[JENKINS-28298] Can bypass the security check of authorize-project with CLI and REST of Jenkins 1.580.1

Type: Bug
Resolution: Fixed
Priority: Major
Component/s: authorize-project-plugin
Labels:
None
Environment:
Jenkins 1.580.1
authorize-project 1.0.3

Similar Issues:
Powered by SuggestiMate

Show

When running tests of authorize-project with Jenkins 1.580.1, tests failed as following:

SpecificUsersAuthorizationStrategyTest.testCliFailure:689 Values should be different. Actual: 0
SpecificUsersAuthorizationStrategyTest.testRestInterfaceFailure:525 null

This might mean you can bypass the security checks of authorize-project.

depends on

JENKINS-28440 Allow to reject specific configurations via REST and CLI

Resolved

is related to

JENKINS-22469 SpecificUsersAuthorizationStrategy easily bypassed by REST/CLI

Closed

ikedam created issue - 2015-05-07 22:23

ikedam made changes - 2015-05-10 00:55

Link

New: This issue is related to ~~JENKINS-22469~~ [ ~~JENKINS-22469~~ ]

ikedam added a comment - 2015-05-10 01:46

Instructions to reproduce the problem are written in ~~JENKINS-22469~~.

REST API

Returns HTTP status code 200.
No exceptions are logged in the system log.
The updated configuration is not loaded into the memory (authorization configuration gets empty in the configuration page).
But the new configuration is saved to the disk.
When restarting Jenkins you can active the new configuration.

CLI

The command exits with 0.
No exceptions are logged in the system log.
The updated configuration is not loaded into the memory (authorization configuration gets empty in the configuration page).
But the new configuration is saved to the disk.
When restarting Jenkins you can active the new configuration.

ikedam added a comment - 2015-05-10 01:46 Instructions to reproduce the problem are written in JENKINS-22469 . REST API Returns HTTP status code 200. No exceptions are logged in the system log. The updated configuration is not loaded into the memory (authorization configuration gets empty in the configuration page). But the new configuration is saved to the disk. When restarting Jenkins you can active the new configuration. CLI The command exits with 0. No exceptions are logged in the system log. The updated configuration is not loaded into the memory (authorization configuration gets empty in the configuration page). But the new configuration is saved to the disk. When restarting Jenkins you can active the new configuration.

ikedam added a comment - 2015-05-10 02:33

Jenkins version	Test result
1.532	Success
1.543	Success
1.544	Success
1.545	Faulure
1.548	Failure
1.554	Failure

ikedam added a comment - 2015-05-10 02:33 Jenkins version Test result 1.532 Success 1.543 Success 1.544 Success 1.545 Faulure 1.548 Failure 1.554 Failure

ikedam added a comment - 2015-05-10 02:33

Might be broken for ~~JENKINS-21024~~.
It is also ported to Jenkins-1.532.3.

ikedam added a comment - 2015-05-10 02:33 Might be broken for JENKINS-21024 . It is also ported to Jenkins-1.532.3.

ikedam added a comment - 2015-05-11 23:09 - edited

RobustReflectionConverter#addCriticalField introduced in SECURITY-107, 622e39f, Jenkins 1.551 (and backported to 1.532.2) will help me.

ikedam added a comment - 2015-05-11 23:09 - edited RobustReflectionConverter#addCriticalField introduced in SECURITY-107, 622e39f , Jenkins 1.551 (and backported to 1.532.2) will help me.

ikedam added a comment - 2015-05-14 22:13

Even I set the field critical, RobustReflectionConverter gets to throw an exception but CopyOnWriteList squashes the exception.
c350811

ikedam added a comment - 2015-05-14 22:13 Even I set the field critical, RobustReflectionConverter gets to throw an exception but CopyOnWriteList squashes the exception. c350811

ikedam added a comment - 2015-05-17 00:32

Throwing RuntimeException or Error don't help. Any exceptions are wrapped with InvocationTargetException by Java reflection and wrapped with XStreamException by xstream.

ikedam added a comment - 2015-05-17 00:32 Throwing RuntimeException or Error don't help. Any exceptions are wrapped with InvocationTargetException by Java reflection and wrapped with XStreamException by xstream.

ikedam made changes - 2015-05-17 00:55

Link

New: This issue depends on ~~JENKINS-28440~~ [ ~~JENKINS-28440~~ ]

ikedam added a comment - 2015-06-25 23:25

I'll introduce a feature like https://wiki.jenkins-ci.org/display/JENKINS/Extensible+Choice+Parameter+plugin#ExtensibleChoiceParameterplugin-Disablingproviders

ikedam added a comment - 2015-06-25 23:25 I'll introduce a feature like https://wiki.jenkins-ci.org/display/JENKINS/Extensible+Choice+Parameter+plugin#ExtensibleChoiceParameterplugin-Disablingproviders

Assignee:: ikedam

Reporter:: ikedam

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2015-05-07 22:23

Updated:: 2016-03-27 04:14

Resolved:: 2016-03-27 03:04

Jenkins

Details

Description

Attachments

Issue Links

Activity

Collapse comment: ikedam added a comment - 2015-05-10 01:46

Expand comment: ikedam added a comment - 2015-05-10 01:46

Collapse comment: ikedam added a comment - 2015-05-10 02:33

Expand comment: ikedam added a comment - 2015-05-10 02:33

Collapse comment: ikedam added a comment - 2015-05-10 02:33

Expand comment: ikedam added a comment - 2015-05-10 02:33

Collapse comment: ikedam added a comment - 2015-05-11 23:09, Edited by ikedam - 2015-05-11 23:19

Expand comment: ikedam added a comment - 2015-05-11 23:09, Edited by ikedam - 2015-05-11 23:19

Collapse comment: ikedam added a comment - 2015-05-14 22:13

Expand comment: ikedam added a comment - 2015-05-14 22:13

Collapse comment: ikedam added a comment - 2015-05-17 00:32

Expand comment: ikedam added a comment - 2015-05-17 00:32

Collapse comment: ikedam added a comment - 2015-06-25 23:25

Expand comment: ikedam added a comment - 2015-06-25 23:25

People

Dates