[JENKINS-23165] Config.gerritAuthKeyFilePassword stored in plaintext

Type: Bug
Resolution: Fixed
Priority: Critical
Component/s: gerrit-trigger-plugin
Labels:
- security

Similar Issues:
Powered by SuggestiMate

Show

Secrets should never be stored in plaintext, and once stored, should never be sent back to the browser in plaintext. Declare the field and the bean property to be of type hudson.util.Secret, so it is protected by the master key. Form data binding with <f:password> and @DataBoundConstructor automatically deals with this; since you seem to be managing this form manually, just use fromString to convert an initially entered password, and for round-trips use getEncryptedValue and again fromString. XStream serialization will properly automatically. PR upon request.

rin_ne added a comment - 2014-05-26 13:55 - edited

~~Secret.fromString() raises NPE when given parameter is null or empty string.~~

Sorry, my bad. Test has no Jenkins instance.

rin_ne added a comment - 2014-05-26 13:55 - edited Secret.fromString() raises NPE when given parameter is null or empty string. Sorry, my bad. Test has no Jenkins instance.

rin_ne added a comment - 2014-05-27 10:05

PR: https://github.com/jenkinsci/gerrit-trigger-plugin/pull/157

rin_ne added a comment - 2014-05-27 10:05 PR: https://github.com/jenkinsci/gerrit-trigger-plugin/pull/157

SCM/JIRA link daemon added a comment - 2014-05-27 12:19

Code changed in jenkins
User: rinrinne
Path:
src/main/java/com/sonyericsson/hudson/plugins/gerrit/trigger/config/Config.java
src/test/java/com/sonyericsson/hudson/plugins/gerrit/trigger/config/ConfigTest.java
http://jenkins-ci.org/commit/gerrit-trigger-plugin/7d6bcae8a93087d97cbfaece7099f8afdde7bf49
Log:
Store encrypted password

Now password for SSH authentication file is stored as plain text.

This patch fixes it. Already stored password would be replaced to
encrypted ones if config is saved once.

Fix for ~~JENKINS-23165~~

SCM/JIRA link daemon added a comment - 2014-05-27 12:19 Code changed in jenkins User: rinrinne Path: src/main/java/com/sonyericsson/hudson/plugins/gerrit/trigger/config/Config.java src/test/java/com/sonyericsson/hudson/plugins/gerrit/trigger/config/ConfigTest.java http://jenkins-ci.org/commit/gerrit-trigger-plugin/7d6bcae8a93087d97cbfaece7099f8afdde7bf49 Log: Store encrypted password Now password for SSH authentication file is stored as plain text. This patch fixes it. Already stored password would be replaced to encrypted ones if config is saved once. Fix for JENKINS-23165

Jesse Glick added a comment - 2014-05-27 15:52

As mentioned in the PR,

should never be sent back to the browser in plaintext

does not seem to be satisfied.

Jesse Glick added a comment - 2014-05-27 15:52 As mentioned in the PR, should never be sent back to the browser in plaintext does not seem to be satisfied.

rin_ne added a comment - 2014-05-28 02:54

PR: https://github.com/jenkinsci/gerrit-trigger-plugin/pull/158

rin_ne added a comment - 2014-05-28 02:54 PR: https://github.com/jenkinsci/gerrit-trigger-plugin/pull/158

SCM/JIRA link daemon added a comment - 2014-06-02 14:15

Code changed in jenkins
User: rinrinne
Path:
src/main/java/com/sonyericsson/hudson/plugins/gerrit/trigger/config/Config.java
src/main/java/com/sonyericsson/hudson/plugins/gerrit/trigger/config/IGerritHudsonTriggerConfig.java
src/main/resources/com/sonyericsson/hudson/plugins/gerrit/trigger/GerritServer/index.jelly
src/test/java/com/sonyericsson/hudson/plugins/gerrit/trigger/config/ConfigTest.java
src/test/java/com/sonyericsson/hudson/plugins/gerrit/trigger/mock/MockGerritHudsonTriggerConfig.java
http://jenkins-ci.org/commit/gerrit-trigger-plugin/d402536e48c300aa435c3f3e519e7754fc769ecf
Log:
Prevent to send plaintext password to browser

Fix for ~~JENKINS-23165~~ and pull #157

SCM/JIRA link daemon added a comment - 2014-06-02 14:15 Code changed in jenkins User: rinrinne Path: src/main/java/com/sonyericsson/hudson/plugins/gerrit/trigger/config/Config.java src/main/java/com/sonyericsson/hudson/plugins/gerrit/trigger/config/IGerritHudsonTriggerConfig.java src/main/resources/com/sonyericsson/hudson/plugins/gerrit/trigger/GerritServer/index.jelly src/test/java/com/sonyericsson/hudson/plugins/gerrit/trigger/config/ConfigTest.java src/test/java/com/sonyericsson/hudson/plugins/gerrit/trigger/mock/MockGerritHudsonTriggerConfig.java http://jenkins-ci.org/commit/gerrit-trigger-plugin/d402536e48c300aa435c3f3e519e7754fc769ecf Log: Prevent to send plaintext password to browser Fix for JENKINS-23165 and pull #157

Assignee:: rsandell

Reporter:: Jesse Glick

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2014-05-23 11:22

Updated:: 2014-06-03 01:19

Resolved:: 2014-06-03 01:19

Jenkins

Details

Description

Attachments

Activity

Collapse comment: rin_ne added a comment - 2014-05-26 13:55, Edited by rin_ne - 2014-05-27 08:44

Expand comment: rin_ne added a comment - 2014-05-26 13:55, Edited by rin_ne - 2014-05-27 08:44

Collapse comment: rin_ne added a comment - 2014-05-27 10:05

Expand comment: rin_ne added a comment - 2014-05-27 10:05

Collapse comment: SCM/JIRA link daemon added a comment - 2014-05-27 12:19

Expand comment: SCM/JIRA link daemon added a comment - 2014-05-27 12:19

Collapse comment: Jesse Glick added a comment - 2014-05-27 15:52

Expand comment: Jesse Glick added a comment - 2014-05-27 15:52

Collapse comment: rin_ne added a comment - 2014-05-28 02:54

Expand comment: rin_ne added a comment - 2014-05-28 02:54

Collapse comment: SCM/JIRA link daemon added a comment - 2014-06-02 14:15

Expand comment: SCM/JIRA link daemon added a comment - 2014-06-02 14:15

People

Dates