Jenkins uses the Stapler web framework for HTTP request handling. Stapler’s basic premise is that it uses reflective access to code elements matching its naming conventions. For example, any public method whose name starts with `get`, and that has a `String`, `int`, `long`, or no argument can be invoked this way on objects that are reachable through these means. As these naming conventions closely match common code patterns in Java, accessing crafted URLs could invoke methods never intended to be invoked this way.
The Stapler web framework has been extended with a Service Provider Interface (SPI) that allows methods and fields to be excluded from routing. The implementation of that SPI in Jenkins now restricts which getter methods, `do*` action methods, and fields can be invoked reflectively by Stapler. Further details are available in the documentation:
Making Object Accessible via Stapler (for plugin developers)
Web Methods (for plugin developers)
Restricting HTTP Access to AccessControlled Objects (for plugin developers)
This change is expected to impact existing functionality in some plugins. The most likely effect is that some URLs now return `404 Not Found`. In rare cases, the responses returned might not be `404 Not Found`, but still differ from what is expected.
Affected plugins
The table below provides a list of plugins that were affected by the SECURITY-595 fix in Jenkins 2.138.4 and 2.154. The "Status" column reflects the current state. Note that this list is not exhaustive.
If you encounter a plugin that no longer works as expected due to the fix, please add it to the list. If possible, include the necessary whitelist entry (or entries) to make the feature work.
More importantly, please file a bug report, if one doesn’t exist, to help ensure that the appropriate plugin maintainer is informed.
Possibly Unsafe
Please note that not all whitelist additions listed on this page may be safe to apply.
| Plugin Name | Impact / behavior | Whitelist addition | Issue / pull request | Status |
|---|---|---|---|---|
| Git Plugin | | | n/a | Functionality only available after adding this whitelist entry. |