JENKINS-28298

Can bypass the security check of authorize-project with CLI and REST of Jenkins 1.580.1


Details

    Description

      When running the tests of authorize-project with Jenkins 1.580.1, the tests failed as follows:

      SpecificUsersAuthorizationStrategyTest.testCliFailure:689 Values should be different. Actual: 0
      SpecificUsersAuthorizationStrategyTest.testRestInterfaceFailure:525 null
      

      This might mean you can bypass the security checks of authorize-project.

          Activity

            ikedam ikedam created issue -
            ikedam ikedam made changes -
            Field Original Value New Value
            Link This issue is related to JENKINS-22469 [ JENKINS-22469 ]
            ikedam ikedam added a comment -

            Instructions to reproduce the problem are written in JENKINS-22469.

            REST API

            • Returns HTTP status code 200.
            • No exceptions are logged in the system log.
            • The updated configuration is not loaded into the memory (authorization configuration gets empty in the configuration page).
            • But the new configuration is saved to the disk.
            • When restarting Jenkins you can activate the new configuration.

            CLI

            • The command exits with 0.
            • No exceptions are logged in the system log.
            • The updated configuration is not loaded into the memory (authorization configuration gets empty in the configuration page).
            • But the new configuration is saved to the disk.
            • When restarting Jenkins you can activate the new configuration.
            ikedam ikedam added a comment -
            Jenkins version   Test result
            1.532             Success
            1.543             Success
            1.544             Success
            1.545             Failure
            1.548             Failure
            1.554             Failure
            ikedam ikedam added a comment -

            Might be broken for JENKINS-21024.
            It is also ported to Jenkins-1.532.3.

            ikedam ikedam added a comment - - edited

            RobustReflectionConverter#addCriticalField introduced in SECURITY-107, 622e39f, Jenkins 1.551 (and backported to 1.532.2) will help me.

            ikedam ikedam added a comment -

            Even if I set the field critical, RobustReflectionConverter gets to throw an exception, but CopyOnWriteList squashes the exception.
            c350811

            ikedam ikedam added a comment -

            Throwing RuntimeException or Error doesn't help. Any exception is wrapped in InvocationTargetException by Java reflection and then in XStreamException by XStream.

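The fail-open behaviour the comments above describe (a field whose security check throws is swallowed by a "robust" converter, so the authorization field is dropped while the rest of the configuration is still persisted) and the fail-closed effect of registering that field as critical, as an added Python model. This is a constructed illustration and not the code of Jenkins' RobustReflectionConverter, XStream, or the authorize-project plugin; the names RobustConverter, make_strategy_parser and submit_config, the "only yourself unless admin-approved" rule, and the sample submission are assumptions made for the example.

```python
import logging
from dataclasses import dataclass, field

log = logging.getLogger("converter-model")


class SecurityCheckError(Exception):
    """Raised by a field parser when the submitted value fails its authentication check."""


class ConversionError(Exception):
    """Converter-level failure that aborts the whole unmarshal (plays the role of XStreamException)."""


@dataclass
class RobustConverter:
    """Constructed model of a 'robust' reflection converter (assumed behaviour, not Jenkins code).

    A field whose parser throws is logged and skipped (fail-open), unless the
    (type, field) pair was registered via add_critical_field, in which case the
    whole object is rejected (fail-closed).
    """
    critical_fields: set = field(default_factory=set)

    def add_critical_field(self, type_name: str, field_name: str) -> None:
        self.critical_fields.add((type_name, field_name))

    def unmarshal(self, type_name: str, raw: dict, parsers: dict) -> dict:
        obj = {}
        for name, value in raw.items():
            parser = parsers.get(name, lambda v: v)
            try:
                obj[name] = parser(value)
            except Exception as exc:
                # Whatever the parser threw arrives here the same way; only the
                # critical-field registration decides whether the object survives.
                if (type_name, name) in self.critical_fields:
                    raise ConversionError(f"{type_name}.{name}: {exc}") from exc
                log.warning("dropping field %s.%s: %s", type_name, name, exc)
        return obj


def make_strategy_parser(current_user: str):
    """Parser for the 'strategy' field (assumed rule): a submitter may only make the
    project run as themselves, unless an administrator approved the value."""
    def parse(value: dict) -> dict:
        if value.get("user") != current_user and not value.get("admin_approved", False):
            raise SecurityCheckError(
                f"{current_user!r} may not configure the project to run as {value.get('user')!r}")
        return dict(value)
    return parse


def submit_config(converter: RobustConverter, raw: dict, current_user: str):
    """Model of a config.xml submission through REST or the CLI.

    Returns (saved, stored_object). With fail-open conversion the object is saved
    even though the security-checked field was dropped; with the field registered
    as critical the submission is rejected outright and nothing is stored.
    """
    parsers = {"strategy": make_strategy_parser(current_user)}
    try:
        obj = converter.unmarshal("AuthorizeProjectProperty", raw, parsers)
    except ConversionError as exc:
        log.error("rejected submission: %s", exc)
        return False, None
    return True, obj


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample: user 'bob' submits a configuration that would run the job as 'admin'.
    raw = {"name": "job1", "strategy": {"user": "admin"}}

    fail_open = RobustConverter()
    print(submit_config(fail_open, raw, "bob"))    # (True, {'name': 'job1'}): strategy dropped, config still saved

    fail_closed = RobustConverter()
    fail_closed.add_critical_field("AuthorizeProjectProperty", "strategy")
    print(submit_config(fail_closed, raw, "bob"))  # (False, None): whole submission rejected
```

The fail-open run reproduces the symptom listed for both REST and CLI above: the request succeeds, the authorization configuration comes back empty, and the remaining configuration is still written. Registering the field as critical is what turns the swallowed per-field error into a rejection of the whole submission.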
            ikedam ikedam made changes -
            Link This issue depends on JENKINS-28440 [ JENKINS-28440 ]
            ikedam ikedam added a comment -

            I'll introduce a feature like https://wiki.jenkins-ci.org/display/JENKINS/Extensible+Choice+Parameter+plugin#ExtensibleChoiceParameterplugin-Disablingproviders

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectStrategyDescriptor.java
            src/main/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticator.java
            src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy.java
            src/main/resources/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticator/config.jelly
            http://jenkins-ci.org/commit/authorize-project-plugin/4bc59e08925e3ea63033681c1c461428c69ed098
            Log:
            JENKINS-28298 Added a feature to enable / disable strategies. Implemented only the configuration page, not yet execution time check.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            src/main/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticator.java
            http://jenkins-ci.org/commit/authorize-project-plugin/369cb1011903edc7c67f78afaf30204b1520ea61
            Log:
            JENKINS-28298 Saves enabled / disabled configuration to the disk.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectProperty.java
            src/main/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticator.java
            src/main/resources/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectProperty/config.jelly
            http://jenkins-ci.org/commit/authorize-project-plugin/b22196085641ee3b3a80bbe08bbeff0c68e0df61
            Log:
            JENKINS-28298 Displays only enabled strategies in project configuration pages.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectProperty.java
            src/test/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest.java
            src/test/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest.java
            src/test/java/org/jenkinsci/plugins/authorizeproject/testutil/AuthorizeProjectJenkinsRule.java
            http://jenkins-ci.org/commit/authorize-project-plugin/5a5d514a20b79839a76d4d5f5a6a90520aaa1f5c
            Log:
            JENKINS-28298 Doesn't authorize with strategies disabled in global-security configuration.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            src/test/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest.java
            src/test/resources/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest/NullAuthorizeProjectStrategy/config.jelly
            http://jenkins-ci.org/commit/authorize-project-plugin/396f3ea71966eeb309d73d3c829510572fb5843d
            Log:
            JENKINS-28298 Added tests for disabling strategies.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectProperty.java
            src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectStrategyDescriptor.java
            src/main/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticator.java
            src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy.java
            src/main/resources/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectProperty/config.jelly
            src/main/resources/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticator/config.jelly
            src/test/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest.java
            src/test/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest.java
            src/test/java/org/jenkinsci/plugins/authorizeproject/testutil/AuthorizeProjectJenkinsRule.java
            src/test/resources/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest/NullAuthorizeProjectStrategy/config.jelly
            http://jenkins-ci.org/commit/authorize-project-plugin/34ab30783ea9fb9659f38d86f90956664de3349d
            Log:
            Merge pull request #10 from ikedam/feature/JENKINS-28298_WorkaroundForAuthenticationBypass

            JENKINS-28298 Administrators can disable specific strategies

            Compare: https://github.com/jenkinsci/authorize-project-plugin/compare/9365f685c1fb...34ab30783ea9
            ikedam ikedam added a comment -

            Disabling strategies is introduced in authorize-project-1.1.0.


            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            pom.xml
            src/test/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest.java
            http://jenkins-ci.org/commit/authorize-project-plugin/fa7ca0de7585a2334f52e72489a3e509f656eef1
            Log:
            JENKINS-28298 Targets Jenkins-1.625.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            src/test/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest.java
            http://jenkins-ci.org/commit/authorize-project-plugin/ad44c7fb40382d3be87322d4facb4f981e5d4e0f
            Log:
            JENKINS-28298 Made `ProjectQueueItemAuthenticatorTest#testWorkflow` to work with strategyEnableMap.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectProperty.java
            http://jenkins-ci.org/commit/authorize-project-plugin/084778c790a055c1643252d4e1a48db04c63f143
            Log:
            [FIXED JENKINS-28298] Call `XStream2#addCriticalField` to reject unauthenticated configurations.
            scm_issue_link SCM/JIRA link daemon made changes -
            Resolution Fixed [ 1 ]
            Status Open [ 1 ] Resolved [ 5 ]

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            pom.xml
            src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectProperty.java
            src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectStrategy.java
            src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectStrategyDescriptor.java
            src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectUtil.java
            src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy.java
            src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SystemAuthorizationStrategy.java
            src/test/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest.java
            http://jenkins-ci.org/commit/authorize-project-plugin/5bcf6ca30231ee09970f6b7b1a1eedefce126bb4
            Log:
            Merge pull request #21 from ikedam/feature/JENKINS-28298_addCriticalField

            JENKINS-28298 Reject unauthenticated configurations via REST / CLI

            Compare: https://github.com/jenkinsci/authorize-project-plugin/compare/acf51252b1b0...5bcf6ca30231
            ikedam ikedam added a comment -

            Fixed in authorize-project-1.2.0.
            It will be available in the update center in a day.

            ikedam ikedam made changes -
            Status Resolved [ 5 ] Closed [ 6 ]
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 163133 ] JNJira + In-Review [ 208751 ]

            People

              ikedam ikedam
              ikedam ikedam