Kevin Guerroudj

Results 10 comments of Kevin Guerroudj

Hi @dillense, I'm still able to reproduce the vulnerability. From what I've seen, it's due to [Zip.java#L165](https://github.com/jenkinsci/clif-performance-testing-plugin/blob/7214dfdb32ecd7c23ffb675b4d1e9d419f4fea66/src/main/java/org/ow2/clif/jenkins/jobs/Zip.java#L165). I'll let you correct it and ping me when it's fixed 🙂

I gave you more information in [SECURITY-2413](https://issues.jenkins.io/browse/SECURITY-2413).

No blockers from a security perspective. However, I've noticed that the search filter doesn't seem to work properly. It takes quite a long time or never finishes.

I agree with the previous comment: the current behavior is a bug. `Global` scoped credentials in the `System` store should be accessible to all users with the Credentials/UseItem permission. It...

> Is the keypair adequately protected within the Jenkins config by Hudson encryption?

Your secret key will be stored encrypted, see https://www.jenkins.io/doc/developer/security/secrets/#encryption-of-secrets-and-credentials

> Is it okay to have accessKey be...

Hey @Artmorse, I tried reviewing this PR and followed Yaroslav's steps. I'm not encountering any errors; it's working as expected. However, I noticed that we missed reporting an occurrence...

I've tested the PR locally, and the XSS is no longer present. Everything else looks fine from a security perspective.

> @jenkinsci/core-security-review possible to get a review please?

Yeah, we're aware of this PR and are planning to review it soonish.