  1. Jenkins
  2. JENKINS-23475

Can bypass permission check of CopyArtifact with WebAPI/CLI


      Description

      When specifying a project name to copy artifacts from without a variable, permission check is performed at configuration time.
      That check is performed in the constructor of CopyArtifact, and can be bypassed using WebAPI, which does not trigger the constructor (triggers readResolve instead).

      Update: can also be bypassed with the CLI.
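
The gap described above, as an added example (not the plugin's code and not the SECURITY-988 fix): a check that lives only in the constructor is skipped when the object is rebuilt from stored form, while a check in `readResolve` runs on that path. Standard Java serialization stands in here for Jenkins's config loading, and `CopyStep`, `CheckedCopyStep`, `checkPermission` and `callerMayRead` are hypothetical names.

```java
import java.io.*;

public class ConstructorCheckDemo {
    // Hypothetical stand-in for "current user may read the source project" (not a Jenkins API).
    static boolean callerMayRead = true;

    static void checkPermission(String project) {
        if (!callerMayRead) throw new SecurityException("no read access to " + project);
    }

    // Weak form: the permission check exists only in the constructor.
    static class CopyStep implements Serializable {
        private static final long serialVersionUID = 1L;
        final String project;
        CopyStep(String project) { checkPermission(project); this.project = project; }
    }

    // Hardened form: the same check also runs when the object is deserialized.
    static class CheckedCopyStep extends CopyStep {
        private static final long serialVersionUID = 1L;
        CheckedCopyStep(String project) { super(project); }
        private Object readResolve() { checkPermission(project); return this; }
    }

    static byte[] save(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    static Object load(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject(); // no CopyStep constructor runs here
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: stored forms created while the check passes.
        byte[] weak = save(new CopyStep("restricted-job"));
        byte[] hardened = save(new CheckedCopyStep("restricted-job"));
        callerMayRead = false; // the stored form is now loaded for a caller without access

        try { new CopyStep("restricted-job"); }
        catch (SecurityException e) { System.out.println("constructor path: " + e.getMessage()); }
        System.out.println("loaded unchecked: " + ((CopyStep) load(weak)).project);
        try { load(hardened); }
        catch (SecurityException e) { System.out.println("readResolve path: " + e.getMessage()); }
    }
}
```
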


            Activity

            ikedam ikedam added a comment -

            I noticed this problem while reviewing the code, and have not tested reproducing it yet.
            I have to write test code to reproduce this first.

            ikedam ikedam added a comment - https://github.com/jenkinsci/copyartifact-plugin/pull/41
            ikedam ikedam added a comment -

            Fixed in SECURITY-988


              People

              Assignee:
              ikedam ikedam
              Reporter:
              ikedam ikedam