[JENKINS-28298] Can bypass the security check of authorize-project with CLI and REST of Jenkins 1.580.1 - Jenkins Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Component/s: authorize-project-plugin
Labels:
None
Environment:
Jenkins 1.580.1
authorize-project 1.0.3

Similar Issues:

Show

Description

When running tests of authorize-project with Jenkins 1.580.1, tests failed as following:

SpecificUsersAuthorizationStrategyTest.testCliFailure:689 Values should be different. Actual: 0
SpecificUsersAuthorizationStrategyTest.testRestInterfaceFailure:525 null

This might mean you can bypass the security checks of authorize-project.

Attachments

Issue Links

depends on

JENKINS-28440 Allow to reject specific configurations via REST and CLI

Resolved

is related to

JENKINS-22469 SpecificUsersAuthorizationStrategy easily bypassed by REST/CLI

Closed

Activity

Descending order - Click to sort in ascending order

ikedam added a comment - 2016-03-27 04:14

Fixed in authorize-project-1.2.0.
It will be available in the update center in a day.

ikedam added a comment - 2016-03-27 04:14 Fixed in authorize-project-1.2.0. It will be available in the update center in a day.

SCM/JIRA link daemon added a comment - 2016-03-27 03:04

Code changed in jenkins
User: ikedam
Path:
pom.xml
src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectProperty.java
src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectStrategy.java
src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectStrategyDescriptor.java
src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectUtil.java
src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy.java
src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SystemAuthorizationStrategy.java
src/test/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest.java
http://jenkins-ci.org/commit/authorize-project-plugin/5bcf6ca30231ee09970f6b7b1a1eedefce126bb4
Log:
Merge pull request #21 from ikedam/feature/~~JENKINS-28298~~_addCriticalField

~~JENKINS-28298~~ Reject unauthenticated configurations via REST / CLI

Compare: https://github.com/jenkinsci/authorize-project-plugin/compare/acf51252b1b0...5bcf6ca30231

SCM/JIRA link daemon added a comment - 2016-03-27 03:04 Code changed in jenkins User: ikedam Path: pom.xml src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectProperty.java src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectStrategy.java src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectStrategyDescriptor.java src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectUtil.java src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy.java src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SystemAuthorizationStrategy.java src/test/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest.java http://jenkins-ci.org/commit/authorize-project-plugin/5bcf6ca30231ee09970f6b7b1a1eedefce126bb4 Log: Merge pull request #21 from ikedam/feature/ JENKINS-28298 _addCriticalField JENKINS-28298 Reject unauthenticated configurations via REST / CLI Compare: https://github.com/jenkinsci/authorize-project-plugin/compare/acf51252b1b0...5bcf6ca30231

SCM/JIRA link daemon added a comment - 2016-03-27 03:04

Code changed in jenkins
User: ikedam
Path:
src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectProperty.java
http://jenkins-ci.org/commit/authorize-project-plugin/084778c790a055c1643252d4e1a48db04c63f143
Log:
[FIXED JENKINS-28298] Call `XStream2#addCriticalField` to reject unauthenticated configurations.

SCM/JIRA link daemon added a comment - 2016-03-27 03:04 Code changed in jenkins User: ikedam Path: src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectProperty.java http://jenkins-ci.org/commit/authorize-project-plugin/084778c790a055c1643252d4e1a48db04c63f143 Log: [FIXED JENKINS-28298] Call `XStream2#addCriticalField` to reject unauthenticated configurations.

SCM/JIRA link daemon added a comment - 2016-03-27 03:04

Code changed in jenkins
User: ikedam
Path:
src/test/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest.java
http://jenkins-ci.org/commit/authorize-project-plugin/ad44c7fb40382d3be87322d4facb4f981e5d4e0f
Log:
~~JENKINS-28298~~ Made `ProjectQueueItemAuthenticatorTest#testWorkflow` to work with strategyEnableMap.

SCM/JIRA link daemon added a comment - 2016-03-27 03:04 Code changed in jenkins User: ikedam Path: src/test/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest.java http://jenkins-ci.org/commit/authorize-project-plugin/ad44c7fb40382d3be87322d4facb4f981e5d4e0f Log: JENKINS-28298 Made `ProjectQueueItemAuthenticatorTest#testWorkflow` to work with strategyEnableMap.

SCM/JIRA link daemon added a comment - 2016-03-27 03:04

Code changed in jenkins
User: ikedam
Path:
pom.xml
src/test/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest.java
http://jenkins-ci.org/commit/authorize-project-plugin/fa7ca0de7585a2334f52e72489a3e509f656eef1
Log:
~~JENKINS-28298~~ Targets Jenkins-1.625.

SCM/JIRA link daemon added a comment - 2016-03-27 03:04 Code changed in jenkins User: ikedam Path: pom.xml src/test/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest.java http://jenkins-ci.org/commit/authorize-project-plugin/fa7ca0de7585a2334f52e72489a3e509f656eef1 Log: JENKINS-28298 Targets Jenkins-1.625.

View 14 older comments

Jenkins

Can bypass the security check of authorize-project with CLI and REST of Jenkins 1.580.1

Details

Description

Attachments

Issue Links

Activity

People

Dates