
Can bypass the security check of authorize-project with CLI and REST of Jenkins 1.580.1

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Environment:
      Jenkins 1.580.1
      authorize-project 1.0.3

      When running the tests of authorize-project with Jenkins 1.580.1, the tests failed as follows:

      SpecificUsersAuthorizationStrategyTest.testCliFailure:689 Values should be different. Actual: 0
      SpecificUsersAuthorizationStrategyTest.testRestInterfaceFailure:525 null
      

      This might mean you can bypass the security checks of authorize-project.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: ikedam
          Path:
          src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectProperty.java
          src/main/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticator.java
          src/main/resources/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectProperty/config.jelly
          http://jenkins-ci.org/commit/authorize-project-plugin/b22196085641ee3b3a80bbe08bbeff0c68e0df61
          Log:
          JENKINS-28298 Displays only enabled strategies in project configuration pages.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: ikedam
          Path:
          src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectProperty.java
          src/test/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest.java
          src/test/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest.java
          src/test/java/org/jenkinsci/plugins/authorizeproject/testutil/AuthorizeProjectJenkinsRule.java
          http://jenkins-ci.org/commit/authorize-project-plugin/5a5d514a20b79839a76d4d5f5a6a90520aaa1f5c
          Log:
          JENKINS-28298 Doesn't authorize with strategies disabled in global-security configuration.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: ikedam
          Path:
          src/test/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest.java
          src/test/resources/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest/NullAuthorizeProjectStrategy/config.jelly
          http://jenkins-ci.org/commit/authorize-project-plugin/396f3ea71966eeb309d73d3c829510572fb5843d
          Log:
          JENKINS-28298 Added tests for disabling strategies.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: ikedam
          Path:
          src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectProperty.java
          src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectStrategyDescriptor.java
          src/main/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticator.java
          src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy.java
          src/main/resources/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectProperty/config.jelly
          src/main/resources/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticator/config.jelly
          src/test/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest.java
          src/test/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest.java
          src/test/java/org/jenkinsci/plugins/authorizeproject/testutil/AuthorizeProjectJenkinsRule.java
          src/test/resources/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest/NullAuthorizeProjectStrategy/config.jelly
          http://jenkins-ci.org/commit/authorize-project-plugin/34ab30783ea9fb9659f38d86f90956664de3349d
          Log:
          Merge pull request #10 from ikedam/feature/JENKINS-28298_WorkaroundForAuthenticationBypass

          JENKINS-28298 Administrators can disable specific strategies

          Compare: https://github.com/jenkinsci/authorize-project-plugin/compare/9365f685c1fb...34ab30783ea9

          ikedam added a comment -

          Disabling strategies is introduced in authorize-project-1.1.0.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: ikedam
          Path:
          pom.xml
          src/test/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest.java
          http://jenkins-ci.org/commit/authorize-project-plugin/fa7ca0de7585a2334f52e72489a3e509f656eef1
          Log:
          JENKINS-28298 Targets Jenkins-1.625.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: ikedam
          Path:
          src/test/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest.java
          http://jenkins-ci.org/commit/authorize-project-plugin/ad44c7fb40382d3be87322d4facb4f981e5d4e0f
          Log:
          JENKINS-28298 Made `ProjectQueueItemAuthenticatorTest#testWorkflow` to work with strategyEnableMap.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: ikedam
          Path:
          src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectProperty.java
          http://jenkins-ci.org/commit/authorize-project-plugin/084778c790a055c1643252d4e1a48db04c63f143
          Log:
          [FIXED JENKINS-28298] Call `XStream2#addCriticalField` to reject unauthenticated configurations.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: ikedam
          Path:
          pom.xml
          src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectProperty.java
          src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectStrategy.java
          src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectStrategyDescriptor.java
          src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectUtil.java
          src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy.java
          src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SystemAuthorizationStrategy.java
          src/test/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest.java
          http://jenkins-ci.org/commit/authorize-project-plugin/5bcf6ca30231ee09970f6b7b1a1eedefce126bb4
          Log:
          Merge pull request #21 from ikedam/feature/JENKINS-28298_addCriticalField

          JENKINS-28298 Reject unauthenticated configurations via REST / CLI

          Compare: https://github.com/jenkinsci/authorize-project-plugin/compare/acf51252b1b0...5bcf6ca30231
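The two commits above (084778c7 and the PR #21 merge) name the mechanism of the final fix: the property's strategy field is registered as a critical field with Jenkins core's XStream2, so that an exception raised while deserialising that field from a config.xml submitted over REST or the CLI rejects the whole submission instead of being logged and dropped. The following is an added illustration of how that wiring looks in a plugin; it is not the authorize-project plugin's own code and was not posted on this issue. The package and the class, field and method names (`example`, `DemoAuthProperty`, `DemoStrategy`, `runAsUser`, `markStrategyCritical`) are hypothetical. `Items.XSTREAM2`, `XStream2#addCriticalField`, `@Initializer`, `Jenkins.getAuthentication()`, `Jenkins.getInstance()` and `ACL.SYSTEM` are real Jenkins core APIs of the period (a core new enough to have `addCriticalField` is assumed, which is why the plugin's pom was bumped). The web-form path goes through the descriptor rather than XStream and needs its own check; that is not shown.

```java
// Added example, not the authorize-project plugin's code. Package and all
// Demo* names are hypothetical; the hudson.*/jenkins.* APIs are real.
package example;

import hudson.Extension;
import hudson.init.InitMilestone;
import hudson.init.Initializer;
import hudson.model.Items;
import hudson.model.Job;
import hudson.model.JobProperty;
import hudson.model.JobPropertyDescriptor;
import hudson.security.ACL;
import jenkins.model.Jenkins;
import org.acegisecurity.Authentication;
import org.kohsuke.stapler.DataBoundConstructor;

/** Job property recording which user's authority builds of the job run with. */
public class DemoAuthProperty extends JobProperty<Job<?, ?>> {

    /** Read from config.xml; its readResolve() performs the authorisation check. */
    private final DemoStrategy strategy;

    @DataBoundConstructor
    public DemoAuthProperty(DemoStrategy strategy) {
        this.strategy = strategy;
    }

    public DemoStrategy getStrategy() {
        return strategy;
    }

    /**
     * Jenkins' tolerant XStream converters normally catch an exception thrown
     * while reading a single field, record it for the "old data" monitor and
     * keep the rest of the object. That is exactly what lets a config.xml
     * posted via REST or the CLI be stored even though the nested check below
     * failed. Registering the field as critical makes the exception propagate
     * and abort the whole update.
     */
    @Initializer(after = InitMilestone.PLUGINS_STARTED)
    public static void markStrategyCritical() {
        Items.XSTREAM2.addCriticalField(DemoAuthProperty.class, "strategy");
    }

    @Extension
    public static class DescriptorImpl extends JobPropertyDescriptor {
        @Override
        public String getDisplayName() {
            return "Demo: run builds as a specific user";
        }
    }

    /** The nested value whose deserialisation is guarded. */
    public static final class DemoStrategy {
        private final String runAsUser;

        @DataBoundConstructor
        public DemoStrategy(String runAsUser) {
            this.runAsUser = runAsUser;
        }

        public String getRunAsUser() {
            return runAsUser;
        }

        /**
         * XStream invokes readResolve() after populating the fields, on the
         * thread handling the submission, so Jenkins.getAuthentication() is
         * the identity of whoever sent the config.xml (REST and CLI alike).
         * Jobs loaded from $JENKINS_HOME at startup are read as SYSTEM and
         * are not re-checked.
         */
        private Object readResolve() {
            Authentication submitter = Jenkins.getAuthentication();
            if (ACL.SYSTEM.equals(submitter)) {
                return this;            // startup load, not a user submission
            }
            if (submitter.getName().equals(runAsUser)) {
                return this;            // a user may always name themself
            }
            if (Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER)) {
                return this;            // administrators may name anyone
            }
            // XStream wraps this in its own exception; because "strategy" is a
            // critical field of DemoAuthProperty, the whole update is rejected.
            throw new IllegalStateException("User " + submitter.getName()
                    + " is not allowed to make builds run as " + runAsUser);
        }
    }
}
```

The point of the nesting is that the check lives in the object read for the critical field, not in the property itself: an exception from the property's own readResolve() would surface one level up, inside the job's property list, where the collection converter would still swallow it. Only exceptions raised while reading a registered critical field are rethrown all the way out of the unmarshal.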

          ikedam added a comment -

          Fixed in authorize-project-1.2.0.
          It will be available in the update center in a day.

            Assignee: ikedam
            Reporter: ikedam