• Bug
    • Resolution: Not A Defect
    • Minor
    • _unsorted
    • Jenkins: 2.479.2
      Plugin Version: 751.v2e44153c8fe1
      ##### NOTE ####
      I had to put the slack-uploader-plugin as the component. However, this belongs to the slack-notification plugin. It just wasn't listed as an option.

      Version: slack-plugin-751.v2e44153c8fe1

      File: src/main/java/jenkins/plugins/slack/pipeline/SlackUploadFileRunner.java

      Line: 65

      Setup Steps:

      1. Follow this to set up a Slack app
      2. Navigate to Manage Jenkins > System Log
      3. Create a new logger
      4. Name = Slack
      5. Logger = jenkins.plugins
      6. Log Level = ALL
      7. Create a pipeline job to trigger the logging statement
      8. Here is an example script (file path, channel, and the token id must be changed).

      pipeline {
          agent any

          environment {
              SLACK_CHANNEL = 'all-testing'
          }

          stages {
              stage('Upload File to Slack') {
                  steps {
                      withCredentials([string(credentialsId: 'slack-token', variable: 'SLACK_TOKEN')]) {
                          script {
                              slackUploadFile(
                                  filePath: 'C:\\Users\\kyler\\Downloads\\sensitive-info\\business-data.txt.txt',
                                  initialComment: 'Uploading sensitive business data to Slack',
                                  channel: env.SLACK_CHANNEL
                              )
                          }
                      }
                  }
              }
          }
      }

      Navigate back to the log and look for the output. Mine is attached. This will log the full file path. 

      A fix for this could be to say that the upload was successful or to log the base file name. 
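      As an added illustration of the second suggestion (logging only the base file name), the Java helper below is not the plugin's code; the class name, message format and sample path are hypothetical. It strips both separators by hand because java.nio.file.Path splits on the host OS separator only, so a Windows-style path logged from a Linux controller would otherwise survive intact.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

// Hypothetical helper (not part of slack-plugin): reduce a user-supplied
// upload path to its last segment before it reaches the Jenkins log.
public final class UploadLogSanitizer {
    private static final Logger LOGGER = Logger.getLogger(UploadLogSanitizer.class.getName());

    // Cut everything up to and including the last '/' or '\'.
    // Both separators are checked explicitly: Paths.get(p).getFileName()
    // on a Linux JVM treats "C:\Users\x\file.txt" as a single element.
    static String baseName(String filePath) {
        if (filePath == null || filePath.isEmpty()) {
            return "<empty>";
        }
        int cut = Math.max(filePath.lastIndexOf('/'), filePath.lastIndexOf('\\'));
        return cut < 0 ? filePath : filePath.substring(cut + 1);
    }

    // Verbose form: the full path as supplied in the Jenkinsfile ends up in the log.
    static String verboseMessage(String filePath) {
        return "Uploading file " + filePath;
    }

    // Reduced form, as suggested in the report: only the base name is logged.
    static String reducedMessage(String filePath) {
        return "Uploading file " + baseName(filePath);
    }

    public static void main(String[] args) {
        // Constructed sample path in the shape used by the pipeline script above.
        String path = "C:\\Users\\example\\Downloads\\sensitive-info\\business-data.txt";
        LOGGER.log(Level.FINE, verboseMessage(path)); // reveals the directory layout
        LOGGER.log(Level.FINE, reducedMessage(path)); // "Uploading file business-data.txt"
        System.out.println(reducedMessage(path));
    }
}
```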


          [JENKINS-75103] CWE-532 In Slack Notification Plugin

          Markus Winter added a comment -

          The slack plugin uses github for its bug tracking. So you should open the problem there. https://github.com/jenkinsci/slack-plugin/issues

          Kyler added a comment -

          Thank you, will do.

          Daniel Beck added a comment -

          I'd usually move this to the SECURITY project, where security issues should be reported, but the Jenkins security team would not consider this to be a vulnerability per https://www.jenkins.io/security/reporting/#non-issues

          File paths present in Jenkinsfiles are hardly sensitive information, and especially on the more verbose logging levels, it's rather likely that even credentials might end up being logged as might be necessary to diagnose e.g. connection issues.

          Kyler added a comment -

          Looking into this, it will appear in a public forum. 

          I see this
          "Never report security issues on GitHub or other public channels (Gitter/Twitter/etc.)
          Follow these instruction to report security issues: https://www.jenkins.io/security/#reporting-vulnerabilities"

          This brings me back to this Jira or this email jenkinsci-cert@googlegroups.com, which seems to link to Jira as well. 

          Daniel Beck added a comment -

          this Jira

          When reporting an issue here, you have the choice of different projects. You reported this in the public "JENKINS" project. As a possible vulnerability, "SECURITY" would have been the correct choice.

          Kyler added a comment -

          I understand, thank you for clarifying.

          Daniel Beck added a comment -

          You're welcome

          FTR I used this as an impulse to propose we replace the links on jenkins.io with a more immediately useful URL that more directly guides reporters: https://github.com/jenkins-infra/jenkins.io/pull/7806

          Mark Waite added a comment -

          The "Links" section on the right hand side of https://plugins.jenkins.io/slack/ also includes links to report an issue. When the GitHub issue path is chosen, the security page suggests to report through Jira. When the Jira issue path is chosen, it shows a security button that will assign the correct Jira project.

          Daniel Beck added a comment -

          it shows a security button that will assign the correct Jira project

          Being improved further in https://github.com/jenkins-infra/jenkins.io/pull/7809 and https://github.com/jenkins-infra/repository-permissions-updater/pull/4256 addressing another issue that some reporters struggle with (plugin IDs being an inconsistent mess doesn't exactly make it easy for them!)

          Also noting https://github.com/jenkinsci/.github/pull/144

          Daniel Beck added a comment -

          As this was reported against the wrong component and a comment pointed the reporter to the correct issue tracker, there's no reason to keep this open any longer.

            Assignee: Unassigned
            Reporter: Kyler (kylerkatz)
            Votes: 0
            Watchers: 4