JENKINS-14113

UnprotectedRootAction doesn't work for /github-webhook/

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Component/s: core
    • Labels:
      None

      Description

      At the moment the github plugin has its github-webhook marked as being an UnprotectedRootAction, which should mean that requests can be made to http://jenkins/github-webhook/ and, even if security is enabled in jenkins, they should make it through.

      To see this bug in action:

      • Install jenkins
      • Install the github plugin.
      • Enable security, switch to matrix security, add a group called "authenticated" and grant them administer permission, remove all permissions from anonymous.
      • Attempt to access http://jenkins/github-webhook/ in a browser that isn't logged into jenkins and you get prompted to login.

      Jenkins has special support for some URL paths in jenkins.model.Jenkins.getTarget() (e.g. http://jenkins/whoAmI), and it also contains support for UnprotectedRootAction.

      The problem is that the TokenList class, which parses the URL and then rebuilds it when Stapler.getCurrentRequest().getRestOfPath() is called, drops all trailing slashes from the returned path. So even if the request path ended /github-webhook/, the value returned from getRestOfPath() is always /github-webhook.

      This then fails to match the test which requires the trailing slash.

          Activity

          buckett Matthew Buckett added a comment - Fix in https://github.com/jenkinsci/jenkins/pull/498
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          core/src/main/java/jenkins/model/Jenkins.java
          core/src/main/resources/hudson/model/EnvironmentContributor/EnvVarsHtml/index.groovy
          test/src/test/java/jenkins/model/JenkinsTest.java
          http://jenkins-ci.org/commit/jenkins/4e7a43c5863b5e7ad637a5034f75d3c144c45129
          Log:
          [FIXED JENKINS-14113]

          The proposed fix https://github.com/buckett/jenkins/commit/eec16f1b6156aea76bd0cc6e0262538713ebffb6 has a problem in that it'd allow anything that has the given URL name as a prefix.
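
Added illustration (not Jenkins code and not the contents of either commit): three ways an unprotected-path check can be written, run against paths after trailing-slash stripping as the description reports. The class, method names, the `restOfPath` stand-in and the sample paths are constructed for this example; the actual check in `Jenkins.getTarget()` is not shown on this page.

```java
public class UnprotectedPathMatch {
    // Assumed stand-in for the behaviour in the report: every trailing
    // slash is dropped before the path reaches the access check.
    static String restOfPath(String requestPath) {
        String p = requestPath;
        while (p.length() > 1 && p.endsWith("/")) {
            p = p.substring(0, p.length() - 1);
        }
        return p;
    }

    // Shape of the failing test: demands "/name/", so the action's own
    // root URL can never match once the slash has been stripped.
    static boolean requiresSlash(String rest, String urlName) {
        return rest.startsWith("/" + urlName + "/");
    }

    // Bare prefix test: fixes the root URL but also exempts any path
    // that merely begins with the same characters.
    static boolean barePrefix(String rest, String urlName) {
        return rest.startsWith("/" + urlName);
    }

    // Segment-aware test: the name must be the whole first path segment.
    static boolean segmentMatch(String rest, String urlName) {
        String base = "/" + urlName;
        return rest.equals(base) || rest.startsWith(base + "/");
    }

    public static void main(String[] args) {
        String urlName = "github-webhook";
        String[] paths = {            // constructed sample request paths
            "/github-webhook/",       // the URL from the report
            "/github-webhook/hook",   // sub-path of the action
            "/github-webhook-admin",  // different first segment, same prefix
            "/manage"                 // unrelated protected path
        };
        for (String p : paths) {
            String rest = restOfPath(p);
            System.out.printf("%-24s rest=%-24s slash=%-5b prefix=%-5b segment=%b%n",
                    p, rest, requiresSlash(rest, urlName),
                    barePrefix(rest, urlName), segmentMatch(rest, urlName));
        }
    }
}
```

For `/github-webhook/` only the slash-requiring test returns false, which is the login prompt in the report; for `/github-webhook-admin` only the bare prefix test returns true, which is the over-broad exemption the commit log objects to.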

          dogfood dogfood added a comment -

          Integrated in jenkins_main_trunk #1762
          [FIXED JENKINS-14113] (Revision 4e7a43c5863b5e7ad637a5034f75d3c144c45129)

          Result = SUCCESS
          Kohsuke Kawaguchi : 4e7a43c5863b5e7ad637a5034f75d3c144c45129
          Files :

          • core/src/main/resources/hudson/model/EnvironmentContributor/EnvVarsHtml/index.groovy
          • core/src/main/java/jenkins/model/Jenkins.java
          • test/src/test/java/jenkins/model/JenkinsTest.java
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          core/src/main/java/jenkins/model/Jenkins.java
          core/src/main/resources/hudson/model/EnvironmentContributor/EnvVarsHtml/index.groovy
          test/src/test/java/jenkins/model/JenkinsTest.java
          http://jenkins-ci.org/commit/jenkins/2f81ae5c3c27941dab7610a679fdd15b8c3177f2
          Log:
          [FIXED JENKINS-14113]

          The proposed fix https://github.com/buckett/jenkins/commit/eec16f1b6156aea76bd0cc6e0262538713ebffb6 has a problem in that it'd allow anything that has the given URL name as a prefix.
          (cherry picked from commit 4e7a43c5863b5e7ad637a5034f75d3c144c45129)

          Conflicts:

          core/src/main/resources/hudson/model/EnvironmentContributor/EnvVarsHtml/index.groovy


            People

            • Assignee:
              Unassigned
              Reporter:
              buckett Matthew Buckett