[JENKINS-70870] Save libraries as JAR files rather than unpacked by jglick · Pull Request #57 · jenkinsci/pipeline-groovy-lib-plugin

jglick · 2023-03-03T02:18:44Z

JENKINS-70870

~~Subsumes #55. Incremental diff: jglick/pipeline-groovy-lib-plugin@SCMSourceRetriever.clone...dir2Jar~~

refine symlink behavior [JENKINS-70870] Save libraries as JAR files rather than unpacked #57 (comment)

…onicalize` any more

…cache maintenance

…ce more conservatively

jglick · 2023-03-04T21:50:26Z

there seems to be a real leak

openjdk/jdk#12871 though as of a14ed45 it no longer matters here.

src/main/java/org/jenkinsci/plugins/workflow/libs/LibraryAdder.java

…e by design)

…rly deleting its source; anyway it needed to be refactored to be simpler and more efficient by directly archiving the desired files

…ning about missing sources

…st-read file rather than a JAR

…`clone`

jglick · 2023-03-08T22:49:49Z

src/main/java/org/jenkinsci/plugins/workflow/cps/global/UserDefinedGlobalVariable.java

-            // Util.escape translates \n but not \r, and we do not know what platform the library will be checked out on:
-            replace("\r\n", "\n"));
+        try {
+            return Jenkins.get().getMarkupFormatter().translate(


(suppress whitespace changes when reviewing)

…raryRecord.directoryName` to avoid use of `$JENKINS_HOME` in `program.dat`

jtnord

Code looks ok.

dwnusbaum · 2023-03-13T17:58:34Z

src/main/java/org/jenkinsci/plugins/workflow/libs/LibraryRetriever.java

+                    Path target = Path.of(dir.getRemote(), link).toRealPath();
+                    if (!target.startsWith(Path.of(root.getRemote()))) {


Does this behave as expected if JENKINS_HOME itself is a symlink? See for example jenkinsci/workflow-cps-global-lib-plugin#139. Also, toRealPath will throw an exception if the link target does not exist, which may be undesirable from a security standpoint.

Does this behave as expected if JENKINS_HOME itself is a symlink?

No idea offhand; I suppose we have no test coverage for such cases.

toRealPath will throw an exception if the link target does not exist, which may be undesirable

I think it is fine. If there is no such target, we want to fail one way or the other.

I suppose we have no test coverage for such cases.

I don't think so. Based on the number of reports I got from the related security fix though, it is a surprisingly common scenario. Safest to use File.getCanonicalFile / File.getCanonicalPath on both the link and root.

If there is no such target, we want to fail one way or the other.

Yeah, but the interesting thing about toRealPath vs just comparing the canonical paths is that toRealPath allows an attacker to probe the existence of arbitrary files on the controller's file system.

src/main/java/org/jenkinsci/plugins/workflow/libs/LibraryCachingCleanup.java

Co-authored-by: Devin Nusbaum <[email protected]>

…ib-plugin into dir2Jar

…-lib-plugin into dir2Jar

jglick added 2 commits March 2, 2023 21:18

Sketch of saving libraries as JAR files rather than unpacked

62562ac

Incremental deployment of jenkinsci/workflow-cps-plugin#668

c02ed47

jglick mentioned this pull request Mar 3, 2023

[JENKINS-70869] New option “clone” option to SCM-based retrievers to avoid workspace/xxx@libs/ #55

Merged

5 tasks

jglick added 8 commits March 3, 2023 12:06

Avoiding an extraneous empty dir

e5e95d0

Nicer name for temp checkout dir

8598f5e

Simpler handling of LoadedClasses.srcUrl; no apparent need for `can…

10155ea

…onicalize` any more

e5e95d0 & 8598f5e applied also to LibraryRetriever compat code

0a2ed44

Support for resuming builds

fec1f4e

Fixing ResourceStep

3cd3102

Clearer name for GLOBAL_LIBRARIES_DIR

e2b6276

Switching *-name.txt to a manifest attribute; and fixes related to …

f9be590

…cache maintenance

jglick changed the title ~~Sketch of saving libraries as JAR files rather than unpacked~~ Save libraries as JAR files rather than unpacked Mar 3, 2023

jglick added the enhancement New feature or request label Mar 3, 2023

This comment was marked as resolved.

Sign in to view

jglick mentioned this pull request Mar 4, 2023

Better CodeSource.location for Groovy loaded from JARs jenkinsci/workflow-cps-plugin#668

Closed

Giving up on jenkinsci/workflow-cps-plugin#668 and tracking code sour…

a14ed45

…ce more conservatively

jglick mentioned this pull request Mar 4, 2023

[JENKINS-69573] retrieve sources in tmpdir and rename #58

Open

6 tasks

jglick added 3 commits March 6, 2023 07:28

May as well pick up jenkinsci/workflow-cps-plugin#667

1783fb0

Comment obsolete as of a14ed45

3062a97

Properly migrating running builds crossing the update line

859dad1

jglick commented Mar 6, 2023

View reviewed changes

src/main/java/org/jenkinsci/plugins/workflow/libs/LibraryAdder.java Show resolved Hide resolved

Restoring SECURITY-2479 defense (SECURITY-2476 is no longer vulnerabl…

6ba9d43

…e by design)

jglick mentioned this pull request Mar 6, 2023

Call GroovyClassLoader.close also if build never starts jenkinsci/workflow-cps-plugin#672

Merged

jglick added 6 commits March 6, 2023 13:21

SCMSourceRetrieverTest.lease highlighted that dir2Jar was imprope…

fa82612

…rly deleting its source; anyway it needed to be refactored to be simpler and more efficient by directly archiving the desired files

Incremental build of jenkinsci/workflow-cps-plugin#672

75f2cae

Restoring support for INCLUDE_SRC_TEST_IN_LIBRARIES, as well as war…

5bbb1ed

…ning about missing sources

Adapting cloneModeExcludeSrcTest to revised message

0a7ccb4

Fixing vars/*.txt

20729d2

safeSymlinks broken by requirement to have at least one source file

29a8848

jglick added 4 commits March 6, 2023 15:42

SpotBugs

d1f3aca

LibraryCachingCleanup was unreliable as it sometimes deleted the la…

840cd60

…st-read file rather than a JAR

Merged doClone back into doRetrieve for clarity

0aa22f4

Introduced SCMBasedRetriever, permitting SCMRetriever to support …

743db17

…`clone`

This comment was marked as resolved.

Sign in to view

jglick mentioned this pull request Mar 6, 2023

[JENKINS-70869] More efficient JarURLConnection implementation jenkinsci/workflow-cps-plugin#673

Merged

jglick added 3 commits March 6, 2023 19:00

Also need class="${descriptor.clazz}"

444bde7

Skip new symlink unit tests on Windows

992eeaa

Pick up jenkinsci/workflow-cps-plugin#673

b7bd774

jglick mentioned this pull request Mar 7, 2023

Pretesting changes to pipeline-groovy-lib jenkinsci/bom#1832

Closed

jglick added 2 commits March 8, 2023 13:44

Also recommend CloneOption.noTags

10623dd

CloneOption.honorRefspec can also be useful

698ae68

jglick commented Mar 8, 2023

View reviewed changes

jglick added 3 commits March 9, 2023 11:58

Migrate LoadedClasses.srcUrl, and switching persisted field to `Lib…

77aea3e

…raryRecord.directoryName` to avoid use of `$JENKINS_HOME` in `program.dat`

SpotBugs

2fb8ed9

jenkinsci/workflow-cps-plugin#673 released

6acba02

jglick marked this pull request as ready for review March 9, 2023 23:32

jglick requested a review from a team as a code owner March 9, 2023 23:32

jtnord approved these changes Mar 13, 2023

View reviewed changes

dwnusbaum approved these changes Mar 13, 2023

View reviewed changes

Also delete lastReadFile when clearing cache

23125c9

Co-authored-by: Devin Nusbaum <[email protected]>

jglick marked this pull request as draft March 13, 2023 19:42

jglick added 3 commits March 24, 2023 09:29

Merge branch 'SCMSourceRetriever.clone' into dir2Jar

68d2a33

Merge branch 'dir2Jar' of https://github.com/jglick/pipeline-groovy-l…

d2c5eff

…ib-plugin into dir2Jar

Removing some minor differences to SCMSourceRetriever.clone

157d6f0

jglick changed the title ~~Save libraries as JAR files rather than unpacked~~ [JENKINS-70869] Save libraries as JAR files rather than unpacked Mar 24, 2023

Merge branch 'master' of https://github.com/jenkinsci/pipeline-groovy…

d608664

…-lib-plugin into dir2Jar

jglick changed the title ~~[JENKINS-70869] Save libraries as JAR files rather than unpacked~~ [JENKINS-70870] Save libraries as JAR files rather than unpacked Jun 9, 2023

rsandell approved these changes Apr 2, 2024

View reviewed changes

jtnord mentioned this pull request May 17, 2024

[JENKINS-69573] Delete versionCacheDir if retrieve fails #125

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[JENKINS-70870] Save libraries as JAR files rather than unpacked#57

[JENKINS-70870] Save libraries as JAR files rather than unpacked#57
jglick wants to merge 46 commits intojenkinsci:masterfrom
jglick:dir2Jar

jglick commented Mar 3, 2023 •

edited

Loading

Uh oh!

This comment was marked as resolved.

jglick commented Mar 4, 2023

Uh oh!

Uh oh!

This comment was marked as resolved.

jglick Mar 8, 2023

Uh oh!

jtnord left a comment

Uh oh!

dwnusbaum Mar 13, 2023

Uh oh!

jglick Mar 13, 2023

Uh oh!

dwnusbaum Mar 13, 2023

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

		Path target = Path.of(dir.getRemote(), link).toRealPath();
		if (!target.startsWith(Path.of(root.getRemote()))) {

Uh oh!

Conversation

jglick commented Mar 3, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

This comment was marked as resolved.

jglick commented Mar 4, 2023

Uh oh!

Uh oh!

This comment was marked as resolved.

jglick Mar 8, 2023

Choose a reason for hiding this comment

Uh oh!

jtnord left a comment

Choose a reason for hiding this comment

Uh oh!

dwnusbaum Mar 13, 2023

Choose a reason for hiding this comment

Uh oh!

jglick Mar 13, 2023

Choose a reason for hiding this comment

Uh oh!

dwnusbaum Mar 13, 2023

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

jglick commented Mar 3, 2023 •

edited

Loading