privatestatic/* not final */booleanSUPPRESS_WHITELIST=SystemProperties.getBoolean("jenkins.security.ClassFilterImpl.SUPPRESS_WHITELIST");
privatestatic/* not final */booleanSUPPRESS_ALL=SystemProperties.getBoolean("jenkins.security.ClassFilterImpl.SUPPRESS_ALL");
/**
* Register this implementation as the default in the system.
*/
...
...
@@ -76,6 +80,11 @@ public class ClassFilterImpl extends ClassFilter {
return;
}
ClassFilter.setDefault(newClassFilterImpl());
if(SUPPRESS_ALL){
LOGGER.warning("All class filtering suppressed. Your Jenkins installation is at risk from known attacks. See https://jenkins.io/redirect/class-filter/");
}elseif(SUPPRESS_WHITELIST){
LOGGER.warning("JEP-200 class filtering by whitelist suppressed. Your Jenkins installation may be at risk. See https://jenkins.io/redirect/class-filter/");
}
}
/**
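Review bot: The warning added after `ClassFilter.setDefault(...)` is logged only once, when the filter is registered, yet `SUPPRESS_ALL` and `SUPPRESS_WHITELIST` are marked `/* not final */`, presumably so they can be changed on a running instance. A flag set after registration would disable filtering without this notice ever appearing, leaving only the per-class warnings from the later hunks as evidence in the log. I would document that at this site, e.g. `// startup notice only: a flag flipped at runtime is visible solely through the per-class warnings`. The fields' Javadoc should also state that they are security-relevant escape hatches. The enclosing method begins above the hunk.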
...
...
@@ -155,6 +164,10 @@ public class ClassFilterImpl extends ClassFilter {
LOGGER.log(Level.FINE,"tolerating {0} by whitelist",name);
returnfalse;
}
if(SUPPRESS_WHITELIST||SUPPRESS_ALL){
LOGGER.log(Level.WARNING,"{0} in {1} might be dangerous, so would normally be rejected; see https://jenkins.io/redirect/class-filter/",newObject[]{name,location!=null?location:"JRE"});
returnfalse;
}
LOGGER.log(Level.WARNING,"{0} in {1} might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/",newObject[]{name,location!=null?location:"JRE"});
returntrue;
});
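Review bot: The new `return false` under `if (SUPPRESS_WHITELIST || SUPPRESS_ALL)` sits inside a lambda closed by `});`, so the verdict looks like it is memoized per class name by the caller, which is outside the hunk (inferred, not visible here). If it is, a class tolerated while a flag was set stays tolerated after the flag is cleared, until the cache is dropped or Jenkins restarts. Either bypass the cache while suppression is active or say so next to the check: `// verdict may be cached; clearing the flag does not re-reject classes already seen`. The message could also name which property caused the bypass, so an operator reading the log knows what to unset.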
...
...
@@ -249,6 +262,10 @@ public class ClassFilterImpl extends ClassFilter {
}
// could apply a cache if the pattern search turns out to be slow
if(ClassFilter.STANDARD.isBlacklisted(name)){
if(SUPPRESS_ALL){
LOGGER.log(Level.WARNING,"would normally reject {0} according to standard blacklist; see https://jenkins.io/redirect/class-filter/",name);
returnfalse;
}
LOGGER.log(Level.WARNING,"rejecting {0} according to standard blacklist; see https://jenkins.io/redirect/class-filter/",name);