Last modified: 2012-12-11 14:15:35 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in, and apart from displaying bug reports and their history, links might be broken. See T44929, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 42929 - Jenkins run 'rake validate' on any ops/puppet change
Status: RESOLVED FIXED
Product: Wikimedia
Classification: Unclassified
Component: Continuous integration
Version: unspecified
Hardware/OS: All / All
Priority: Unprioritized
Severity: normal
Target Milestone: ---
Assigned To: Antoine "hashar" Musso (WMF)
Depends on:
Blocks:
Reported: 2012-12-10 22:20 UTC by Antoine "hashar" Musso (WMF)
Modified: 2012-12-11 14:15 UTC
CC: 7 users
See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---



Description Antoine "hashar" Musso (WMF) 2012-12-10 22:20:49 UTC
Whenever someone sends a patch to operations/puppet.git, Jenkins runs 'rake validate'. An attacker could inject Ruby code in the rakefile and execute arbitrary code as the Jenkins user on the gallium server.

We had the same issue in MediaWiki core with PHPUnit tests; that has been fixed by requiring someone trusted to review the code before running the unit tests.


A possible solution would be to skip the lint check whenever the rakefile has been changed: `git diff --name-only HEAD^..HEAD` should not contain "rakefile".
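Worked example of the gate described above (added here; this is not the reporter's script and not the shell script that was later merged to operations/puppet). It implements the `git diff --name-only HEAD^..HEAD` check as a Jenkins-style build step: if the commit under test touches any file that `rake` would evaluate as Ruby, the lint job is skipped and left to a trusted reviewer. The function names are assumptions. The example goes one step beyond the report by also refusing `rakelib/*.rake` files and a Gemfile, since Rake auto-loads `rakelib/*.rake` and `bundle exec rake` evaluates the Gemfile as Ruby; a check on the Rakefile name alone would leave those paths open.

```shell
#!/bin/sh
# Added example: decide whether a commit may run `rake validate` unattended.
# Any file that rake (or bundler) evaluates as Ruby is treated as untrusted
# when the commit changes it; in that case the lint run is skipped.

# Reads one changed path per line on stdin. Exits 0 if any of them would be
# loaded as Ruby by `rake`: the Rakefile (the case from the bug report), plus,
# as this example's own assumption, *.rake task files and a Gemfile.
touches_rakefile() {
    while IFS= read -r path || [ -n "$path" ]; do
        # rake accepts Rakefile, rakefile, Rakefile.rb, rakefile.rb: compare
        # the lowercased basename so a rename to "rakefile" is caught too.
        base=$(printf '%s' "$(basename "$path")" | tr 'A-Z' 'a-z')
        case "$base" in
            rakefile|rakefile.rb|gemfile|*.rake) return 0 ;;
        esac
    done
    return 1
}

# Paths changed by the commit under test, as in the report's suggestion.
# Arguments are the optional base and tip revisions (default HEAD^..HEAD).
changed_files() {
    git diff --name-only "${1:-HEAD^}..${2:-HEAD}"
}

# Build step: skip validation (exit 0, so the job is "not run" rather than
# failed) when the commit could alter what `rake` executes; otherwise lint.
gate_rake_validate() {
    if changed_files "$@" | touches_rakefile; then
        echo "rake-loaded Ruby changed in this commit: skipping 'rake validate', needs trusted review" >&2
        return 0
    fi
    rake validate
}
```

`HEAD^..HEAD` inspects only the tip commit, which matches a single Gerrit patchset; for a multi-commit series or a merge, pass the target branch as the base revision (`gate_rake_validate origin/production HEAD`) so every commit in the range is checked.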
Comment 1 Antoine "hashar" Musso (WMF) 2012-12-10 22:21:40 UTC
I will take care of this issue. I need to adapt the Jenkins build step to detect whether the rakefile has been changed.
Comment 2 Antoine "hashar" Musso (WMF) 2012-12-11 12:43:57 UTC
https://gerrit.wikimedia.org/r/#/c/38065/

Still being worked on
Comment 3 Antoine "hashar" Musso (WMF) 2012-12-11 13:29:21 UTC
Validated in production with:

https://gerrit.wikimedia.org/r/#/c/38066/ (introduce rakefile: skipped)
https://gerrit.wikimedia.org/r/#/c/38068/ (based on previous: got skipped too)
Comment 4 Antoine "hashar" Musso (WMF) 2012-12-11 13:30:05 UTC
Shell script introduced to operations/puppet is https://gerrit.wikimedia.org/r/#/c/38065/2/operations-puppet.yaml,unified


