The pipeline library on ci.jenkins.io is a good example of a library
written to safely handle pull requests which might be malicious.  Refer to
isTrusted
<https://github.com/jenkins-infra/pipeline-library/blob/master/README.adoc#infraistrusted>
and how it is used to safeguard operations.

I believe ci.jenkins.io jobs are also configured to not allow Jenkinsfile
to be used from the target branch even for pull requests.  That avoids the
risk of a pull request submitted which executes a malicious Jenkinsfile.

On Fri, May 17, 2019 at 1:03 AM Simon Richter <simon.rich...@hogyros.de>
wrote:

> Hi,
>
> On Thu, May 16, 2019 at 12:11:54PM -0700, Christopher Weaver wrote:
>
> > For a project I work on, we have set up Jenkins, using the GitHub Branch
> > Source Plugin, to do automatic builds for pushes to our repository,
> > including test builds for pull requests. This is all working, but I am
> > concerned about the security implications for the pull requests.
>
> Yes, that is a common problem. Most people either only test pull requests
> from trusted people, or configure Jenkins to test inside a container with
> no network access and strict resource limits that is discarded after the
> build.
>
>    Simon
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to jenkinsci-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jenkinsci-users/20190517080348.GA17598%40psi5.com
> .
> For more options, visit https://groups.google.com/d/optout.
>


-- 
Thanks!
Mark Waite


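The two ideas in this thread, a trust check that gates credential-bearing steps and a throwaway, network-less, resource-limited container for the untrusted part of the build, as an added example in a scripted Jenkinsfile. This is not code from ci.jenkins.io or from the jenkins-infra pipeline-library: the isTrusted() below is a simplified stand-in written for this example, not the library's implementation, and the agent label 'docker', the image 'ci-build:latest', the credential id 'deploy-token', the make targets and the container limits are all assumptions chosen for illustration.

```groovy
// Added example, not from ci.jenkins.io or the jenkins-infra pipeline-library.
// Assumed names: agent label 'docker', image 'ci-build:latest', credential id
// 'deploy-token', targets 'make test' / 'make deploy'. Limits are illustrative.

// Does this build run code that repository maintainers control?
// Branch builds come from the repository itself. A pull request build
// (CHANGE_ID is set by the branch-source plugins) may come from a fork,
// in which case CHANGE_FORK names the fork. This is a simplified
// stand-in for a library isTrusted(), not the jenkins-infra one.
def isTrusted() {
    if (env.CHANGE_ID) {
        return !env.CHANGE_FORK   // same-repository PRs only
    }
    return true                   // branch or tag build of the repository
}

node('docker') {
    checkout scm

    stage('Test') {
        // The untrusted part of the build runs inside a container that the
        // Docker Pipeline plugin removes when the block ends. The run
        // arguments give it no network and hard CPU, memory and process
        // limits, so a malicious PR can neither exfiltrate data nor exhaust
        // the agent. Values are illustrative; tune them to the project.
        def sandboxArgs = '--network none --memory 2g --cpus 2 --pids-limit 512'
        docker.image('ci-build:latest').inside(sandboxArgs) {
            sh 'make test'
        }
    }

    stage('Deploy') {
        // Anything that touches credentials or shared infrastructure is
        // gated on the trust check, so a fork PR never sees the secret.
        if (isTrusted()) {
            withCredentials([string(credentialsId: 'deploy-token', variable: 'TOKEN')]) {
                sh 'make deploy'
            }
        } else {
            echo "Untrusted change ${env.CHANGE_ID}: skipping deploy"
        }
    }
}
```

A check written in the Jenkinsfile only helps if the job's branch-source trust policy for pull requests from forks makes Jenkins take the Jenkinsfile from the target branch rather than from the PR head; otherwise the submitter can simply delete the check. The sandbox stage is the complement: it assumes the PR's build scripts are hostile and limits what they can reach and consume, whichever Jenkinsfile is in effect.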