it exactly right off the bat, but my guess is it makes more sense. Preventing me from doing a file operation for security purposes in Groovy, when I can call sh to do it anyway, doesn't give much except frustration. I totally fail to see why something like:

- new java.util.Date
- method java.util.Map containsKey java.lang.Object
- staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods leftShift java.util.Map java.util.Map
- staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods minus java.lang.String java.lang.Object
- staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods plus java.util.List java.lang.Iterable
- staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods plus java.util.List java.util.Collection
- staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods plus java.util.Map java.util.Map
- staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods println groovy.lang.Closure java.lang.Object

are security risks?!? Seriously, I call bullshit. Just do yourself a favor and call whatever you want to do in sh or python and do it anyway. And even if it wanted to check whether the process does something illegal, we could still launch other processes/pipes from those commands and nothing could really be done or known. As long as the Jenkins user has limited privileges on the machine and you trust the Jenkinsfile (some kind of certificate maybe).

This false security is grabbing way too much ground over the features/usability ground and that's sad; the concept is good but it starts to feel like it's going down the rabbit hole.