Jenkins / JENKINS-36476

Default value for Password Parameter is not extracted for users without Configure Permission


    Details


      Description

      If a default value is specified for a Password Parameter in a job, Jenkins is only able to use the default value when the user executing the job has Configure rights to the job. If the user has only Build access, Jenkins will fail to use the default value and instead send "****".

      Steps to reproduce:

      1. Create a job in 1.651.2 with a Password Parameter that has a default value.
      2. Execute the job as a user who does not have Configure access to the job (maybe Read or Extended Read).
      3. Try to echo the parameter's value or save it to a file.
      4. Jenkins will send **** instead of the actual value

      This occurs without using Mask Password Plugin, meaning Jenkins is not masking the password but actually sending **** as the value.

      I believe that Jenkins is not able to properly extract the default password from Secret because of SECURITY-266: "Users with extended read access could access encrypted secrets stored directly in the configuration of those items."

      Note that people upgrading from 1.642 with already-configured Password Parameter jobs will have issues upgrading to 1.651.
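As an added example (not part of this issue and not Jenkins' own code), a POSIX shell build-step guard for the failure mode described above: it treats the literal `****` placeholder, and an empty value, as an unusable Password Parameter and fails the step before the value is echoed, written to a file or passed downstream. The parameter name and the sample values are constructed.

```shell
#!/bin/sh
# Added example: guard a Password Parameter against the JENKINS-36476 symptom,
# where a build run by a user without Configure permission receives the
# literal string "****" instead of the configured default value.

# Returns 0 when the value can be used as a secret, 1 when it is empty or is
# the "****" placeholder Jenkins sent instead of the real default.
param_is_usable() {
  case "$1" in
    "")     return 1 ;;   # parameter not set at all
    "****") return 1 ;;   # masking placeholder, not the default value
    *)      return 0 ;;
  esac
}

# Checks the parameter named $1 whose value is $2. Prints only a redacted
# diagnostic (never the value) and returns non-zero so the step fails fast.
require_password_param() {
  name="$1"
  value="$2"
  if param_is_usable "$value"; then
    echo "parameter $name: usable (value redacted)"
    return 0
  fi
  echo "parameter $name: empty or '****'; default not resolved, see JENKINS-36476" >&2
  return 1
}

# Constructed sample values standing in for the environment variable Jenkins
# injects for the parameter (in a job this would be e.g. "$DEPLOY_PASSWORD").
sample_resolved="example-secret-value"
sample_masked="****"

# Typical use at the top of a build step:
#   require_password_param DEPLOY_PASSWORD "$DEPLOY_PASSWORD" || exit 1
```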

        Attachments

          Issue Links

            Activity

            issc29 Isaac Cohen created issue -
            danielbeck Daniel Beck made changes -
            Field Original Value New Value
            Labels regression
            danielbeck Daniel Beck made changes -
            Link This issue is related to SECURITY-266 [ SECURITY-266 ]
            jglick Jesse Glick made changes -
            Component/s security [ 15508 ]
            jglick Jesse Glick made changes -
            Labels regression parameter password regression security
            jglick Jesse Glick made changes -
            Assignee Jesse Glick [ jglick ]
            jglick Jesse Glick made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            jglick Jesse Glick added a comment -

            I think the problem is that PasswordParameterDefinition/index.jelly uses f:password, which blocks passwords for users lacking Item.CONFIGURE as part of the fix of SECURITY-266. But that defense was intended for form fragments shown in a job configuration screen. When you define a PasswordParameterDefinition.defaultValue, you actually expect that the secret will be exposed to anyone with Item.BUILD. Or perhaps you do not necessarily wish to show them the secret, but wish them to be allowed to use it in the context of a build.

            jglick Jesse Glick made changes -
            Link This issue relates to SECURITY-93 [ SECURITY-93 ]
            jglick Jesse Glick made changes -
            Link This issue relates to SECURITY-138 [ SECURITY-138 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "PR 2454 (Web Link)" [ 14626 ]
            jglick Jesse Glick made changes -
            Labels parameter password regression security lts-candidate parameter password regression security
            danielbeck Daniel Beck added a comment -

            Scheduled for release in the next weekly.

            danielbeck Daniel Beck made changes -
            Resolution Fixed [ 1 ]
            Status In Progress [ 3 ] Resolved [ 5 ]
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 173186 ] JNJira + In-Review [ 199406 ]
            olivergondza Oliver Gondža made changes -
            Labels lts-candidate parameter password regression security 2.7.3-fixed parameter password regression security
            cloudbees CloudBees Inc. made changes -
            Remote Link This issue links to "CloudBees Internal OSS-1150 (Web Link)" [ 18763 ]

              People

              Assignee:
              jglick Jesse Glick
              Reporter:
              issc29 Isaac Cohen