From 760ea2c501926f6c1803acb6fb2f56fdea8bd57d Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Sat, 7 Nov 2015 02:25:36 +0000
Subject: [PATCH] Mitigate SECURITY-218 by disabling the CLI

Jenkins masters will need a restart after applying this change, or it will have to be separately pasted into the Script Console.

Change-Id: I427d6e1a72fbe2144f3d9d9306c1cc918730e0cd
---
 files/cli-shutdown.groovy | 13 +++++++++++++
 manifests/master.pp | 15 +++++++++++++++
 2 files changed, 28 insertions(+)
 create mode 100644 files/cli-shutdown.groovy

diff --git a/files/cli-shutdown.groovy b/files/cli-shutdown.groovy
new file mode 100644
index 0000000..23bb689
--- /dev/null
+++ b/files/cli-shutdown.groovy
@@ -0,0 +1,13 @@
+# taken directly from https://github.com/jenkinsci-cert/SECURITY-218
+# https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli
+
+import jenkins.*;
+import jenkins.model.*;
+
+def p = AgentProtocol.all()
+p.each { x ->
+ if (x.name.contains("CLI")) p.remove(x)
+}
+
+def j = Jenkins.instance;
+j.actions.each { x -> if (x.getClass().name.contains("CLIAction")) j.actions.remove(x) }
diff --git a/manifests/master.pp b/manifests/master.pp
index 9d16c8d..95dbe7a 100644
--- a/manifests/master.pp
+++ b/manifests/master.pp
@@ -219,6 +219,21 @@ class jenkins::master(
 require => File['/var/lib/jenkins/plugins/simple-theme-plugin'],
 }
 
+ file { '/var/lib/jenkins/init.groovy.d':
+ ensure => directory,
+ owner => 'jenkins',
+ group => 'jenkins',
+ require => File['/var/lib/jenkins'],
+ }
+
+ file { '/var/lib/jenkins/init.groovy.d/cli-shutdown.groovy':
+ ensure => present,
+ owner => 'jenkins',
+ group => 'jenkins',
+ source => 'puppet:///modules/jenkins/cli-shutdown.groovy',
+ require => File['/var/lib/jenkins/init.groovy.d'],
+ }
+
 file { '/usr/local/jenkins':
 ensure => directory,
 owner => 'root',
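Review bot: The two header lines of cli-shutdown.groovy start with `#`, which Groovy does not treat as a comment (only a `#!` shebang on the very first line is tolerated; comments are `//` or `/* */`), so as far as I can tell the script will fail to parse when Jenkins loads it from init.groovy.d, the CLI mitigation will never execute, and the only evidence will be a stack trace in the Jenkins log. Change them to `// taken directly from https://github.com/jenkinsci-cert/SECURITY-218` and `// https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli`. Since nothing in the script logs whether anything was actually removed, a short comment at the top stating that it only takes effect at startup and that the CLI protocol and CLIAction should be confirmed absent after a restart would help operators verify the mitigation is really in place.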
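Review bot: Both new resources make the `jenkins` user the owner of `/var/lib/jenkins/init.groovy.d`, yet every script in that directory runs with full Jenkins privileges at each startup, so any process running as that service account could add its own startup script there; Jenkins itself only needs to read these files. The neighbouring `/usr/local/jenkins` resource in this hunk already uses `owner => 'root'`, and following that pattern with explicit modes — `owner => 'root', group => 'jenkins', mode => '0755'` on the directory and `mode => '0644'` on the file — would keep the directory read-only for the service account. A one-line comment above the directory resource saying that scripts here are applied only when Jenkins starts would also help the next reader understand why no service restart is wired in. The enclosing `jenkins::master` class begins before this hunk and the trailing `/usr/local/jenkins` resource continues after it.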