Skip to content

Latest commit

 

History

History
51 lines (44 loc) · 5.38 KB

threat-modeling.md

File metadata and controls

51 lines (44 loc) · 5.38 KB

Threat Model Analysis for jenkinsci/pipeline-model-definition-plugin

Threat: Arbitrary Code Execution via Jenkinsfile Injection

  • Description: An attacker with the ability to modify a Jenkinsfile (either directly or through a compromised SCM) injects arbitrary Groovy code into the pipeline definition. This code is then executed by the Jenkins master or agent during pipeline execution, as the plugin parses and executes the Jenkinsfile content. The attacker leverages the plugin's core functionality of interpreting the Declarative Pipeline syntax.
  • Impact: Complete compromise of the Jenkins master and/or agent nodes. This allows for data exfiltration, credential theft, lateral movement, and control over systems managed by Jenkins.
  • Affected Component:
    • org.jenkinsci.plugins.pipeline.modeldefinition.parser.Converter (and related parsing classes): These are the core components responsible for parsing the Jenkinsfile and are directly involved in the vulnerability.
    • WorkflowScript: Represents the compiled pipeline script; the attacker's code becomes part of this.
    • Groovy CPS (if disabled or bypassed): While CPS is a mitigation, its absence or failure directly enables this threat within the plugin's execution context.
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Enforce Groovy CPS (Sandbox): This is the most crucial mitigation. Ensure the "Use Groovy Sandbox" option is always enabled for Declarative Pipelines. This is a direct configuration related to how the plugin executes the code.
    • Principle of Least Privilege: Limit user permissions to modify Jenkinsfiles.
    • Mandatory Code Review: Require code review for all Jenkinsfile changes.
    • SCM Security: Secure the source code management system.
    • Webhooks with Authentication: Secure webhooks that trigger pipeline builds.

Threat: Shared Library Code Injection (Directly Affecting Pipeline Execution)

  • Description: An attacker gains write access to a shared library repository and injects malicious Groovy code. When a pipeline (defined using pipeline-model-definition-plugin) loads and executes this shared library, the attacker's code runs. The plugin's mechanism for loading and integrating shared libraries is the direct enabler of this threat.
  • Impact: Compromise of multiple pipelines and the systems they manage, similar to Jenkinsfile injection, but potentially broader.
  • Affected Component:
    • org.jenkinsci.plugins.workflow.libs.LibraryConfiguration: Directly handles the configuration of shared libraries used by the pipeline.
    • org.jenkinsci.plugins.workflow.libs.SCMSourceRetriever: Retrieves the shared library code, making it part of the pipeline's execution context.
    • Groovy CPS (within the shared library context): Again, the presence/absence of the sandbox directly impacts the plugin's execution.
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Strict Access Control: Limit write access to shared library repositories.
    • Mandatory Code Review: Require rigorous code review for shared library changes.
    • Version Control and Rollback: Use version control and have a rollback process.
    • Digital Signatures (Ideal): Implement digital signatures for integrity verification.
    • Separate Repositories: Use separate repositories to limit the blast radius.
    • Regular Audits: Conduct regular security audits of shared library code.

Threat: Bypassing Groovy CPS (Sandbox) Restrictions (Within the Plugin's Context)

  • Description: An attacker exploits a vulnerability specifically within the pipeline-model-definition-plugin's implementation or interaction with the Groovy CPS sandbox to bypass its restrictions. This allows them to execute arbitrary code despite the sandbox being enabled. This is distinct from a general Groovy or Jenkins vulnerability; it's a flaw in how the plugin uses CPS.
  • Impact: Complete compromise of the Jenkins master and/or agent, equivalent to direct code injection.
  • Affected Component:
    • org.jenkinsci.plugins.workflow.cps.CpsGroovyShell: The core of the Groovy CPS sandbox, as used by the plugin. The vulnerability would be in how the plugin configures or interacts with this shell.
    • org.jenkinsci.plugins.pipeline.modeldefinition.parser.Converter: If the parser introduces vulnerabilities that can be exploited to bypass CPS.
    • Any custom CPS configurations or integrations specific to the plugin.
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Keep Jenkins and pipeline-model-definition-plugin Updated: This is the primary defense, as patches often address CPS bypasses specific to the plugin.
    • Regular Security Audits: Conduct audits and penetration testing, focusing on the plugin's interaction with CPS.
    • Minimal Plugin Installation: Reduce the attack surface.
    • Avoid Unsafe Groovy Constructs: Even within the sandbox, avoid known risky constructs.
    • Monitor for Suspicious Activity: Watch for unusual activity in Jenkins logs.