
SpecificUsersAuthorizationStrategy easily bypassed by REST/CLI

      SpecificUsersAuthorizationStrategy does an authentication check during newInstance, used by form binding. But this is trivially bypassed. I created two users (with Mock Security Realm): admin with ADMINISTER, and devel with Item.* permissions (also granting Computer.BUILD to everyone). As devel I created a job using this strategy and running as myself. Then I got its config.xml, replaced the text devel with admin, and used

      curl -i -u devel:devel -d @config.xml -H '.crumb: ...' 'http://localhost:8080/jenkins/job/run%20as%20devel/config.xml'
      

      When next run, it was run as admin, bypassing the intent of the security restriction.

      Not sure what to recommend as the fix. Storing the strategy as a JobProperty makes it inherently rather vulnerable to this kind of attack. The only general way to intercept uploadByXml and friends from a savable component is to let the user upload and save whatever XML they want, but use readResolve to check the authentication in effect at the time of the upload (will be SYSTEM if this is just being reloaded from disk), and to retroactively reject configurations being uploaded by an unauthorized user. You can study what the Script Security plugin does; look at SecureGroovyScript and its calls to ScriptApproval.configuring and .using. For a job property in particular you may be able to use a simpler solution by overriding setOwner.

      (In this case you do want to let regular users update other parts of config.xml using REST or CLI, so long as !isAuthenticateionRequired(...) [sic] I suppose.)


          ikedam added a comment -
          • uploading XML is allowed with Item.CONFIGURE permission. This means anyone who can configure the project can bypass the authentication.
          • It is performed via AbstractItem#doConfigDotXml, AbstractItem#updateByXml.


          ikedam added a comment -

          Example detailed steps to reproduce the problem using REST:

          1. Install authorize-project plugin
          2. Go to "Manage Jenkins" > "Configure Global Security"
            1. Check "Enable security"
            2. Check "Jenkins's own user database" for "Security Realm"
            3. Check "Matrix-based security" for "Authorization"
            4. Add user "admin" to "Matrix-based security" and check all permissions.
            5. Add user "devel" to "Matrix-based security" and check all permissions except "Administer".
              • Admin is not really registered to Jenkins's user database, but that doesn't matter in this case.
            6. Add "Configure Build Authorizations in Project Configuration" for "Access Control for Builds"
          3. Create users by signing up.
            1. Create "admin"
            2. Create "devel"
          4. Sign in as "devel"
          5. Test that "devel" cannot configure authorize-project for "admin"
            1. Create a new free-style project
            2. Check "Configure Build Authorization"
            3. Check "Run as Specific User"
            4. Enter "admin" for "User ID"
            5. Leave empty for "Password"
            6. Save the configuration. It will cause an error for failure of authentication.
          6. Create a project that runs as "devel"
            1. Create a new free-style project
            2. Check "Configure Build Authorization"
            3. Check "Run as Specific User"
            4. Enter "devel" for "User ID"
            5. Save the configuration.
          7. Retrieve the current config.xml
            curl -u devel:devel -o config.xml http://[path to jenkins]/[projectname]/config.xml
            
            • wget does not work, as Jenkins returns not 401 but 403 (wget requires 401 before sending a username and a password).
          8. Modify "<userid>devel</userid>" to "<userid>admin</userid>" in config.xml
          9. Overwrite the configuration
            curl -u devel:devel -d @config.xml http://[path to jenkins]/[projectname]/config.xml
            
          10. Open the configuration page. The project is configured to run as "admin".


          ikedam added a comment -

          Example steps using CLI:

          1. Prepare users and projects as above.
          2. Grant Overall.Read and Job.Read to Anonymous, for JENKINS-12543.
          3. Retrieve jenkins-cli.jar
            curl -o jenkins-cli.jar http://[path to jenkins]/jnlpJars/jenkins-cli.jar
            
          4. Retrieve the current config.xml
            java -jar jenkins-cli.jar -s http://[path to jenkins]/ get-job [projectname] --username devel --password devel > config.xml
            
          5. Modify "<userid>devel</userid>" to "<userid>admin</userid>" in config.xml
          6. Overwrite the configuration
            java -jar jenkins-cli.jar -s http://[path to jenkins]/ update-job [projectname] --username devel --password devel < config.xml
            
          7. Open the configuration page. The project is configured to run as "admin".


          ikedam added a comment -

          Authentication in effect when SpecificUsersAuthorizationStrategy#readResolve is called (tested with 1.532):

          When           Authentication
          Jenkins boot   SYSTEM
          REST           devel
          CLI            devel


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: ikedam
          Path:
          src/test/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest.java
          src/test/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest/testLoadOnStart/config.xml
          src/test/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest/testLoadOnStart/jobs/test/config.xml
          src/test/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest/testLoadOnStart/users/admin/config.xml
          src/test/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest/testLoadOnStart/users/test1/config.xml
          src/test/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest/testLoadOnStart/users/test2/config.xml
          http://jenkins-ci.org/commit/authorize-project-plugin/6ae6c7aa129cff9da43c3401d3fca74f44b5acd6
          Log:
          JENKINS-22469 Added tests to reproduce JENKINS-22469: authentications can be bypassed via REST/CLI.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: ikedam
          Path:
          src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy.java
          src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/Messages.properties
          src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/Messages_ja.properties
          http://jenkins-ci.org/commit/authorize-project-plugin/bee6e628ef5fbd66ca59b2bd2abc2afad5c183c9
          Log:
          [FIXED JENKINS-22469] When configuring a project with SpecificUsersAuthorizationStrategy via REST/CLI, the user can specify only oneself or must be an administrator.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: ikedam
          Path:
          src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy/help-noNeedReauthentication.html
          src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy/help-noNeedReauthentication_ja.html
          http://jenkins-ci.org/commit/authorize-project-plugin/6451b35f6d65b5c32f3ab302f7dfe5ed3a45b1e9
          Log:
          JENKINS-22469 Added notes to help of noNeedReauthentication that it does not work for REST/CLI.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: ikedam
          Path:
          src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy.java
          http://jenkins-ci.org/commit/authorize-project-plugin/ac6f88b0417c42c3227c74757fb02e5991f008a8
          Log:
          JENKINS-22469 Do not perform authentication when readResolve is called on startup.

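          The following is an added illustration of the defensive pattern discussed in this issue: the description's suggestion to re-check the caller's identity in readResolve, the table showing that readResolve runs as SYSTEM on boot but as the uploading user for REST/CLI, the fix commit's rule (a non-administrator may only name themselves), and the follow-up commit that skips the check on startup. It is not the plugin's own source. It assumes Jenkins core APIs of the 1.5xx era (Jenkins.getAuthentication(), ACL.SYSTEM, ACL.hasPermission, Jenkins.ADMINISTER); the package, class and field names are hypothetical.

```java
// Added illustration, not the authorize-project plugin's actual code.
// Assumed Jenkins core APIs: Jenkins.getAuthentication(), ACL.SYSTEM,
// ACL.hasPermission(Authentication, Permission), Jenkins.ADMINISTER.
package example.authorizeproject; // hypothetical package

import hudson.model.Job;
import hudson.model.JobProperty;
import hudson.security.ACL;
import jenkins.model.Jenkins;
import org.acegisecurity.Authentication;

/** Hypothetical job property that records which user a build should run as. */
public class RunAsUserProperty extends JobProperty<Job<?, ?>> {
    private final String userid;

    public RunAsUserProperty(String userid) {
        this.userid = userid;
    }

    public String getUserid() {
        return userid;
    }

    /**
     * Invoked by XStream after the object has been populated from XML.
     * Form submission is not the only path that creates this object:
     * a config.xml POST (REST) or update-job (CLI) also deserializes it,
     * so the authorization check must live here, not only in newInstance.
     */
    private Object readResolve() {
        Authentication caller = Jenkins.getAuthentication();
        // Jobs loaded from disk at startup are deserialized as SYSTEM
        // (see the table above): there is no uploading user to check,
        // and the stored configuration was already validated when saved.
        if (ACL.SYSTEM.equals(caller)) {
            return this;
        }
        if (!mayConfigureRunAs(caller, userid)) {
            // Rejecting here fails the whole upload, so the tampered
            // config.xml is never saved to the job.
            throw new IllegalStateException("User " + caller.getName()
                    + " is not allowed to configure a project to run as " + userid);
        }
        return this;
    }

    /**
     * The rule stated in the fix commit: via REST/CLI a user may only
     * specify themselves, unless they hold Overall/Administer.
     */
    static boolean mayConfigureRunAs(Authentication caller, String targetUser) {
        if (caller.getName().equals(targetUser)) {
            return true;
        }
        return Jenkins.getInstance().getACL().hasPermission(caller, Jenkins.ADMINISTER);
    }
}
```

          With this check in place, the REST and CLI steps listed above fail at the upload step with an error instead of silently saving a configuration that runs as another user, while the browser form path keeps its existing newInstance check and startup loading is unaffected.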

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: ikedam
          Path:
          src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy.java
          src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/Messages.properties
          src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/Messages_ja.properties
          src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy/help-noNeedReauthentication.html
          src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy/help-noNeedReauthentication_ja.html
          src/test/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest.java
          src/test/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest/testLoadOnStart/config.xml
          src/test/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest/testLoadOnStart/jobs/test/config.xml
          src/test/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest/testLoadOnStart/users/admin/config.xml
          src/test/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest/testLoadOnStart/users/test1/config.xml
          src/test/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest/testLoadOnStart/users/test2/config.xml
          http://jenkins-ci.org/commit/authorize-project-plugin/2374674a2a341c9be87eecb2a5e4d3b724304d6b
          Log:
          Merge pull request #5 from ikedam/feature/JENKINS-22469_RestCliBypassesAuthentication

          JENKINS-22469 REST/CLI bypasses authentication

          Compare: https://github.com/jenkinsci/authorize-project-plugin/compare/ef1e5a4fcb10...2374674a2a34


          ikedam added a comment -

          Released in 1.0.3.


            ikedam ikedam
            jglick Jesse Glick