JENKINS-22469

SpecificUsersAuthorizationStrategy easily bypassed by REST/CLI

Details

    Description

      SpecificUsersAuthorizationStrategy does an authentication check during newInstance, used by form binding. But this is trivially bypassed. I created two users (with Mock Security Realm): admin with ADMINISTER, and devel with Item.* permissions (also granting Computer.BUILD to everyone). As devel I created a job using this strategy and running as myself. Then I got its config.xml, replaced the text devel with admin, and used

      curl -i -u devel:devel -d @config.xml -H '.crumb: ...' 'http://localhost:8080/jenkins/job/run%20as%20devel/config.xml'
      

      When next run, it was run as admin, bypassing the intent of the security restriction.

      Not sure what to recommend as the fix. Storing the strategy as a JobProperty makes it inherently rather vulnerable to this kind of attack. The only general way to intercept uploadByXml and friends from a savable component is to let the user upload and save whatever XML they want, but use readResolve to check the authentication in effect at the time of the upload (will be SYSTEM if this is just being reloaded from disk), and to retroactively reject configurations being uploaded by an unauthorized user. You can study what the Script Security plugin does; look at SecureGroovyScript and its calls to ScriptApproval.configuring and .using. For a job property in particular you may be able to use a simpler solution by overriding setOwner.

      (In this case you do want to let regular users update other parts of config.xml using REST or CLI, so long as !isAuthenticateionRequired(...) [sic] I suppose.)

          Activity

            Code changed in jenkins
            User: ikedam
            Path:
            src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy.java
            src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/Messages.properties
            src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/Messages_ja.properties
            http://jenkins-ci.org/commit/authorize-project-plugin/bee6e628ef5fbd66ca59b2bd2abc2afad5c183c9
            Log:
            [FIXED JENKINS-22469] When configuring a project with SpecificUsersAuthorizationStrategy via REST/CLI, the user can specify only oneself or must be an administrator.


            Code changed in jenkins
            User: ikedam
            Path:
            src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy/help-noNeedReauthentication.html
            src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy/help-noNeedReauthentication_ja.html
            http://jenkins-ci.org/commit/authorize-project-plugin/6451b35f6d65b5c32f3ab302f7dfe5ed3a45b1e9
            Log:
            JENKINS-22469 Added notes to help of noNeedReauthentication that it does not work for REST/CLI.


            Code changed in jenkins
            User: ikedam
            Path:
            src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy.java
            http://jenkins-ci.org/commit/authorize-project-plugin/ac6f88b0417c42c3227c74757fb02e5991f008a8
            Log:
            JENKINS-22469 Do not perform authentication when readResolve is called on startup.


            Code changed in jenkins
            User: ikedam
            Path:
            src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy.java
            src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/Messages.properties
            src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/Messages_ja.properties
            src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy/help-noNeedReauthentication.html
            src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy/help-noNeedReauthentication_ja.html
            src/test/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest.java
            src/test/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest/testLoadOnStart/config.xml
            src/test/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest/testLoadOnStart/jobs/test/config.xml
            src/test/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest/testLoadOnStart/users/admin/config.xml
            src/test/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest/testLoadOnStart/users/test1/config.xml
            src/test/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest/testLoadOnStart/users/test2/config.xml
            http://jenkins-ci.org/commit/authorize-project-plugin/2374674a2a341c9be87eecb2a5e4d3b724304d6b
            Log:
            Merge pull request #5 from ikedam/feature/JENKINS-22469_RestCliBypassesAuthentication

            JENKINS-22469 REST/CLI bypasses authentication

            Compare: https://github.com/jenkinsci/authorize-project-plugin/compare/ef1e5a4fcb10...2374674a2a34

            ikedam ikedam added a comment -

            Released in 1.0.3.
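
The check proposed in the description and summarised in the fix commit logs (a user may name only themselves unless they are an administrator, and nothing is checked when `readResolve` runs as SYSTEM on startup), as an added example that is not the plugin's code. It uses plain Java serialization instead of Jenkins' XStream and a thread-local stand-in for the current authentication; `RunAsStrategy`, `CURRENT_USER` and `isAdmin` are hypothetical names.

```java
import java.io.*;
public class ReadResolveAuthCheck {
    // Hypothetical stand-ins for Jenkins' security context (assumptions, not plugin code).
    static final String SYSTEM = "SYSTEM";
    static final ThreadLocal<String> CURRENT_USER = ThreadLocal.withInitial(() -> SYSTEM);
    static boolean isAdmin(String user) { return "admin".equals(user); }

    static class RunAsStrategy implements Serializable {
        private static final long serialVersionUID = 1L;
        final String userid;
        RunAsStrategy(String userid) { this.userid = userid; }

        // Runs on every deserialization, whichever entry point supplied the data.
        private Object readResolve() throws ObjectStreamException {
            String caller = CURRENT_USER.get();
            if (SYSTEM.equals(caller)) return this;  // reload from disk, e.g. on startup
            if (caller.equals(userid) || isAdmin(caller)) return this;
            throw new InvalidObjectException(caller + " may not run a job as " + userid);
        }
    }

    static byte[] save(RunAsStrategy s) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(s); }
        return buf.toByteArray();
    }

    // True when the stored configuration is accepted for the given caller.
    static boolean load(byte[] data, String caller) throws Exception {
        CURRENT_USER.set(caller);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.readObject();
            return true;
        } catch (InvalidObjectException rejected) {
            return false;
        } finally {
            CURRENT_USER.set(SYSTEM);
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] runAsAdmin = save(new RunAsStrategy("admin"));  // constructed sample configs
        byte[] runAsDevel = save(new RunAsStrategy("devel"));
        System.out.println("devel saves run-as-admin: " + load(runAsAdmin, "devel"));
        System.out.println("devel saves run-as-devel: " + load(runAsDevel, "devel"));
        System.out.println("admin saves run-as-admin: " + load(runAsAdmin, "admin"));
        System.out.println("SYSTEM reload on startup: " + load(runAsAdmin, SYSTEM));
    }
}
```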


            People

              ikedam ikedam
              jglick Jesse Glick