Last modified: 2012-12-11 14:15:35 UTC
Whenever someone sends a patch to operations/puppet.git, Jenkins runs 'rake validate'. An attacker could inject Ruby code in the rakefile and execute arbitrary code as user Jenkins on the gallium server. We had the same issue in MediaWiki core with PHPUnit tests, which has been fixed by requiring someone trusted to review the code before running the unit tests. A possible solution would be to skip the lint check whenever the rakefile has been changed: `git diff --name-only HEAD^..HEAD` should not contain "rakefile"
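The guard described in the comment above, as an added shell example (this is not the build step from the Gerrit change linked later in the thread): it runs the `git diff --name-only HEAD^..HEAD` check and skips `rake validate` when the change touches a Rakefile. It goes slightly beyond the comment's substring test by matching the file names rake actually loads (Rakefile, rakefile, with or without .rb, and rakelib/*.rake). The function names are assumptions.

```shell
#!/bin/sh
# Added example: a guard for a Jenkins build step that refuses to run
# `rake validate` when the commit under test modifies the Rakefile,
# because rake evaluates that file as Ruby before running any task.

# Returns 0 (true) when any path in the newline-separated list in $1
# names a file rake would load. The list is passed as an argument so the
# check can be exercised without a git checkout. Matching is anchored on
# the base name and case-insensitive, so "files/rakefile.txt" or a
# directory called "rakefile" do not trigger it.
touches_rakefile() {
    printf '%s\n' "$1" | grep -Eiq '(^|/)(rakefile(\.rb)?|rakelib/[^/]+\.rake)$'
}

# Files changed by the commit under test, exactly as proposed in the thread.
changed_files() {
    git diff --name-only 'HEAD^..HEAD'
}

# The build step itself: skip the lint when the Rakefile changed (the change
# then needs a trusted reviewer first), otherwise run it as before.
guarded_validate() {
    files=$(changed_files) || return 1
    if touches_rakefile "$files"; then
        echo "Rakefile modified by this change; skipping 'rake validate'"
        return 0
    fi
    rake validate
}
```

Source the script from the Jenkins job and call `guarded_validate` in place of the bare `rake validate`; the guard must run before any rake invocation, not from a rake task.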
I will take care of this issue. I need to adapt the Jenkins build step to detect whether the rakefile has been changed.
https://gerrit.wikimedia.org/r/#/c/38065/ Still being worked on
Validated in production with: https://gerrit.wikimedia.org/r/#/c/38066/ (introduce rakefile: skipped) https://gerrit.wikimedia.org/r/#/c/38068/ (based on previous: got skipped too)
Shell script introduced to operations/puppet is https://gerrit.wikimedia.org/r/#/c/38065/2/operations-puppet.yaml,unified