
Slack plugin reveals integration token


    Details


      Description

      The Slack plugin reveals the integration token in the global configuration. In environments where many people have access to view the global configuration, this presents a security vulnerability since the token appears to give access to quite a bit of the Slack instance (though it's not entirely clear where that's configured).


            Activity

            jglick Jesse Glick added a comment -

            SlackNotifier.DescriptorImpl.token, SlackNotifier.authToken, and SlackSendStep.token store what appears to be an authentication token in plaintext. This is a serious bug.

            The short fix is to change SlackNotifier.DescriptorImpl.token to use Secret and f:password, delete SlackSendStep.token (without JENKINS-27386 there is no safe way to use it), and preferably delete SlackNotifier.authToken as well.

            The better fix is to update the plugin to use the credentials API and thus store only String credentialsId (cf. JENKINS-27398 for the case of SlackSendStep).

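            The two fixes Jesse Glick describes, side by side, as an added illustration that is not code from the slack-plugin or from anyone on this issue. The class name `ExampleGlobalConfig`, its package and its field names are hypothetical; the Jenkins core APIs (`hudson.util.Secret`, `jenkins.model.GlobalConfiguration`) and the credentials-plugin APIs (`CredentialsProvider`, `CredentialsMatchers`, `StringCredentials` from the plain-credentials plugin) are the real ones a plugin would use.

```java
// Added example, not code from the slack-plugin or from the comment's author.
// Hypothetical names: the "example" package, ExampleGlobalConfig and its fields.
package example;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.Extension;
import hudson.Util;
import hudson.security.ACL;
import hudson.util.Secret;
import java.util.Collections;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import net.sf.json.JSONObject;
import org.jenkinsci.plugins.plaincredentials.StringCredentials;
import org.kohsuke.stapler.StaplerRequest;

@Extension
public class ExampleGlobalConfig extends GlobalConfiguration {

    // BEFORE (the bug reported in this issue): a plain String field is
    // serialized to the global config.xml as-is and echoed back into the
    // configuration form, so anyone who can view the page or the XML reads it.
    //   private String token;

    // SHORT FIX: hudson.util.Secret is serialized in its encrypted form, and a
    // matching <f:password field="token"/> in global.jelly posts the encrypted
    // value back on an unchanged form rather than the plaintext.
    private Secret token;

    // BETTER FIX: persist only the id of a StringCredentials entry managed by
    // the credentials plugin, chosen through the credentials select widget
    // (<c:select/> from the /lib/credentials tag library) in the form.
    private String tokenCredentialId;

    public ExampleGlobalConfig() {
        load(); // rehydrate fields from $JENKINS_HOME/example.ExampleGlobalConfig.xml
    }

    // Jelly reads these through ${instance.token} / ${instance.tokenCredentialId}.
    public Secret getToken() { return token; }
    public String getTokenCredentialId() { return tokenCredentialId; }

    @Override
    public boolean configure(StaplerRequest req, JSONObject json) {
        // Secret.fromString() accepts either an already-encrypted value (what
        // the password field submits when the admin did not retype it) or fresh
        // plaintext; in both cases only the encrypted form reaches disk via save().
        token = Secret.fromString(json.optString("token"));
        tokenCredentialId = Util.fixEmptyAndTrim(json.optString("tokenCredentialId"));
        save();
        return true;
    }

    /**
     * Resolve the token at the moment it is needed (just before the HTTP call
     * to Slack), so no plaintext copy is kept in a field or in config.xml.
     * Returns null when nothing usable is configured.
     */
    public Secret resolveToken() {
        if (tokenCredentialId != null) {
            StringCredentials c = CredentialsMatchers.firstOrNull(
                    CredentialsProvider.lookupCredentials(
                            StringCredentials.class,
                            Jenkins.getInstance(),
                            ACL.SYSTEM,
                            Collections.<DomainRequirement>emptyList()),
                    CredentialsMatchers.withId(tokenCredentialId));
            if (c != null) {
                return c.getSecret();
            }
        }
        // Legacy inline value, for installations that have not migrated yet.
        return token;
    }
}
```

            The matching form entries in `global.jelly` would be `<f:entry title="Token" field="token"><f:password/></f:entry>` for the short fix and `<f:entry title="Token credential" field="tokenCredentialId"><c:select/></f:entry>` for the credentials-based one. The caller should unwrap the returned `Secret` with `getPlainText()` only when building the outbound request and never write that value to a log or a build variable; the point of both fixes is that the plaintext is neither persisted nor displayed.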
            kmadel Kurt Madel added a comment -

            There is a PR to integrate with credentials but still a bit of work to do.

            kmadel Kurt Madel added a comment -

            One more note, in regards to the Pipeline step - you may use the withCredentials wrapper - see https://jenkins.io/doc/pipeline/steps/credentials-binding/#withcredentials-bind-credentials-to-variables

            jglick Jesse Glick added a comment -

            Do not use withCredentials for this purpose as the argument will temporarily be in plaintext, which could lead to vulnerabilities depending on circumstances.

            kmadel Kurt Madel added a comment -

            See https://github.com/jenkinsci/slack-plugin/pull/247 for initial fix. Still allows users to expose auth token but provides highly visible warning.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Kurt Madel
            Path:
            README.md
            pom.xml
            src/main/java/jenkins/plugins/slack/SlackNotifier.java
            src/main/java/jenkins/plugins/slack/StandardSlackService.java
            src/main/java/jenkins/plugins/slack/workflow/SlackSendStep.java
            src/main/resources/jenkins/plugins/slack/SlackNotifier/config.jelly
            src/main/resources/jenkins/plugins/slack/SlackNotifier/global.jelly
            src/main/resources/jenkins/plugins/slack/workflow/SlackSendStep/config.jelly
            src/main/resources/jenkins/plugins/slack/workflow/SlackSendStep/help-tokenCredentialId.html
            src/main/webapp/help-globalConfig-tokenCredentialId.html
            src/main/webapp/help-projectConfig-slackTokenCredentialId.html
            src/test/java/jenkins/plugins/slack/SlackNotifierStub.java
            src/test/java/jenkins/plugins/slack/SlackNotifierTest.java
            src/test/java/jenkins/plugins/slack/StandardSlackServiceStub.java
            src/test/java/jenkins/plugins/slack/StandardSlackServiceTest.java
            src/test/java/jenkins/plugins/slack/workflow/SlackSendStepIntegrationTest.java
            src/test/java/jenkins/plugins/slack/workflow/SlackSendStepTest.java
            http://jenkins-ci.org/commit/slack-plugin/40a0ac49e279fb2956f349143725023baaf10cca
            Log:
            Merge pull request #247 from kmadel/pr-208

            Add Credentials Support with credentials select widget JENKINS-35503

            Compare: https://github.com/jenkinsci/slack-plugin/compare/e568a98e4fbe...40a0ac49e279

            kmadel Kurt Madel added a comment -

            slack 2.1


              People

              Assignee:
              kmadel Kurt Madel
              Reporter:
              dom Dominic Hargreaves
              Votes:
              0
              Watchers:
              4
