Jenkins
JENKINS-35503

Slack plugin reveals integration token


Details

    Description

      The Slack plugin reveals the integration token in the global configuration. In environments where many people have access to view the global configuration, this presents a security vulnerability, since the token appears to give access to quite a bit of the Slack instance (though it's not entirely clear where that's configured).


          Activity

            jglick Jesse Glick added a comment -

            SlackNotifier.DescriptorImpl.token, SlackNotifier.authToken, and SlackSendStep.token store what appears to be an authentication token in plaintext. This is a serious bug.

            The short fix is to change SlackNotifier.DescriptorImpl.token to use Secret and f:password, delete SlackSendStep.token (without JENKINS-27386 there is no safe way to use it), and preferably delete SlackNotifier.authToken as well.

            The better fix is to update the plugin to use the credentials API and thus store only String credentialsId (cf. JENKINS-27398 for the case of SlackSendStep).

            kmadel Kurt Madel added a comment -

            There is a PR to integrate with credentials but still a bit of work to do.

            kmadel Kurt Madel added a comment -

            One more note, with regard to the Pipeline step - you may use the withCredentials wrapper - see https://jenkins.io/doc/pipeline/steps/credentials-binding/#withcredentials-bind-credentials-to-variables

            jglick Jesse Glick added a comment -

            Do not use withCredentials for this purpose as the argument will temporarily be in plaintext, which could lead to vulnerabilities depending on circumstances.

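            The three storage choices discussed in the comments above (plaintext String, hudson.util.Secret with f:password, and a credentialsId resolved through the credentials API), as an added example that is not part of this issue or of the Slack plugin's code. The class and field names and the credential ID "slack-token" are assumed for illustration; the hudson.util.Secret, Credentials plugin and Plain Credentials plugin calls are the real APIs. The run-scoped variant also shows why a step that takes only an ID avoids the plaintext-argument exposure the withCredentials comment warns about.

```java
// Added illustration for JENKINS-35503; not code from the Slack plugin. Class,
// field and credential-ID names ("slack-token") are assumptions for the example.
package example;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.model.Run;
import hudson.security.ACL;
import hudson.util.Secret;
import jenkins.model.Jenkins;
import org.jenkinsci.plugins.plaincredentials.StringCredentials;

import java.util.Collections;

/**
 * BEFORE: the pattern the issue reports. A plain String is written to config.xml
 * verbatim and bound to an <f:textbox/> in global.jelly, so anyone who can open
 * the global configuration page reads the token back.
 */
class PlaintextTokenConfig {
    private String token;                       // <token>xoxb-...</token> on disk

    public String getToken() { return token; }
    public void setToken(String token) { this.token = token; }
}

/**
 * SHORT FIX from the first comment: hudson.util.Secret. The value is encrypted
 * with the instance key when it is serialized, and the matching form control is
 * <f:password/>, so neither config.xml nor the rendered form carries the token.
 * The plaintext still exists on the master; decrypt it only where the request
 * to Slack is built.
 */
class SecretTokenConfig {
    private Secret token;                       // encrypted string on disk

    public Secret getToken() { return token; }
    public void setToken(Secret token) { this.token = token; }

    /** Call this only from the code that actually talks to Slack. */
    String tokenForRequest() {
        return Secret.toString(token);          // "" when unset, never null
    }
}

/**
 * BETTER FIX from the same comment: keep only a credentials ID and resolve it at
 * send time through the Credentials API. config.xml holds a reference; the token
 * itself is stored and access-controlled by the Credentials plugin.
 */
class CredentialsIdTokenConfig {
    private String tokenCredentialId;           // e.g. "slack-token" (assumed ID)

    public String getTokenCredentialId() { return tokenCredentialId; }
    public void setTokenCredentialId(String id) { this.tokenCredentialId = id; }

    /** Global-configuration case: look up as SYSTEM against the Jenkins root. */
    Secret resolveGlobally() {
        StringCredentials c = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StringCredentials.class,
                        Jenkins.getInstance(),
                        ACL.SYSTEM,
                        Collections.<DomainRequirement>emptyList()),
                CredentialsMatchers.withId(tokenCredentialId));
        return requireSecret(c);
    }

    /**
     * Pipeline-step case: resolve against the Run, so the lookup is scoped to the
     * credentials that job is allowed to use. Because the step receives only the
     * ID, the token never appears as a step argument in the Pipeline script or in
     * the build's recorded step arguments.
     */
    Secret resolveForRun(Run<?, ?> run) {
        StringCredentials c = CredentialsProvider.findCredentialById(
                tokenCredentialId, StringCredentials.class, run);
        return requireSecret(c);
    }

    private Secret requireSecret(StringCredentials c) {
        if (c == null) {
            throw new IllegalStateException(
                    "No 'Secret text' credential with id " + tokenCredentialId);
        }
        return c.getSecret();                   // still a Secret; decrypt at the HTTP call
    }
}
```

            On the Jelly side, the Secret field pairs with `<f:password field="token"/>` and the credentials-ID field with the Credentials plugin's `<c:select field="tokenCredentialId"/>` (the "credentials select widget" named in the merge commit later in this thread); a `<f:textbox/>` bound to a String field is what produces the disclosure described in this issue.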
            kmadel Kurt Madel added a comment -

            See https://github.com/jenkinsci/slack-plugin/pull/247 for initial fix. Still allows users to expose auth token but provides highly visible warning.


            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Kurt Madel
            Path:
            README.md
            pom.xml
            src/main/java/jenkins/plugins/slack/SlackNotifier.java
            src/main/java/jenkins/plugins/slack/StandardSlackService.java
            src/main/java/jenkins/plugins/slack/workflow/SlackSendStep.java
            src/main/resources/jenkins/plugins/slack/SlackNotifier/config.jelly
            src/main/resources/jenkins/plugins/slack/SlackNotifier/global.jelly
            src/main/resources/jenkins/plugins/slack/workflow/SlackSendStep/config.jelly
            src/main/resources/jenkins/plugins/slack/workflow/SlackSendStep/help-tokenCredentialId.html
            src/main/webapp/help-globalConfig-tokenCredentialId.html
            src/main/webapp/help-projectConfig-slackTokenCredentialId.html
            src/test/java/jenkins/plugins/slack/SlackNotifierStub.java
            src/test/java/jenkins/plugins/slack/SlackNotifierTest.java
            src/test/java/jenkins/plugins/slack/StandardSlackServiceStub.java
            src/test/java/jenkins/plugins/slack/StandardSlackServiceTest.java
            src/test/java/jenkins/plugins/slack/workflow/SlackSendStepIntegrationTest.java
            src/test/java/jenkins/plugins/slack/workflow/SlackSendStepTest.java
            http://jenkins-ci.org/commit/slack-plugin/40a0ac49e279fb2956f349143725023baaf10cca
            Log:
            Merge pull request #247 from kmadel/pr-208

            Add Credentials Support with credentials select widget JENKINS-35503

            Compare: https://github.com/jenkinsci/slack-plugin/compare/e568a98e4fbe...40a0ac49e279
            kmadel Kurt Madel added a comment -

            slack 2.1


            People

              kmadel Kurt Madel
              dom Dominic Hargreaves
              Votes: 0
              Watchers: 4