    • Type: Improvement
    • Resolution: Fixed
    • Priority: Minor
    • Component: support-core-plugin

      There are currently three support bundle components that use SecretHandler#findSecrets, which uses a standard XML transformer that does not protect against XXE attacks: ConfigFileComponent, AgentsConfigFile, and OtherConfigFilesComponent.

      ConfigFileComponent and AgentsConfigFile process files controlled by Jenkins core, and there is no way for a non-admin to modify the contents of the files they process except through XStream, which prevents XXE attacks.

      OtherConfigFilesComponent includes all files in $JENKINS_HOME that end with .xml except for credentials.xml and config.xml. If a plugin allows non-admin users to directly change the contents of a file (not using XStream) that ends with .xml in $JENKINS_HOME then that would allow an attacker to store an XXE attack for later execution when an admin generates a bundle that includes the OtherConfigFilesComponent.

      Any plugin that gives non-admin users unrestricted access to a file in Jenkins home is likely a problem by itself, and only admins can install plugins, so I don't consider this to be a problem in practice. Even so, it is easy enough to harden the plugin against this type of issue just in case.
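      The following is an added example, not code from the support-core plugin or from this pull request. It shows the two sides of the issue described above: a default JAXP DocumentBuilder accepting a DOCTYPE and expanding the entity it declares, beside a DocumentBuilderFactory and TransformerFactory configured so that a DOCTYPE is rejected outright and no external DTD, entity or stylesheet is ever fetched. The class name, method names and the sample XML are constructed for this example; the sample uses an internal entity so it runs offline, but the default parser would resolve a SYSTEM entity in exactly the same way.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;

import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/**
 * Added example (not the support-core plugin's own code): a DOCTYPE-carrying
 * config file parsed with default JAXP settings versus a parser hardened
 * against XXE. Class name, method names and sample XML are constructed.
 */
public class XxeHardeningDemo {

    // Constructed sample: the shape of a plugin config file that a hostile
    // writer could drop into $JENKINS_HOME. The entity is internal so the demo
    // runs offline; the default parser resolves a SYSTEM entity the same way.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE config [ <!ENTITY leak \"entity-was-expanded\"> ]>\n"
      + "<config><password>&leak;</password></config>\n";

    /** Default JAXP settings: DOCTYPE accepted, entities resolved and expanded. */
    static DocumentBuilder defaultParser() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened settings: reject any DOCTYPE, never fetch external entities or DTDs. */
    static DocumentBuilder hardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // The single most effective switch: no DOCTYPE means no entity declarations at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that do not honour the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** Hardened serializer: forbid external DTD and stylesheet access during transformation. */
    static Transformer hardenedTransformer() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf.newTransformer();
    }

    /** Returns the text of the <password> element as the given parser sees it. */
    static String passwordText(DocumentBuilder parser, String xml) throws Exception {
        Document doc = parser.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName("password").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Default parser: the entity is expanded, so attacker-declared content
        // ends up in the document (and, in a support bundle, in the output file).
        System.out.println("default parser : " + passwordText(defaultParser(), UNTRUSTED_XML));

        // Hardened parser: the DOCTYPE itself is rejected before any entity is resolved.
        try {
            passwordText(hardenedParser(), UNTRUSTED_XML);
            System.out.println("hardened parser: unexpectedly accepted the document");
        } catch (SAXParseException e) {
            System.out.println("hardened parser: rejected -> " + e.getMessage());
        }

        // A clean document still round-trips through the hardened parser and transformer.
        String clean = "<config><password>redacted</password></config>";
        Document doc = hardenedParser().parse(
                new ByteArrayInputStream(clean.getBytes(StandardCharsets.UTF_8)));
        StringWriter out = new StringWriter();
        hardenedTransformer().transform(new DOMSource(doc), new StreamResult(out));
        System.out.println("serialized     : " + out);
    }
}
```

      Rejecting the DOCTYPE is the check that matters for a bundle component reading arbitrary `.xml` files from `$JENKINS_HOME`, because no legitimate Jenkins or plugin configuration file needs one; the remaining feature flags only matter if the JAXP implementation in use ignores `disallow-doctype-decl`. The `ACCESS_EXTERNAL_DTD` and `ACCESS_EXTERNAL_STYLESHEET` attributes are JAXP 1.5 settings and may throw `IllegalArgumentException` on a third-party TransformerFactory that predates them.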

          [JENKINS-50765] Harden support-core against XXE attacks

          Devin Nusbaum created issue -
          Devin Nusbaum made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Devin Nusbaum made changes -
          Status Original: In Progress [ 3 ] New: In Review [ 10005 ]
          Devin Nusbaum made changes -
          Link New: This issue is duplicated by SECURITY-448 [ SECURITY-448 ]
          Devin Nusbaum made changes -
          Remote Link New: This issue links to "jenkinsci/support-core-plugin#141 (Web Link)" [ 20413 ]

          Code changed in jenkins
          User: Devin Nusbaum
          Path:
          src/main/java/com/cloudbees/jenkins/support/configfiles/SecretHandler.java
          src/test/java/com/cloudbees/jenkins/support/configfiles/SecretHandlerTest.java
          http://jenkins-ci.org/commit/support-core-plugin/59261ba0355b403f42e6a8f205f87a6d5758d3d9
          Log:
          Merge pull request #141 from dwnusbaum/harden-against-xxe

          JENKINS-50765 Defend SecretHandler from XXE attacks

          Compare: https://github.com/jenkinsci/support-core-plugin/compare/132c99f32b29...59261ba0355b


          Devin Nusbaum added a comment -

          Released in 2.47. See the changelog.

          Devin Nusbaum made changes -
          Resolution New: Fixed [ 1 ]
          Status Original: In Review [ 10005 ] New: Resolved [ 5 ]
          James Dumay made changes -
          Remote Link New: This issue links to "CloudBees Internal OSS-2691 (Web Link)" [ 20534 ]
          Arnaud Héritier made changes -
          Status Original: Resolved [ 5 ] New: Closed [ 6 ]

            dnusbaum Devin Nusbaum
            dnusbaum Devin Nusbaum
            Votes: 0
            Watchers: 2
