[JENKINS-35503] Slack plugin reveals integration token - Jenkins Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Component/s: slack-plugin
Labels:
- security

Similar Issues:

Show

Description

The Slack plugin reveals the integration token in the global configuration. In environments when many people have access to view the global configuration, this presents a security vulnerability since the token appears to give access to quite a bit of the Slack instance (though it's not entirely clear where that's configured).

Attachments

Issue Links

links to

CloudBees Internal OSS-1367

Activity

Ascending order - Click to sort in descending order

Dominic Hargreaves created issue - 2016-06-09 15:22

Dominic Hargreaves made changes - 2016-06-16 16:08

Field	Original Value	New Value
Description	The Slack plugin reveals the integration token in the global configuration. In environments when many people have access to view the global configuration, this presents a security vulnerability since the token gives access to the	The Slack plugin reveals the integration token in the global configuration. In environments when many people have access to view the global configuration, this presents a security vulnerability since the token appears to give access to quite a bit of the Slack instance (though it's not entirely clear where that's configured).

R. Tyler Croy made changes - 2016-07-25 23:52

Workflow

JNJira [ 171807 ]

JNJira + In-Review [ 184485 ]

Jesse Glick made changes - 2016-08-24 16:08

Labels

security

Jesse Glick added a comment - 2016-08-24 16:13

SlackNotifier.DescriptorImpl.token, SlackNotifier.authToken, and SlackSendStep.token store what appears to be an authentication token in plaintext. This is a serious bug.

The short fix is to change SlackNotifier.DescriptorImpl.token to use Secret and f:password, delete SlackSendStep.token (without ~~JENKINS-27386~~ there is no safe way to use it), and preferably delete SlackNotifier.authToken as well.

The better fix is to update the plugin to use the credentials API and thus store only String credentialsId (cf. JENKINS-27398 for the case of SlackSendStep).

Jesse Glick added a comment - 2016-08-24 16:13 SlackNotifier.DescriptorImpl.token , SlackNotifier.authToken , and SlackSendStep.token store what appears to be an authentication token in plaintext. This is a serious bug. The short fix is to change SlackNotifier.DescriptorImpl.token to use Secret and f:password , delete SlackSendStep.token (without JENKINS-27386 there is no safe way to use it), and preferably delete SlackNotifier.authToken as well. The better fix is to update the plugin to use the credentials API and thus store only String credentialsId (cf. JENKINS-27398 for the case of SlackSendStep ).

Jesse Glick made changes - 2016-08-24 16:13

Priority

Minor [ 4 ]

Critical [ 2 ]

Kurt Madel added a comment - 2016-08-24 16:17

There is a PR to integrate with credentials but still a bit of work to do.

Kurt Madel added a comment - 2016-08-24 16:17 There is a PR to integrate with credentials but still a bit of work to do.

Kurt Madel added a comment - 2016-08-24 16:20

One more note, in regards to the Pipeline step - you may use the

withCredentials

wrapper - see https://jenkins.io/doc/pipeline/steps/credentials-binding/#withcredentials-bind-credentials-to-variables

Kurt Madel added a comment - 2016-08-24 16:20 One more note, in regards to the Pipeline step - you may use the withCredentials wrapper - see https://jenkins.io/doc/pipeline/steps/credentials-binding/#withcredentials-bind-credentials-to-variables

Jesse Glick added a comment - 2016-08-25 15:47

Do not use withCredentials for this purpose as the argument will temporarily be in plaintext, which could lead to vulnerabilities depending on circumstances.

Jesse Glick added a comment - 2016-08-25 15:47 Do not use withCredentials for this purpose as the argument will temporarily be in plaintext, which could lead to vulnerabilities depending on circumstances.

Kurt Madel added a comment - 2016-09-10 12:15

See https://github.com/jenkinsci/slack-plugin/pull/247 for initial fix. Still allows users to expose auth token but provides highly visible warning.

Kurt Madel added a comment - 2016-09-10 12:15 See https://github.com/jenkinsci/slack-plugin/pull/247 for initial fix. Still allows users to expose auth token but provides highly visible warning.

SCM/JIRA link daemon added a comment - 2016-10-26 11:58

Code changed in jenkins
User: Kurt Madel
Path:
README.md
pom.xml
src/main/java/jenkins/plugins/slack/SlackNotifier.java
src/main/java/jenkins/plugins/slack/StandardSlackService.java
src/main/java/jenkins/plugins/slack/workflow/SlackSendStep.java
src/main/resources/jenkins/plugins/slack/SlackNotifier/config.jelly
src/main/resources/jenkins/plugins/slack/SlackNotifier/global.jelly
src/main/resources/jenkins/plugins/slack/workflow/SlackSendStep/config.jelly
src/main/resources/jenkins/plugins/slack/workflow/SlackSendStep/help-tokenCredentialId.html
src/main/webapp/help-globalConfig-tokenCredentialId.html
src/main/webapp/help-projectConfig-slackTokenCredentialId.html
src/test/java/jenkins/plugins/slack/SlackNotifierStub.java
src/test/java/jenkins/plugins/slack/SlackNotifierTest.java
src/test/java/jenkins/plugins/slack/StandardSlackServiceStub.java
src/test/java/jenkins/plugins/slack/StandardSlackServiceTest.java
src/test/java/jenkins/plugins/slack/workflow/SlackSendStepIntegrationTest.java
src/test/java/jenkins/plugins/slack/workflow/SlackSendStepTest.java
http://jenkins-ci.org/commit/slack-plugin/40a0ac49e279fb2956f349143725023baaf10cca
Log:
Merge pull request #247 from kmadel/pr-208

Add Credentials Support with credentials select widget ~~JENKINS-35503~~

Compare: https://github.com/jenkinsci/slack-plugin/compare/e568a98e4fbe...40a0ac49e279

SCM/JIRA link daemon added a comment - 2016-10-26 11:58 Code changed in jenkins User: Kurt Madel Path: README.md pom.xml src/main/java/jenkins/plugins/slack/SlackNotifier.java src/main/java/jenkins/plugins/slack/StandardSlackService.java src/main/java/jenkins/plugins/slack/workflow/SlackSendStep.java src/main/resources/jenkins/plugins/slack/SlackNotifier/config.jelly src/main/resources/jenkins/plugins/slack/SlackNotifier/global.jelly src/main/resources/jenkins/plugins/slack/workflow/SlackSendStep/config.jelly src/main/resources/jenkins/plugins/slack/workflow/SlackSendStep/help-tokenCredentialId.html src/main/webapp/help-globalConfig-tokenCredentialId.html src/main/webapp/help-projectConfig-slackTokenCredentialId.html src/test/java/jenkins/plugins/slack/SlackNotifierStub.java src/test/java/jenkins/plugins/slack/SlackNotifierTest.java src/test/java/jenkins/plugins/slack/StandardSlackServiceStub.java src/test/java/jenkins/plugins/slack/StandardSlackServiceTest.java src/test/java/jenkins/plugins/slack/workflow/SlackSendStepIntegrationTest.java src/test/java/jenkins/plugins/slack/workflow/SlackSendStepTest.java http://jenkins-ci.org/commit/slack-plugin/40a0ac49e279fb2956f349143725023baaf10cca Log: Merge pull request #247 from kmadel/pr-208 Add Credentials Support with credentials select widget JENKINS-35503 Compare: https://github.com/jenkinsci/slack-plugin/compare/e568a98e4fbe...40a0ac49e279

Kurt Madel added a comment - 2016-11-19 14:48

slack 2.1

Kurt Madel added a comment - 2016-11-19 14:48 slack 2.1

Kurt Madel made changes - 2016-11-19 14:48

Resolution		Fixed [ 1 ]
Status	Open [ 1 ]	Resolved [ 5 ]

Kurt Madel made changes - 2016-11-19 14:48

Status

Resolved [ 5 ]

Closed [ 6 ]

CloudBees Inc. made changes - 2017-12-05 05:46

Remote Link

This issue links to "CloudBees Internal OSS-1367 (Web Link)" [ 18727 ]

People

Assignee:: Kurt Madel

Reporter:: Dominic Hargreaves

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2016-06-09 15:22

Updated:: 2017-12-05 05:46

Resolved:: 2016-11-19 14:48