Details
-
Bug
-
Status: Closed (View Workflow)
-
Blocker
-
Resolution: Fixed
Description
SpecificUsersAuthorizationStrategy does an authentication check during newInstance, used by form binding. But this is trivially bypassed. I created two users (with Mock Security Realm): admin with ADMINISTER, and devel with Item.* permissions (also granting Computer.BUILD to everyone). As devel I created a job using this strategy and running as myself. Then I got its config.xml, replaced the text devel with admin, and used
curl -i -u devel:devel -d @config.xml -H '.crumb: ...' 'http://localhost:8080/jenkins/job/run%20as%20devel/config.xml'
When next run, it was run as admin, bypassing the intent of the security restriction.
Not sure what to recommend as the fix. Storing the strategy as a JobProperty makes it inherently rather vulnerable to this kind of attack. The only general way to intercept uploadByXml and friends from a savable component is to let the user upload and save whatever XML they want, but use readResolve to check the authentication in effect at the time of the upload (will be SYSTEM if this is just being reloaded from disk), and to retroactively reject configurations being uploaded by an unauthorized user. You can study what the Script Security plugin does; look at SecureGroovyScript and its calls to ScriptApproval.configuring and .using. For a job property in particular you may be able to use a simpler solution by overriding setOwner.
(In this case you do want to let regular users update other parts of config.xml using REST or CLI, so long as !isAuthenticateionRequired(...) [sic] I suppose.)
Attachments
Issue Links
- is related to
-
-
- Closed
-
Activity
Code changed in jenkins
User: ikedam
Path:
src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy/help-noNeedReauthentication.html
src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy/help-noNeedReauthentication_ja.html
http://jenkins-ci.org/commit/authorize-project-plugin/6451b35f6d65b5c32f3ab302f7dfe5ed3a45b1e9
Log:
JENKINS-22469 Added notes to help of noNeedReauthentication that it does not work for REST/CLI.
Code changed in jenkins
User: ikedam
Path:
src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy.java
http://jenkins-ci.org/commit/authorize-project-plugin/ac6f88b0417c42c3227c74757fb02e5991f008a8
Log:
JENKINS-22469 Do not perform authentication when readResolve is called on startup.
Code changed in jenkins
User: ikedam
Path:
src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy.java
src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/Messages.properties
src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/Messages_ja.properties
src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy/help-noNeedReauthentication.html
src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy/help-noNeedReauthentication_ja.html
src/test/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest.java
src/test/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest/testLoadOnStart/config.xml
src/test/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest/testLoadOnStart/jobs/test/config.xml
src/test/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest/testLoadOnStart/users/admin/config.xml
src/test/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest/testLoadOnStart/users/test1/config.xml
src/test/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest/testLoadOnStart/users/test2/config.xml
http://jenkins-ci.org/commit/authorize-project-plugin/2374674a2a341c9be87eecb2a5e4d3b724304d6b
Log:
Merge pull request #5 from ikedam/feature/JENKINS-22469_RestCliBypassesAuthentication
JENKINS-22469 REST/CLI bypasses authentication
Compare: https://github.com/jenkinsci/authorize-project-plugin/compare/ef1e5a4fcb10...2374674a2a34
Code changed in jenkins
User: ikedam
Path:
src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy.java
src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/Messages.properties
src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/Messages_ja.properties
http://jenkins-ci.org/commit/authorize-project-plugin/bee6e628ef5fbd66ca59b2bd2abc2afad5c183c9
Log:
[FIXED JENKINS-22469] When configuring a project with SpecificUsersAuthorizationStrategy via REST/CLI, the user can specify only oneself or must be an administrator.