Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-23475

Can bypass permission check of CopyArtifact with WebAPI/CLI

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Major Major
    • copyartifact-plugin
    • None
    • Copyartifact 1.30

      When specifying a project name to copy artifacts from without a variable, permission check is performed at configuration time.
      That check is performed in the constructor of CopyArtifact, and can be bypassed using WebAPI, which does not trigger the constructor (triggers readResolve instead).

      update: can be bypassed also with CLI.

          [JENKINS-23475] Can bypass permission check of CopyArtifact with WebAPI/CLI

          ikedam added a comment -

          I noticed this problem reviewing codes, and have not tested reproducing yet.
          I have to write a test code to reproduce this first.

          ikedam added a comment - I noticed this problem reviewing codes, and have not tested reproducing yet. I have to write a test code to reproduce this first.

          ikedam added a comment -

          https://github.com/jenkinsci/copyartifact-plugin/pull/41

          ikedam added a comment - https://github.com/jenkinsci/copyartifact-plugin/pull/41

          ikedam added a comment -

          Fixed in SECURITY-988

          ikedam added a comment - Fixed in SECURITY-988

            ikedam ikedam
            ikedam ikedam
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: