Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-42556

PlaceholderTask.runForDisplay vulnerable to AccessDeniedException

      Resuming build at ... after Jenkins restart
      [Pipeline] End of Pipeline
      java.io.IOException: Failed to load build state
      	at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution$3.onSuccess(CpsFlowExecution.java:610)
      	at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution$3.onSuccess(CpsFlowExecution.java:608)
      	at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution$4$1.run(CpsFlowExecution.java:651)
      	at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$1.run(CpsVmExecutorService.java:35)
      	at ...
      Caused by: org.acegisecurity.AccessDeniedException: Please login to access job ...
      	at jenkins.model.Jenkins.getItem(Jenkins.java:2724)
      	at jenkins.model.Jenkins.getItem(Jenkins.java:324)
      	at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830)
      	at hudson.model.Run.fromExternalizableId(Run.java:2314)
      	at org.jenkinsci.plugins.workflow.support.steps.ExecutorStepExecution$PlaceholderTask.runForDisplay(ExecutorStepExecution.java:385)
      	at org.jenkinsci.plugins.workflow.support.steps.ExecutorStepExecution$PlaceholderTask.getDisplayName(ExecutorStepExecution.java:398)
      	at org.jenkinsci.plugins.workflow.support.steps.ExecutorStepExecution$PlaceholderTask.getFullDisplayName(ExecutorStepExecution.java:407)
      	at org.jenkinsci.plugins.workflow.support.pickles.ExecutorPickle$1.printWaitingMessage(ExecutorPickle.java:116)
      	at org.jenkinsci.plugins.workflow.support.pickles.TryRepeatedly$1.run(TryRepeatedly.java:95)
      	at ...
      

      Presumably there is no anonymous read access, and the Timer thread used by TryRepeatedly neglected to impersonate SYSTEM.

          [JENKINS-42556] PlaceholderTask.runForDisplay vulnerable to AccessDeniedException

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/src/main/java/hudson/model/Queue.java
          http://jenkins-ci.org/commit/jenkins/13d85fb805161a94e45d4ac485fb3a84d2c72e1a
          Log:
          Merge pull request #2791 from jglick/Queue-logging-JENKINS-42556

          JENKINS-42556 Improved logging for Queue

          Compare: https://github.com/jenkinsci/jenkins/compare/ea724ab13dd3...13d85fb80516

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Daniel Beck Path: core/src/main/java/hudson/model/Queue.java http://jenkins-ci.org/commit/jenkins/13d85fb805161a94e45d4ac485fb3a84d2c72e1a Log: Merge pull request #2791 from jglick/Queue-logging- JENKINS-42556 JENKINS-42556 Improved logging for Queue Compare: https://github.com/jenkinsci/jenkins/compare/ea724ab13dd3...13d85fb80516

          Code changed in jenkins
          User: Jesse Glick
          Path:
          src/main/java/org/jenkinsci/plugins/workflow/support/pickles/TryRepeatedly.java
          http://jenkins-ci.org/commit/workflow-support-plugin/3c076a7c93717ee7d819eeda82dd91f1be099bde
          Log:
          JENKINS-42556 Handle runtime exceptions from printWaitingMessage.

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: src/main/java/org/jenkinsci/plugins/workflow/support/pickles/TryRepeatedly.java http://jenkins-ci.org/commit/workflow-support-plugin/3c076a7c93717ee7d819eeda82dd91f1be099bde Log: JENKINS-42556 Handle runtime exceptions from printWaitingMessage.

          Code changed in jenkins
          User: Jesse Glick
          Path:
          src/main/java/org/jenkinsci/plugins/workflow/support/pickles/TryRepeatedly.java
          http://jenkins-ci.org/commit/workflow-support-plugin/494446bf5962ff41726818224312079876c2cc70
          Log:
          Merge pull request #32 from jglick/TryRepeatedly-anonDiscover-JENKINS-42556

          JENKINS-42556 Handle runtime exceptions from printWaitingMessage

          Compare: https://github.com/jenkinsci/workflow-support-plugin/compare/6fce277ac978...494446bf5962

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: src/main/java/org/jenkinsci/plugins/workflow/support/pickles/TryRepeatedly.java http://jenkins-ci.org/commit/workflow-support-plugin/494446bf5962ff41726818224312079876c2cc70 Log: Merge pull request #32 from jglick/TryRepeatedly-anonDiscover- JENKINS-42556 JENKINS-42556 Handle runtime exceptions from printWaitingMessage Compare: https://github.com/jenkinsci/workflow-support-plugin/compare/6fce277ac978...494446bf5962

          Code changed in jenkins
          User: Jesse Glick
          Path:
          core/src/main/java/jenkins/security/ImpersonatingExecutorService.java
          core/src/main/java/jenkins/security/ImpersonatingScheduledExecutorService.java
          core/src/main/java/jenkins/util/AtmostOneTaskExecutor.java
          core/src/main/java/jenkins/util/InterceptingScheduledExecutorService.java
          core/src/main/java/jenkins/util/Timer.java
          http://jenkins-ci.org/commit/jenkins/3f41d563b2d619d892e483055cc3d8f511d11dc1
          Log:
          JENKINS-42556 Run more system threads as SYSTEM.

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: core/src/main/java/jenkins/security/ImpersonatingExecutorService.java core/src/main/java/jenkins/security/ImpersonatingScheduledExecutorService.java core/src/main/java/jenkins/util/AtmostOneTaskExecutor.java core/src/main/java/jenkins/util/InterceptingScheduledExecutorService.java core/src/main/java/jenkins/util/Timer.java http://jenkins-ci.org/commit/jenkins/3f41d563b2d619d892e483055cc3d8f511d11dc1 Log: JENKINS-42556 Run more system threads as SYSTEM.

          Code changed in jenkins
          User: Jesse Glick
          Path:
          core/src/main/java/jenkins/security/ImpersonatingExecutorService.java
          core/src/main/java/jenkins/security/ImpersonatingScheduledExecutorService.java
          core/src/main/java/jenkins/util/AtmostOneTaskExecutor.java
          core/src/main/java/jenkins/util/InterceptingScheduledExecutorService.java
          core/src/main/java/jenkins/util/Timer.java
          http://jenkins-ci.org/commit/jenkins/dd0d578cb07084366ab4d1a1efdeb1fe39d14688
          Log:
          Merge pull request #2792 from jglick/SYSTEM-JENKINS-42556

          JENKINS-42556 Run more system threads as SYSTEM

          Compare: https://github.com/jenkinsci/jenkins/compare/12a4177af17f...dd0d578cb070

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: core/src/main/java/jenkins/security/ImpersonatingExecutorService.java core/src/main/java/jenkins/security/ImpersonatingScheduledExecutorService.java core/src/main/java/jenkins/util/AtmostOneTaskExecutor.java core/src/main/java/jenkins/util/InterceptingScheduledExecutorService.java core/src/main/java/jenkins/util/Timer.java http://jenkins-ci.org/commit/jenkins/dd0d578cb07084366ab4d1a1efdeb1fe39d14688 Log: Merge pull request #2792 from jglick/SYSTEM- JENKINS-42556 JENKINS-42556 Run more system threads as SYSTEM Compare: https://github.com/jenkinsci/jenkins/compare/12a4177af17f...dd0d578cb070

          Code changed in jenkins
          User: Jesse Glick
          Path:
          core/src/main/java/jenkins/security/ImpersonatingExecutorService.java
          core/src/main/java/jenkins/security/ImpersonatingScheduledExecutorService.java
          core/src/main/java/jenkins/util/InterceptingScheduledExecutorService.java
          http://jenkins-ci.org/commit/jenkins/98bb78ff1891bb85471a089977066c4b4a11b261
          Log:
          JENKINS-42556 Updating since tags for #2792.

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: core/src/main/java/jenkins/security/ImpersonatingExecutorService.java core/src/main/java/jenkins/security/ImpersonatingScheduledExecutorService.java core/src/main/java/jenkins/util/InterceptingScheduledExecutorService.java http://jenkins-ci.org/commit/jenkins/98bb78ff1891bb85471a089977066c4b4a11b261 Log: JENKINS-42556 Updating since tags for #2792.

          Daniel Beck added a comment -

          jglick Is this a useful LTS candidate?

          Daniel Beck added a comment - jglick Is this a useful LTS candidate?

          Jesse Glick added a comment -

          Well…it is relatively risky, and this particular bug symptom has an independent workaround, so I am not sure I would recommend it for backport.

          Jesse Glick added a comment - Well…it is relatively risky, and this particular bug symptom has an independent workaround, so I am not sure I would recommend it for backport.

          Daniel Beck added a comment -

          Not an LTS candidate then.

          Daniel Beck added a comment - Not an LTS candidate then.

          Jesse Glick added a comment -

          Found another effect of this. On 2.46.x (prior to this fix), a Pipeline virtual thread dump like /job/…/…/threadDump/ will show, e.g.,

          Thread #…
          	at DSL.node(node block appears to be neither running nor scheduled)
          	at WorkflowScript.run(WorkflowScript:…)
          

          when there is a node block waiting in queue but the system has no anonymous read access. This is because ExecutorStepExecution.getStatus checks Queue.getItems, which as of SECURITY-186 is a permission-controlled call, which would in fact work if called under the authentication of the user looking at the thread dump (who presumably has READ on that job); yet StepExecution.getStatusBounded runs inside Timer, thus as anonymous.

          Jesse Glick added a comment - Found another effect of this. On 2.46.x (prior to this fix), a Pipeline virtual thread dump like /job/…/…/threadDump/ will show, e.g., Thread #… at DSL.node(node block appears to be neither running nor scheduled) at WorkflowScript.run(WorkflowScript:…) when there is a node block waiting in queue but the system has no anonymous read access. This is because ExecutorStepExecution.getStatus checks Queue.getItems , which as of SECURITY-186 is a permission-controlled call, which would in fact work if called under the authentication of the user looking at the thread dump (who presumably has READ on that job); yet StepExecution.getStatusBounded runs inside Timer , thus as anonymous.

            jglick Jesse Glick
            jglick Jesse Glick
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: