[JENKINS-23475] Can bypass permission check of CopyArtifact with WebAPI/CLI - Jenkins Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Component/s: copyartifact-plugin
Labels:
None
Environment:
Copyartifact 1.30

Similar Issues:

Show
Released As:
https://github.com/jenkinsci/copyartifact-plugin/blob/master/CHANGELOG.adoc#144

Description

When specifying a project name to copy artifacts from without a variable, permission check is performed at configuration time.
That check is performed in the constructor of CopyArtifact, and can be bypassed using WebAPI, which does not trigger the constructor (triggers readResolve instead).

update: can be bypassed also with CLI.

Attachments

Issue Links

is related to

JENKINS-28247 Can bypass permission check of CopyArtifact with WorkflowJob

Closed

JENKINS-24888 Complete runtime permission check of Copyartifact

Closed

Activity

Ascending order - Click to sort in descending order

ikedam added a comment - 2014-06-17 23:39

I noticed this problem reviewing codes, and have not tested reproducing yet.
I have to write a test code to reproduce this first.

ikedam added a comment - 2014-06-17 23:39 I noticed this problem reviewing codes, and have not tested reproducing yet. I have to write a test code to reproduce this first.

ikedam added a comment - 2014-06-19 00:26

https://github.com/jenkinsci/copyartifact-plugin/pull/41

ikedam added a comment - 2014-06-19 00:26 https://github.com/jenkinsci/copyartifact-plugin/pull/41

ikedam added a comment - 2020-05-23 00:55

Fixed in SECURITY-988

ikedam added a comment - 2020-05-23 00:55 Fixed in SECURITY-988

People

Assignee:: ikedam

Reporter:: ikedam

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2014-06-17 23:34

Updated:: 2020-05-23 00:56

Resolved:: 2020-05-23 00:55