• Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • Component: core
    • Affects versions: Jenkins 2.440 and Jenkins LTS 2.426.1

      When anonymous read access is allowed, the following URL is accessible:
      "<JENKINS_URL>/_script" (please note the underscore!)

      Fortunately, trying to execute a script with the "Run" button leads to a redirect to the login page.

      In contrast, "<JENKINS_URL>/script" (without the underscore) is properly redirected to the login page by default.

      This issue can be reproduced by installing the latest weekly release or LTS release, enabling anonymous read access in the security settings and accessing the mentioned URLs.

      1. Is there a legitimate reason to make the script console available under "<JENKINS_URL>/_script" (independent of the authentication issue)? Does something depend on that URL?
      2. If both questions under 1. can be answered with "No", I'd recommend removing access to the URL completely. If the answers to 1. are "Yes", I'd recommend fixing the missing authentication (it should have the same behavior as "<JENKINS_URL>/script").

          [JENKINS-72543] JENKINS_URL/_script only requires Overall/Read

          Fred G created issue -
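          The reproduction described in the report can be turned into a quick check against a running instance. The script below is an added example, not part of the Jira issue or of Jenkins itself: it requests `/script` and `/_script` anonymously, without following redirects, and compares the two HTTP status codes. It assumes that curl is installed, that the instance URL is passed as the first argument, and that an unauthenticated request to a protected page answers with 302 (redirect to login), 401 or 403; the function names and the verdict labels are this example's own, and the "script-console-open" verdict (for an instance where `/script` itself answers 200 anonymously) is a case the report does not describe but that the same probe detects.

```shell
#!/bin/sh
# Added example: anonymous probe of <JENKINS_URL>/script vs <JENKINS_URL>/_script.
# Not part of the Jira issue or of Jenkins; assumes curl is installed.

# HTTP status of one path, fetched without credentials and without following
# redirects, so a login redirect shows up as 302 rather than as the login page.
jenkins_status() {
  base=${1%/}   # strip one trailing slash so "$base$path" is well formed
  path=$2
  curl -s -o /dev/null -w '%{http_code}' "$base$path"
}

# Classify a pair of status codes (verdict labels are this example's own):
#   affected             /script is protected but /_script answers 200 anonymously
#   not-affected         both paths are protected (or /_script is gone, 404)
#   script-console-open  /script itself answers 200 anonymously (misconfigured instance)
#   indeterminate        anything else (connection error "000", 5xx, ...)
classify_script_console() {
  script_code=$1    # status of <JENKINS_URL>/script
  uscript_code=$2   # status of <JENKINS_URL>/_script
  case "$script_code" in
    302|401|403) script_protected=1 ;;
    200)         script_protected=0 ;;
    *)           echo indeterminate; return 0 ;;
  esac
  case "$uscript_code" in
    302|401|403|404) uscript_protected=1 ;;   # 404: the URL has been removed entirely
    200)             uscript_protected=0 ;;
    *)               echo indeterminate; return 0 ;;
  esac
  if [ "$script_protected" -eq 0 ]; then
    echo script-console-open
  elif [ "$uscript_protected" -eq 0 ]; then
    echo affected
  else
    echo not-affected
  fi
}

# Probe one instance and print the raw codes next to the verdict.
check_jenkins() {
  s=$(jenkins_status "$1" /script)
  u=$(jenkins_status "$1" /_script)
  printf '%s  /script=%s  /_script=%s  -> %s\n' "$1" "$s" "$u" \
    "$(classify_script_console "$s" "$u")"
}

# Usage: sh check_script_console.sh https://jenkins.example
if [ -n "$1" ]; then
  check_jenkins "$1"
fi
```

          Run it against an instance with anonymous read enabled; a `302`/`403` on `/script` next to a `200` on `/_script` is the behaviour the report describes, and after the fix both paths should give the same answer.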

          Daniel Beck added a comment -

          _script is simply the view's Jelly file. Since there's no sensitive content, there's no real reason to protect it.

          There's lots of these URLs in Jenkins, fixing one doesn't accomplish much.

          Daniel Beck made changes -
          Summary changed from "JENKINS_URL/_script does not require authentication" to "JENKINS_URL/_script only requires Overall/Read"
          Status changed from Open to In Progress
          Status changed from In Progress to In Review
          Remote link added: PR#8858 (Web Link)
          Assignee set to Daniel Beck [ danielbeck ]

          Fred G added a comment -

          Can you comment on what you think would be the right approach to fix this for good?

          Depending on the required effort, I'm potentially willing to spend time on this, since I think it might be worthwhile to fix this URL and other URLs anyway.


          Daniel Beck added a comment -

          This one is a special case since the fix amounts to a typo correction. Despite what I wrote in my previous message, there was an intention for it to be protected, but it was done incorrectly.

          In general it's just one of the dumb internals of Jenkins that can be exposed, fixing entirely is playing whack-a-mole.


            Assignee: Daniel Beck [ danielbeck ]
            Reporter: Fred G [ fredg ]
            Votes: 0
            Watchers: 2