Jenkins : Plugins affected by the SECURITY-595 fix

Jenkins uses the Stapler web framework for HTTP request handling. Stapler’s basic premise is that it uses reflective access to code elements matching its naming conventions. For example, any public method whose name starts with get, and that has a String, int, long, or no argument can be invoked this way on objects that are reachable through these means. As these naming conventions closely match common code patterns in Java, accessing crafted URLs could invoke methods never intended to be invoked this way.

The Stapler web framework has been extended with a Service Provider Interface (SPI) that allows methods and fields to be excluded from routing. The implementation of that SPI in Jenkins now restricts which getter methods, do* action methods, and fields can be invoked reflectively by Stapler. Further details are available in the documentation:

• Advice related to SECURITY-595 in the LTS upgrade guide

• SECURITY-595 in the 2018-12-05 security advisory

• Making Object Accessible via Stapler (for plugin developers)

• Web Methods (for plugin developers)

• Restricting HTTP Access to AccessControlled Objects (for plugin developers)

This change is expected to impact existing functionality in some plugins. The most likely effect is that some URLs now return 404 Not Found. In rare cases, the responses returned might not be 404 Not Found, but still different than expected.

Affected plugins

The table below provides a list of plugin which were affected by the SECURITY-595 fix in Jenkins 2.138.4 and 2.154. "Status" column reflects the current state. Note that this list is not exhaustive.

If you encounter a plugin that no longer works as expected due to the fix, please add it to the list. If possible, include the necessary whitelist entry (or entries) to make the feature work.

More importantly, please file a bug report, if one doesn’t exist, to help ensure that the appropriate plugin maintainer is informed.