  1. Jenkins
  2. JENKINS-55659

Tool downloads are vulnerable to tampering

      Description

      List of references to external tools on update site are neither signed nor hashed. This makes the tools installer vulnerable to tampering. First, content should be signed to prevent malicious third parties from modifying it and redirecting Jenkins to download from unknown sources. Contents of URLs should also be hashed to prevent malicious modifications at download source.

          Activity

          danielbeck Daniel Beck added a comment -

          > List of references to external tools on update site are neither signed nor hashed. This makes the tools installer vulnerable to tampering. First, content should be signed to prevent malicious third parties from modifying it and redirecting Jenkins to download from unknown sources.

          You're describing how it works today. In fact, INFRA-1944 demonstrates that Jenkins cares a lot about the signatures.

          > Contents of URLs should also be hashed to prevent malicious modifications at download source.

          Reasonable RFE. Likely not possible to do in core, but rather up to individual implementations.

          danielbeck Daniel Beck added a comment -

          Notably, a while back we moved all possible URLs to HTTPS to further limit problems. Since we're not actually providing the binaries ourselves, providing content hashes seems to invite problems in case they're ever (legitimately) changed.

          skorhone Sami Korhonen added a comment - - edited

          Is there an API in Jenkins that plugins are using to download tools? If so, would it be possible to add a feature similar to scripts (script security)? Having administrators approve tool installs and checksums might not be such a bad idea.

          danielbeck Daniel Beck added a comment -

          If you don't trust the publicly provided installer URLs, don't configure them. You can always use the "Download and extract a zip file" installer at a location you control.
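The administrator-approved checksums suggested in this thread, including the case raised above where an upstream binary legitimately changes, can be illustrated as follows. This is an added example, not part of the issue thread and not Jenkins code; `ToolApprovals`, the URL and the archive bytes are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class ToolApprovals:
    """Hypothetical store of admin-approved SHA-256 digests per download URL."""
    approved: dict = field(default_factory=dict)  # url -> set of approved hex digests
    pending: dict = field(default_factory=dict)   # url -> set of digests awaiting review

    def approve(self, url: str, digest: str) -> None:
        """Record an administrator's approval of one digest for one URL."""
        digest = digest.lower()
        self.approved.setdefault(url, set()).add(digest)
        self.pending.get(url, set()).discard(digest)

    def check(self, url: str, payload: bytes) -> bool:
        """Return True only if the payload matches a digest approved for this URL.

        An unknown digest is queued for review, so a changed upstream binary
        (tampered or legitimately re-released) is never installed until an
        administrator has looked at it and approved the new digest.
        """
        digest = hashlib.sha256(payload).hexdigest()
        if digest in self.approved.get(url, set()):
            return True
        self.pending.setdefault(url, set()).add(digest)
        return False


def demo() -> list:
    url = "https://downloads.example.invalid/tool-1.0.zip"  # constructed URL
    original = b"constructed archive contents, release 1.0"  # constructed bytes
    changed = original + b" (modified at the download source)"

    store = ToolApprovals()
    store.approve(url, hashlib.sha256(original).hexdigest())

    results = [store.check(url, original),  # approved digest: install allowed
               store.check(url, changed)]   # unknown digest: blocked, queued
    # The administrator reviews the queued digest and, if the change was a
    # legitimate re-release, approves it; only then does the install proceed.
    for digest in list(store.pending[url]):
        store.approve(url, digest)
    results.append(store.check(url, changed))
    return results


if __name__ == "__main__":
    print(demo())
```
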


            People

            Assignee: Unassigned
            Reporter: skorhone Sami Korhonen
            Votes: 0
            Watchers: 3
