Conversation
fpichler
left a comment
There was a problem hiding this comment.
The manifest content looks consistent with the release pipeline contract, but I see one security/design issue that affects this PR together with server-tools PR 83.
Jenkinsfile.release passes arbitrary manifest.image and manifest.modules values from this repository into the trusted shared-library releasePipeline. That shared library then reads
Jenkins job SCM metadata/credentials from those module job names and triggers the image job. Anyone who can change this Jenkinsfile can therefore potentially point the release pipeline at
unrelated Jenkins jobs, depending on Jenkins permissions and branch trust settings.
Please add product-scoped allowlisting/validation in the shared library before using these values, or move the release manifests back into trusted shared-library code. The webapp Jenkinsfile
should ideally only select a fixed product, not define arbitrary Jenkins job names.
https://synjira.atlassian.net/browse/INFRA-471