Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-12281

Copy-to-Slave plugin allows anyone with create/edit job permission to get read access to global config

    Details

      Description

      When copy-to-slave plugin is installed in the system, anyone with create/edit job permission can enable it for a job, set HUDSON_HOME as a base dir, then fetch config.xml and cat it to build log for example. Global config.xml may contain highly sensitive data like EC2 and other credentials.

      More details, copied from https://wiki.jenkins-ci.org/display/JENKINS/Copy+To+Slave+Plugin?focusedCommentId=59509028#comment-59509028 :

      Jenkins allows to have access separation, where only users with admin permissions haev access to global config. However, with this plugin installed, any user who has job create/edit permission can fetch Jenkins' config.xml, and that may contain sensitive data, like EC2 credentials for example.

      That's why carefully written plugins split there config in 2 parts: global config where arbitrary paths, credentials, etc. are set, job config, where usually user can just select a choice from predefined set using a dropdown.

      Suggestions for alleviating immediate security threat: remove "HUDSON_HOME" option, replace it with "HUDSON_HOME/copyToSlave" option. The latter option is still required to preserve generality of plugin, as "HUDSON_HOME/userContent" is not suitable for all content, as it is publicly accessible via http://<jenkins>/userContent. "Job's workspace on master" on its own is not enough either, as for the case of hundreds of jobs all requiring same prerequisites, it's very cumbersome to configure each job's workspace.

      And well, this assumes that you didn't try to patch Ant's file pattern code which by all means should prohibit ".." syntax to access files outside of the specified prefix, because otherwise this plugin can be used to access any file on master's filesystem which is very big security risk.

      More elaborated approach would be of course to split plugin config to global/per-job parts, where in global and admin can define set of base paths (which can be arbitrary then), and in job config, a user can select just from these predefined ones.

        Activity

        Hide
        pfalcon Paul Sokolovsky added a comment -

        Simple patch to remove HUDSON_HOME as a choice (and replace it with HUDSON_HOME/copyToSlave) is a available at: https://github.com/pfalcon/copy-to-slave-plugin/commits/linaro

        Show
        pfalcon Paul Sokolovsky added a comment - Simple patch to remove HUDSON_HOME as a choice (and replace it with HUDSON_HOME/copyToSlave) is a available at: https://github.com/pfalcon/copy-to-slave-plugin/commits/linaro
        Hide
        rseguy Romain Seguy added a comment -

        I've attached a version of the plugin which contains the fix. Can you give it a try and confirm it works please?

        Show
        rseguy Romain Seguy added a comment - I've attached a version of the plugin which contains the fix. Can you give it a try and confirm it works please?
        Hide
        scm_issue_link SCM/JIRA link daemon added a comment -

        Code changed in jenkins
        User: rseguy
        Path:
        src/main/java/com/michelin/cio/hudson/plugins/copytoslave/CopyToSlaveBuildWrapper.java
        src/main/resources/com/michelin/cio/hudson/plugins/copytoslave/CopyToSlaveBuildWrapper/config.jelly
        src/main/resources/com/michelin/cio/hudson/plugins/copytoslave/CopyToSlaveBuildWrapper/config.properties
        src/main/resources/com/michelin/cio/hudson/plugins/copytoslave/CopyToSlaveBuildWrapper/config_fr.properties
        src/main/resources/com/michelin/cio/hudson/plugins/copytoslave/CopyToSlaveBuildWrapper/global.jelly
        src/main/resources/com/michelin/cio/hudson/plugins/copytoslave/CopyToSlaveBuildWrapper/global.properties
        src/main/resources/com/michelin/cio/hudson/plugins/copytoslave/CopyToSlaveBuildWrapper/help-relativeTo.html
        src/main/resources/com/michelin/cio/hudson/plugins/copytoslave/CopyToSlaveBuildWrapper/help-relativeToHomeEnabled.html
        src/main/resources/com/michelin/cio/hudson/plugins/copytoslave/CopyToSlaveBuildWrapper/help-somewhereElseEnabled.html
        src/main/resources/com/michelin/cio/hudson/plugins/copytoslave/CopyToSlaveBuildWrapper/help.html
        http://jenkins-ci.org/commit/copy-to-slave-plugin/74f4fc505ba0007e2690a3ebec14c9c288eae865
        Log:
        [FIXED JENKINS-12281] It is now possible to remove HUDSON_HOME from the list of base locations for copy to slave operations

        Show
        scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: rseguy Path: src/main/java/com/michelin/cio/hudson/plugins/copytoslave/CopyToSlaveBuildWrapper.java src/main/resources/com/michelin/cio/hudson/plugins/copytoslave/CopyToSlaveBuildWrapper/config.jelly src/main/resources/com/michelin/cio/hudson/plugins/copytoslave/CopyToSlaveBuildWrapper/config.properties src/main/resources/com/michelin/cio/hudson/plugins/copytoslave/CopyToSlaveBuildWrapper/config_fr.properties src/main/resources/com/michelin/cio/hudson/plugins/copytoslave/CopyToSlaveBuildWrapper/global.jelly src/main/resources/com/michelin/cio/hudson/plugins/copytoslave/CopyToSlaveBuildWrapper/global.properties src/main/resources/com/michelin/cio/hudson/plugins/copytoslave/CopyToSlaveBuildWrapper/help-relativeTo.html src/main/resources/com/michelin/cio/hudson/plugins/copytoslave/CopyToSlaveBuildWrapper/help-relativeToHomeEnabled.html src/main/resources/com/michelin/cio/hudson/plugins/copytoslave/CopyToSlaveBuildWrapper/help-somewhereElseEnabled.html src/main/resources/com/michelin/cio/hudson/plugins/copytoslave/CopyToSlaveBuildWrapper/help.html http://jenkins-ci.org/commit/copy-to-slave-plugin/74f4fc505ba0007e2690a3ebec14c9c288eae865 Log: [FIXED JENKINS-12281] It is now possible to remove HUDSON_HOME from the list of base locations for copy to slave operations
        Hide
        pfalcon Paul Sokolovsky added a comment -

        Tested attached copy-to-slave.hpi - works great, thanks! Maybe just not in in-place help for
        "Define an additional "Paths are relative to" option" that path entered is relative to filesystem root directory, and that standard Jenkins environment variables are allowed.

        Show
        pfalcon Paul Sokolovsky added a comment - Tested attached copy-to-slave.hpi - works great, thanks! Maybe just not in in-place help for "Define an additional "Paths are relative to" option" that path entered is relative to filesystem root directory, and that standard Jenkins environment variables are allowed.
        Hide
        scm_issue_link SCM/JIRA link daemon added a comment -

        Code changed in jenkins
        User: rseguy
        Path:
        src/main/resources/com/michelin/cio/hudson/plugins/copytoslave/CopyToSlaveBuildWrapper/help-somewhereElseEnabled.html
        http://jenkins-ci.org/commit/copy-to-slave-plugin/1d16dd83b2f573f9f26250d76ec5a814c3ca35bc
        Log:
        [FIXED JENKINS-12281] Improved help messages

        Show
        scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: rseguy Path: src/main/resources/com/michelin/cio/hudson/plugins/copytoslave/CopyToSlaveBuildWrapper/help-somewhereElseEnabled.html http://jenkins-ci.org/commit/copy-to-slave-plugin/1d16dd83b2f573f9f26250d76ec5a814c3ca35bc Log: [FIXED JENKINS-12281] Improved help messages
        Hide
        scm_issue_link SCM/JIRA link daemon added a comment -

        Code changed in jenkins
        User: rseguy
        Path:
        src/main/resources/com/michelin/cio/hudson/plugins/copytoslave/CopyToSlaveBuildWrapper/help-somewhereElseEnabled.html
        http://jenkins-ci.org/commit/copy-to-slave-plugin/1d16dd83b2f573f9f26250d76ec5a814c3ca35bc
        Log:
        [FIXED JENKINS-12281] Improved help messages

        Show
        scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: rseguy Path: src/main/resources/com/michelin/cio/hudson/plugins/copytoslave/CopyToSlaveBuildWrapper/help-somewhereElseEnabled.html http://jenkins-ci.org/commit/copy-to-slave-plugin/1d16dd83b2f573f9f26250d76ec5a814c3ca35bc Log: [FIXED JENKINS-12281] Improved help messages

          People

          • Assignee:
            rseguy Romain Seguy
            Reporter:
            pfalcon Paul Sokolovsky
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: