[JENKINS-46795] Abort builds with untrusted Jenkinsfile, but only given passive cause

Author: jglick

src/main/java/org/jenkinsci/plugins/workflow/multibranch/ReadTrustedStep.java

@@ -177,7 +177,7 @@ public static class Execution extends AbstractSynchronousNonBlockingStepExecutio
                 }
                 build.addAction(new SCMRevisionAction(scmSource, tip));
             }
-            SCMRevision trusted = scmSource.getTrustedRevision(tip, listener);
+            SCMRevision trusted = SCMBinder.getTrustedRevision(scmSource, tip, listener, build);
             boolean trustCheck = !tip.equals(trusted);
             String untrustedFile = null;
             String content;

src/main/java/org/jenkinsci/plugins/workflow/multibranch/SCMBinder.java

@@ -29,15 +29,22 @@
 import hudson.Extension;
 import hudson.Functions;
 import hudson.model.Action;
+import hudson.model.Cause;
 import hudson.model.Descriptor;
 import hudson.model.DescriptorVisibilityFilter;
 import hudson.model.ItemGroup;
 import hudson.model.Queue;
+import hudson.model.Run;
 import hudson.model.TaskListener;
 import hudson.scm.SCM;
+import hudson.triggers.SCMTrigger;
+import hudson.triggers.TimerTrigger;
 import java.io.IOException;
 import java.util.List;
+import java.util.Set;
 import jenkins.branch.Branch;
+import jenkins.branch.BranchEventCause;
+import jenkins.branch.BranchIndexingCause;
 import jenkins.scm.api.SCMFileSystem;
 import jenkins.scm.api.SCMHead;
 import jenkins.scm.api.SCMRevision;
@@ -46,6 +53,7 @@
 import jenkins.util.SystemProperties;
 import org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition;
 import org.jenkinsci.plugins.workflow.cps.CpsScmFlowDefinition;
+import org.jenkinsci.plugins.workflow.cps.replay.ReplayCause;
 import org.jenkinsci.plugins.workflow.flow.FlowDefinition;
 import org.jenkinsci.plugins.workflow.flow.FlowDefinitionDescriptor;
 import org.jenkinsci.plugins.workflow.flow.FlowExecution;
@@ -102,7 +110,7 @@ public SCMBinder(String scriptPath) {
         SCM scm;
         if (tip != null) {
             build.addAction(new SCMRevisionAction(scmSource, tip));
-            SCMRevision rev = scmSource.getTrustedRevision(tip, listener);
+            SCMRevision rev = getTrustedRevision(scmSource, tip, listener, build);
             try (SCMFileSystem fs = USE_HEAVYWEIGHT_CHECKOUT ? null : SCMFileSystem.of(scmSource, head, rev)) {
                 if (fs != null) { // JENKINS-33273
                     String script = null;
@@ -143,6 +151,24 @@ public SCMBinder(String scriptPath) {
         return new CpsScmFlowDefinition(scm, scriptPath).create(handle, listener, actions);
     }
 
+    private static Set<Class<? extends Cause>> passiveCauses = Set.of(
+        BranchIndexingCause.class,
+        BranchEventCause.class,
+        SCMTrigger.SCMTriggerCause.class,
+        TimerTrigger.TimerTriggerCause.class);
+    /**
+     * Like {@link SCMSource#getTrustedRevision} but only for builds with known passive triggers such as {@link BranchIndexingCause}.
+     * Other causes such as {@link Cause.UserIdCause} or {@link ReplayCause} or {@code CheckRunGHEventSubscriber.GitHubChecksRerunActionCause}
+     * are assumed trusted and so the tip revision is returned as is without consulting the SCM.
+     */
+    static SCMRevision getTrustedRevision(SCMSource source, SCMRevision revision, TaskListener listener, Run<?, ?> build) throws IOException, InterruptedException {
+        if (build.getCauses().stream().anyMatch(c -> passiveCauses.stream().anyMatch(t -> t.isInstance(c)))) {
+            return source.getTrustedRevision(revision, listener);
+        } else {
+            return revision;
+        }
+    }
+
     @Extension public static class DescriptorImpl extends FlowDefinitionDescriptor {
 
         @NonNull

src/test/java/org/jenkinsci/plugins/workflow/multibranch/SCMBinderTest.java

@@ -27,6 +27,8 @@
 import com.cloudbees.hudson.plugins.folder.computed.DefaultOrphanedItemStrategy;
 import edu.umd.cs.findbugs.annotations.NonNull;
 import hudson.Util;
+import hudson.model.Cause;
+import hudson.model.CauseAction;
 import hudson.model.Item;
 import hudson.model.Result;
 import hudson.model.TaskListener;
@@ -235,6 +237,7 @@ public static void assertRevisionAction(WorkflowRun build) {
         assertEquals(1, mp.getItems().size());
     }
 
+    @Issue("JENKINS-46795")
     @Test public void untrustedRevisions() throws Exception {
         sampleGitRepo.init();
         String masterJenkinsfile = "node {checkout scm; echo readFile('file')}";
@@ -255,7 +258,6 @@ public static void assertRevisionAction(WorkflowRun build) {
         String branch = "some-other-branch-from-Norway";
         sampleGitRepo.git("checkout", "-b", branch);
         sampleGitRepo.write("Jenkinsfile", "error 'ALL YOUR BUILD STEPS ARE BELONG TO US'");
-        sampleGitRepo.write("file", "subsequent content");
         sampleGitRepo.git("commit", "--all", "--message=big evil laugh");
         p = WorkflowMultiBranchProjectTest.scheduleAndFindBranchProject(mp, branch);
         r.waitUntilNoActivity();
@@ -268,17 +270,42 @@ public static void assertRevisionAction(WorkflowRun build) {
         r.assertLogContains("not trusting", b);
         SCMBinder.IGNORE_UNTRUSTED_EDITS = true;
         try {
-            b = r.buildAndAssertSuccess(p);
+            sampleGitRepo.write("file", "subsequent content");
+            sampleGitRepo.git("commit", "--all", "--message=edits");
+            p = WorkflowMultiBranchProjectTest.scheduleAndFindBranchProject(mp, branch);
+            r.waitUntilNoActivity();
+            b = p.getLastBuild();
+            assertNotNull(b);
+            assertEquals(2, b.getNumber());
             r.assertLogContains("subsequent content", b);
             r.assertLogContains("not trusting", b);
         } finally {
             SCMBinder.IGNORE_UNTRUSTED_EDITS = false;
         }
         sampleGitRepo.write("Jenkinsfile", masterJenkinsfile);
         sampleGitRepo.git("commit", "--all", "--message=meekly submitting");
-        b = r.buildAndAssertSuccess(p);
+        p = WorkflowMultiBranchProjectTest.scheduleAndFindBranchProject(mp, branch);
+        r.waitUntilNoActivity();
+        b = p.getLastBuild();
+        assertNotNull(b);
+        assertEquals(3, b.getNumber());
         r.assertLogContains("subsequent content", b);
         r.assertLogContains("not trusting", b);
+        sampleGitRepo.write("Jenkinsfile", "node {checkout scm; echo readTrusted('file').toUpperCase()}");
+        sampleGitRepo.git("commit", "--all", "--message=changes to be approved");
+        p = WorkflowMultiBranchProjectTest.scheduleAndFindBranchProject(mp, branch);
+        r.waitUntilNoActivity();
+        b = p.getLastBuild();
+        assertNotNull(b);
+        assertEquals(4, b.getNumber());
+        r.assertBuildStatus(Result.FAILURE, b);
+        r.assertLogContains(Messages.ReadTrustedStep__has_been_modified_in_an_untrusted_revis("Jenkinsfile"), b);
+        r.assertLogContains("not trusting", b);
+        b = p.scheduleBuild2(0, new CauseAction(new Cause.UserIdCause())).get();
+        assertEquals(5, b.getNumber());
+        r.assertBuildStatusSuccess(b);
+        r.assertLogContains("SUBSEQUENT CONTENT", b);
+        r.assertLogNotContains("not trusting", b);
     }
     public static class WarySource extends GitSCMSource {
         public WarySource(String id, String remote, String credentialsId, String includes, String excludes, boolean ignoreOnPushNotifications) {