  1. Jenkins
  2. JENKINS-55659

Tool downloads are vulnerable to tampering


Details

    Description

      The list of references to external tools on the update site is neither signed nor hashed. This makes the tools installer vulnerable to tampering. First, the content should be signed to prevent malicious third parties from modifying it and redirecting Jenkins to download from unknown sources. The contents of the URLs should also be hashed to prevent malicious modifications at the download source.


        Activity

          danielbeck Daniel Beck added a comment -

          "The list of references to external tools on the update site is neither signed nor hashed. This makes the tools installer vulnerable to tampering. First, the content should be signed to prevent malicious third parties from modifying it and redirecting Jenkins to download from unknown sources."

          You're describing how it works today. In fact, INFRA-1944 demonstrates that Jenkins cares a lot about the signatures.

          "The contents of the URLs should also be hashed to prevent malicious modifications at the download source."

          Reasonable RFE. Likely not possible to do in core, but rather up to individual implementations.

          danielbeck Daniel Beck added a comment -

          Notably, a while back we moved all possible URLs to HTTPS to further limit problems. Since we're not actually providing the binaries ourselves, providing content hashes seems to invite problems in case they're ever (legitimately) changed.

          skorhone Sami Korhonen added a comment - - edited

          Is there an API in Jenkins that plugins are using to download tools? If so, would it be possible to add a feature similar to scripts (script security)? Having administrators approve tool installs and checksums might not be such a bad idea.

          danielbeck Daniel Beck added a comment -

          If you don't trust the publicly provided installer URLs, don't configure them. You can always use the "Download and extract a zip file" installer at a location you control.

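The administrator-approved checksums suggested in the thread, sketched as an added example (not Jenkins or plugin code; `ApprovalStore`, its JSON layout and any URL passed to it are hypothetical). An archive whose SHA-256 is not pinned is refused and queued for review, which is also how a legitimately changed upstream binary would surface.

```python
# Added example (not Jenkins code): fail-closed checksum approval for tool archives.
import hashlib
import hmac
import json
from pathlib import Path


class ApprovalRequired(Exception):
    """The archive's digest has not been approved by an administrator."""


def sha256_file(path, chunk_size=1 << 16):
    """Hash the file in chunks so large tool archives are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


class ApprovalStore:
    """Hypothetical pin list kept by an administrator: installer URL -> digests."""

    def __init__(self, path):
        self.path = Path(path)
        empty = {"approved": {}, "pending": {}}
        self.state = json.loads(self.path.read_text()) if self.path.exists() else empty

    def _save(self):
        self.path.write_text(json.dumps(self.state, indent=2, sort_keys=True))

    def verify(self, url, archive):
        """Return the digest if approved; otherwise queue it for review and refuse."""
        actual = sha256_file(archive)
        for pinned in self.state["approved"].get(url, []):
            if hmac.compare_digest(actual, pinned):
                return actual
        # Unknown or changed content: do not extract, leave the decision to a human.
        self.state["pending"][url] = actual
        self._save()
        raise ApprovalRequired(f"{url}: sha256 {actual} awaits approval")

    def approve(self, url, digest):
        """Administrator action: accept exactly the digest queued for this URL."""
        if self.state["pending"].get(url) != digest:
            raise ValueError("digest does not match the pending entry for this URL")
        del self.state["pending"][url]
        self.state["approved"].setdefault(url, []).append(digest)
        self._save()
```

The installer would call `verify()` on the downloaded file before extracting it and treat `ApprovalRequired` as a failed installation.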

          People

            Unassigned Unassigned
            skorhone Sami Korhonen