Details
-
Improvement
-
Status: Resolved (View Workflow)
-
Minor
-
Resolution: Fixed
-
None
-
Jenkins >= 1.545
Description
Plugins could reject configurations via REST and CLI in Jenkins < 1.545 by throwing exceptions in readResolve.
Authorize Project plugin performs authentications with this behavior.
Jenkins 1.545 suppresses exceptions in readResolve in JENKINS-21024 (also backported to Jenkins 1.532.3).
This results that throwing exceptions in readResolve prevents reading configurations into memories via REST / CLI but cannot prevents saving them to the disk.
Authorize-project doesn't perform authentications when Jenkins reads configurations from the disk and allows bypassing authentications.
Jenkins 1.551 introduced XStream2#addCriticalField in SECURITY-107 (also backported to Jenkins 1.532.2) which triggers critical errors by exceptions in readResolve but only applied to system configurations, not applied project configurations via REST / CLI. (Exceptions are suppressed in CopyOnWriteList)
Jenkins should provides a way for plugins to reject configurations via REST / CLI.
Attachments
Issue Links
- is blocking
-
JENKINS-28298 Can bypass the security check of authorize-project with CLI and REST of Jenkins 1.580.1
-
- Closed
-
- is related to
-
-
- Resolved
-
Activity
Code changed in jenkins
User: ikedam
Path:
core/src/main/java/jenkins/util/xstream/CriticalXStreamException.java
http://jenkins-ci.org/commit/jenkins/d6f9c5cdde8b80a40d3ce65f716099621c0ae9ce
Log:
JENKINS-28440 Added @since for CriticalXStreamException.
Code changed in jenkins
User: ikedam
Path:
test/src/test/java/hudson/util/RobustReflectionConverterTest.java
http://jenkins-ci.org/commit/jenkins/0d54d89a367e5b3de3bde6fcc590ba6bedbfa82e
Log:
JENKINS-28440 Uses CLICommandInvoker in tests.
Code changed in jenkins
User: Jesse Glick
Path:
core/src/main/java/jenkins/util/xstream/CriticalXStreamException.java
test/src/test/java/hudson/util/RobustReflectionConverterTest.java
http://jenkins-ci.org/commit/jenkins/69a98484c8a879fef9532e68670e72f5d74267b7
Log:
Merge pull request #1811 from ikedam/feature/JENKINS-28440_AdditionalFix
JENKINS-28440 Additional fixes for #1715
Compare: https://github.com/jenkinsci/jenkins/compare/bc2ad1b992d1...69a98484c8a8
Integrated in 
jenkins_main_trunk #4273
JENKINS-28440 Added @since for CriticalXStreamException. (Revision d6f9c5cdde8b80a40d3ce65f716099621c0ae9ce)
JENKINS-28440 Uses CLICommandInvoker in tests. (Revision 0d54d89a367e5b3de3bde6fcc590ba6bedbfa82e)
Result = SUCCESS
devld : d6f9c5cdde8b80a40d3ce65f716099621c0ae9ce
Files :
- core/src/main/java/jenkins/util/xstream/CriticalXStreamException.java
devld : 0d54d89a367e5b3de3bde6fcc590ba6bedbfa82e
Files :
- test/src/test/java/hudson/util/RobustReflectionConverterTest.java
Integrated in
jenkins_main_trunk #4250
JENKINS-28440Added tests to reproduce and explainJENKINS-28440. (Revision be67b45a31f2987dd20cdbdfd4b4997f5250d66f)[FIXED JENKINS-28440] Raises a critical exception for an error in a critical field. This allows plugins to reject unacceptable configurations via REST / CLI. (Revision 2082b08e2a0e54856370af9e3dda342475dff334)
JENKINS-28440Updates tests forJENKINS-28440to verify behaviors of UI. (Revision 7958928aedab9695379f17e6462f8b8236910497)Result = SUCCESS
devld : be67b45a31f2987dd20cdbdfd4b4997f5250d66f
Files :
devld : 2082b08e2a0e54856370af9e3dda342475dff334
Files :
devld : 7958928aedab9695379f17e6462f8b8236910497
Files :