[JENKINS-67189] Local FilePaths in S2MCallable are subject to FilePathFilter access control

    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Component: core
    • Environment: Jenkins 2.319+, 2.303.3+
    • Released As: 2.326

      The security fixes in 2.319, LTS 2.303.3 introduced a(nother) regression:

      If a SlaveToMaster(File)Callable operates on controller-local FilePaths, they are newly subject to access control.

      Part of the SECURITY-2455 security fixes involved removing the per-FilePath tracking of the requirement to be subject to access control, instead relying on Channel#current. That, however, means that all FilePath objects on the JVM executing a Callable are subject to the applicable FilePathFilter (i.e., if it's on the controller, FilePathFilter applies).

      To clarify, this isn't about a MasterToSlave(File)Callable operating on a controller FilePath – those are deliberately subject to access control (and always have been). It needs code like the following to fail:

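          // Nested in a test class. Imports assumed: hudson.FilePath, jenkins.security.SlaveToMasterCallable,
          // jenkins.util.JenkinsJVM, java.io.File, java.nio.file.Files, static org.junit.Assert.assertTrue.
          private static class LocalFileOpCallable extends SlaveToMasterCallable<String, Exception> {
              @Override
              public String call() throws Exception {
                  // Confirms the callable is executing on the controller JVM.
                  assertTrue(JenkinsJVM.isJenkinsJVM());
                  // The file is created locally on the controller; it never crossed the channel.
                  final File tempFile = Files.createTempFile("jenkins-test", null).toFile();
                  return new FilePath(tempFile).readToString(); // throws SecurityException
              }
          }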

      If this callable is sent from an agent to the controller for execution, it will fail with a SecurityException if agent-to-controller access control is enabled.

      I do not expect any (crazy) code like this to exist, but noting just in case.
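
A simplified model of the scoping change described above, as an added example that is not Jenkins code and not part of the original report. `ModelPath`, `currentChannel`, `runAsAgentCallable` and the deny-all filter are hypothetical stand-ins for `FilePath`, `Channel#current`, callable execution on the controller and `FilePathFilter`; how the per-path flag was originally set is an assumption.

```java
import java.util.function.Supplier;

// Simplified model of the two designs; not Jenkins code. All names are hypothetical.
public class FilterScopeModel {
    // Stand-in for Channel#current: non-null while an agent-sent callable is running.
    static final ThreadLocal<String> currentChannel = new ThreadLocal<>();

    enum Design { PER_PATH_TRACKING, CHANNEL_CONTEXT }

    static class ModelPath {
        final String name;
        final boolean subjectToFilter; // per-object flag, consulted only by the older design
        ModelPath(String name, boolean subjectToFilter) {
            this.name = name;
            this.subjectToFilter = subjectToFilter;
        }
        String read(Design design) {
            boolean filtered = design == Design.PER_PATH_TRACKING
                    ? subjectToFilter
                    : currentChannel.get() != null;
            // The model's filter denies everything, so the scope of the check is visible.
            if (filtered) throw new SecurityException("filter rejected read of " + name);
            return "contents of " + name;
        }
    }

    // Runs work the way the controller runs an agent-sent callable: with the channel set.
    static String runAsAgentCallable(Supplier<String> work) {
        currentChannel.set("agent-1");
        try {
            return work.get();
        } catch (SecurityException e) {
            return "SecurityException: " + e.getMessage();
        } finally {
            currentChannel.remove();
        }
    }

    public static void main(String[] args) {
        for (Design d : Design.values()) {
            // Path created locally inside the callable, like the temp file in the report.
            String local = runAsAgentCallable(() -> new ModelPath("temp", false).read(d));
            // Path marked as subject to access control: rejected under both designs.
            String marked = runAsAgentCallable(() -> new ModelPath("sent", true).read(d));
            System.out.println(d + ": local=[" + local + "] marked=[" + marked + "]");
        }
    }
}
```

Only the locally created path changes outcome between the two designs, which is the regression the report describes.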

          Daniel Beck created issue -
          Daniel Beck made changes -
          Assignee New: Daniel Beck [ danielbeck ]
          Daniel Beck made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Daniel Beck made changes -
          Status Original: In Progress [ 3 ] New: In Review [ 10005 ]
          Basil Crow made changes -
          Released As New: 2.326
          Resolution New: Fixed [ 1 ]
          Status Original: In Review [ 10005 ] New: Resolved [ 5 ]
