Jenkins / JENKINS-55557

Support oAuth2.0 state parameter

Description

The current implementation does not support the `state` parameter in the OAuth2 authorization request it sends to the GitHub AS when attempting to authorize the plugin for a user. As such, it is vulnerable to CSRF attacks against the redirect URI as described in [1].

The state parameter is supported by the GitHub API [2], so support could be added in the github-oauth-plugin also.

      [1] https://tools.ietf.org/html/rfc6819#section-4.4.1.8
      [2] https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/#web-application-flow
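The mitigation the report asks for, shown as an added example that is not the plugin's code: a client mints an unguessable `state`, binds it to the user's server-side session when it builds the authorization request, and on the callback accepts the authorization code only if the echoed `state` matches and has not been used before. Everything here is constructed for illustration: the GitHub authorize endpoint is the one documented in [2], but the client id, the `jenkins.example` redirect URI and the `STATE_SESSION_KEY` name are assumptions, and the `session` argument stands in for whatever per-browser server-side store the application actually has.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Authorization endpoint from the GitHub web-application flow [2].
GITHUB_AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
# Assumed key under which the pending state is kept in the server-side session.
STATE_SESSION_KEY = "oauth_state"


class StateMismatch(Exception):
    """The callback's state is absent, already used, or not the one bound to this session."""


def build_authorize_url(session: dict, client_id: str, redirect_uri: str,
                        scope: str = "read:user") -> str:
    """Start the flow: mint a fresh state, bind it to the caller's session,
    and include it in the authorization request sent to the AS."""
    state = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG; not guessable
    session[STATE_SESSION_KEY] = state     # tied to this browser session only
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{GITHUB_AUTHORIZE_URL}?{urlencode(params)}"


def extract_state(url: str) -> str:
    """Return the state query parameter of a URL, or '' if absent."""
    return parse_qs(urlparse(url).query).get("state", [""])[0]


def handle_callback(session: dict, callback_url: str) -> str:
    """Finish the flow: hand back the authorization code only if the state
    echoed by the AS equals the one stored for this session. The stored
    state is consumed on first use, so a captured callback cannot be replayed
    and a callback arriving in a session that never started a flow is rejected."""
    returned_state = extract_state(callback_url)
    expected_state = session.pop(STATE_SESSION_KEY, None)
    if expected_state is None or not returned_state:
        raise StateMismatch("no pending state for this session; discarding callback")
    # Constant-time comparison so the check leaks nothing about the stored value.
    if not hmac.compare_digest(expected_state, returned_state):
        raise StateMismatch("state does not match this session; possible CSRF")
    code = parse_qs(urlparse(callback_url).query).get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


if __name__ == "__main__":
    # Constructed walk-through: one honest flow, then a forged callback.
    sess = {}
    url = build_authorize_url(sess, "example-client-id",
                              "https://jenkins.example/securityRealm/finishLogin")
    print("redirect user to:", url)
    good = f"https://jenkins.example/securityRealm/finishLogin?code=c0de&state={extract_state(url)}"
    print("accepted code:", handle_callback(sess, good))
    try:
        handle_callback(sess, good)   # replay: state already consumed
    except StateMismatch as exc:
        print("rejected replay:", exc)
```

The point a reviewer of the plugin fix would check is the last part: the callback must be rejected both when the state differs and when the session has no pending state at all, otherwise an attacker-initiated callback landing in a fresh session is still accepted.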

Activity

ikakavas Ioannis Kakavas added a comment -

I opened https://github.com/jenkinsci/github-oauth-plugin/pull/107 to resolve this issue.
sag47 Sam Gleske added a comment -

Resolving as fixed in 0.33 (originally attempted rolling out 0.32 but it had critical authorization bugs).

In the future, please do not disclose security vulnerabilities like this in the public issue tracker. Responsibly disclose by following https://jenkins.io/security/
sag47 Sam Gleske added a comment - edited

Thanks for the fix.

            People

            Assignee:
            sag47 Sam Gleske
            Reporter:
            ikakavas Ioannis Kakavas