
Can bypass the security check of authorize-project with CLI and REST of Jenkins 1.580.1

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Labels: None
    • Environment: Jenkins 1.580.1
      authorize-project 1.0.3

      When running the tests of authorize-project with Jenkins 1.580.1, the tests failed as follows:

      SpecificUsersAuthorizationStrategyTest.testCliFailure:689 Values should be different. Actual: 0
      SpecificUsersAuthorizationStrategyTest.testRestInterfaceFailure:525 null
      

      This might mean you can bypass the security checks of authorize-project.


          ikedam added a comment -

          Instructions to reproduce the problem are written in JENKINS-22469.

          REST API

          • Returns HTTP status code 200.
          • No exceptions are logged in the system log.
          • The updated configuration is not loaded into the memory (authorization configuration gets empty in the configuration page).
          • But the new configuration is saved to the disk.
          • When restarting Jenkins you can activate the new configuration.

          CLI

          • The command exits with 0.
          • No exceptions are logged in the system log.
          • The updated configuration is not loaded into the memory (authorization configuration gets empty in the configuration page).
          • But the new configuration is saved to the disk.
          • When restarting Jenkins you can activate the new configuration.


          ikedam added a comment -

          Jenkins version   Test result
          1.532             Success
          1.543             Success
          1.544             Success
          1.545             Failure
          1.548             Failure
          1.554             Failure


          ikedam added a comment -

          Might be broken for JENKINS-21024.
          It is also ported to Jenkins-1.532.3.


          ikedam added a comment - - edited

          RobustReflectionConverter#addCriticalField introduced in SECURITY-107, 622e39f, Jenkins 1.551 (and backported to 1.532.2) will help me.


          ikedam added a comment -

          Even if I set the field critical, RobustReflectionConverter throws an exception but CopyOnWriteList squashes it.
          c350811


          ikedam added a comment -

          Throwing RuntimeException or Error doesn't help. Any exception is wrapped in InvocationTargetException by Java reflection and then in XStreamException by XStream.


          ikedam added a comment -

          I'll introduce a feature like https://wiki.jenkins-ci.org/display/JENKINS/Extensible+Choice+Parameter+plugin#ExtensibleChoiceParameterplugin-Disablingproviders

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: ikedam
          Path:
          src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectStrategyDescriptor.java
          src/main/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticator.java
          src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy.java
          src/main/resources/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticator/config.jelly
          http://jenkins-ci.org/commit/authorize-project-plugin/4bc59e08925e3ea63033681c1c461428c69ed098
          Log:
          JENKINS-28298 Added a feature to enable / disable strategies. Implemented only the configuration page, not yet execution time check.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: ikedam
          Path:
          src/main/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticator.java
          http://jenkins-ci.org/commit/authorize-project-plugin/369cb1011903edc7c67f78afaf30204b1520ea61
          Log:
          JENKINS-28298 Saves enabled / disabled configuration to the disk.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: ikedam
          Path:
          src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectProperty.java
          src/main/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticator.java
          src/main/resources/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectProperty/config.jelly
          http://jenkins-ci.org/commit/authorize-project-plugin/b22196085641ee3b3a80bbe08bbeff0c68e0df61
          Log:
          JENKINS-28298 Displays only enabled strategies in project configuration pages.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: ikedam
          Path:
          src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectProperty.java
          src/test/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest.java
          src/test/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest.java
          src/test/java/org/jenkinsci/plugins/authorizeproject/testutil/AuthorizeProjectJenkinsRule.java
          http://jenkins-ci.org/commit/authorize-project-plugin/5a5d514a20b79839a76d4d5f5a6a90520aaa1f5c
          Log:
          JENKINS-28298 Doesn't authorize with strategies disabled in global-security configuration.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: ikedam
          Path:
          src/test/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest.java
          src/test/resources/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest/NullAuthorizeProjectStrategy/config.jelly
          http://jenkins-ci.org/commit/authorize-project-plugin/396f3ea71966eeb309d73d3c829510572fb5843d
          Log:
          JENKINS-28298 Added tests for disabling strategies.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: ikedam
          Path:
          src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectProperty.java
          src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectStrategyDescriptor.java
          src/main/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticator.java
          src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy.java
          src/main/resources/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectProperty/config.jelly
          src/main/resources/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticator/config.jelly
          src/test/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest.java
          src/test/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest.java
          src/test/java/org/jenkinsci/plugins/authorizeproject/testutil/AuthorizeProjectJenkinsRule.java
          src/test/resources/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest/NullAuthorizeProjectStrategy/config.jelly
          http://jenkins-ci.org/commit/authorize-project-plugin/34ab30783ea9fb9659f38d86f90956664de3349d
          Log:
          Merge pull request #10 from ikedam/feature/JENKINS-28298_WorkaroundForAuthenticationBypass

          JENKINS-28298 Administrators can disable specific strategies

          Compare: https://github.com/jenkinsci/authorize-project-plugin/compare/9365f685c1fb...34ab30783ea9


          ikedam added a comment -

          Disabling strategies is introduced in authorize-project-1.1.0.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: ikedam
          Path:
          pom.xml
          src/test/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest.java
          http://jenkins-ci.org/commit/authorize-project-plugin/fa7ca0de7585a2334f52e72489a3e509f656eef1
          Log:
          JENKINS-28298 Targets Jenkins-1.625.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: ikedam
          Path:
          src/test/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest.java
          http://jenkins-ci.org/commit/authorize-project-plugin/ad44c7fb40382d3be87322d4facb4f981e5d4e0f
          Log:
          JENKINS-28298 Made `ProjectQueueItemAuthenticatorTest#testWorkflow` to work with strategyEnableMap.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: ikedam
          Path:
          src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectProperty.java
          http://jenkins-ci.org/commit/authorize-project-plugin/084778c790a055c1643252d4e1a48db04c63f143
          Log:
          [FIXED JENKINS-28298] Call `XStream2#addCriticalField` to reject unauthenticated configurations.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: ikedam
          Path:
          pom.xml
          src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectProperty.java
          src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectStrategy.java
          src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectStrategyDescriptor.java
          src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectUtil.java
          src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy.java
          src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SystemAuthorizationStrategy.java
          src/test/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest.java
          http://jenkins-ci.org/commit/authorize-project-plugin/5bcf6ca30231ee09970f6b7b1a1eedefce126bb4
          Log:
          Merge pull request #21 from ikedam/feature/JENKINS-28298_addCriticalField

          JENKINS-28298 Reject unauthenticated configurations via REST / CLI

          Compare: https://github.com/jenkinsci/authorize-project-plugin/compare/acf51252b1b0...5bcf6ca30231

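An illustrative reconstruction of the fix pattern referred to in the `[FIXED JENKINS-28298]` commit and the pull request #21 merge above, added here as an example; it is not the plugin's actual source. It assumes Jenkins core 1.551 or later (where `XStream2#addCriticalField` exists), the plugin's own `AuthorizeProjectStrategy` type, and a hypothetical `isConfigurableBy` hook on that strategy.

```java
// Example reconstruction of the JENKINS-28298 fix pattern. NOT the plugin's real code.
// Assumes Jenkins core >= 1.551 (XStream2#addCriticalField) and the plugin's
// AuthorizeProjectStrategy type; isConfigurableBy(...) is a hypothetical hook.
package org.jenkinsci.plugins.authorizeproject;

import hudson.init.InitMilestone;
import hudson.init.Initializer;
import hudson.model.Items;
import hudson.model.Job;
import hudson.model.JobProperty;
import hudson.security.ACL;
import jenkins.model.Jenkins;
import org.acegisecurity.Authentication;

public class AuthorizeProjectProperty extends JobProperty<Job<?, ?>> {
    private AuthorizeProjectStrategy strategy;

    public AuthorizeProjectProperty(AuthorizeProjectStrategy strategy) {
        this.strategy = strategy;
    }

    /*
     * Why this matters: RobustReflectionConverter is "robust" by design. When a
     * field fails to deserialize it logs, drops the field and continues, so a
     * config.xml POSTed via REST or pushed via CLI that was rejected by readResolve()
     * still produced HTTP 200 / exit 0, an empty strategy in memory, and the rejected
     * XML persisted on disk (activated on the next restart). Registering the field as
     * critical makes the converter propagate the failure, so the whole property is
     * rejected: nothing is applied and nothing is saved.
     */
    @Initializer(after = InitMilestone.PLUGINS_STARTED)
    public static void registerCriticalField() {
        Items.XSTREAM2.addCriticalField(AuthorizeProjectProperty.class, "strategy");
    }

    /** Runs on every unmarshal, including config submitted through REST and CLI. */
    private Object readResolve() {
        Authentication auth = Jenkins.getAuthentication();
        // SYSTEM (loading config.xml at startup) is trusted. A remote submitter must
        // hold ADMINISTER, or the strategy must declare itself safe for that user.
        boolean trusted = ACL.SYSTEM.equals(auth)
                || Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER)
                || (strategy != null && strategy.isConfigurableBy(auth)); // hypothetical hook
        if (!trusted) {
            // With "strategy" registered as critical this is no longer squashed.
            throw new IllegalStateException("authorize-project: strategy configuration by "
                    + (auth == null ? "anonymous" : auth.getName())
                    + " was rejected (REST/CLI submission not authorized)");
        }
        return this;
    }

    public AuthorizeProjectStrategy getStrategy() {
        return strategy;
    }
}
```

A quick check that the protection is in place after upgrading: submitting a job `config.xml` containing a strategy the caller is not permitted to set should now fail the request and leave both the in-memory and on-disk configuration unchanged, rather than the silent 200 / exit 0 described in the comments above.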

          ikedam added a comment -

          Fixed in authorize-project-1.2.0.
          It will be available in the update center in a day.

