  1. Jenkins
  2. JENKINS-15213

email-ext 2.22+ allows any user with configure permission for a single job to circumvent Jenkins security


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Component/s: email-ext-plugin
    • Labels:
      None
    • Environment:
      Since 2.22, including 2.24.1

      Description

      The ability to run a script prior to sending email was introduced in email-ext, a plugin with 10k+ installations, version 2.22 for JENKINS-12421.

      This allows users to exploit their job configure privilege for a single job to gain access to all of Jenkins, circumventing any security measures.

      Steps to reproduce

      1. In project based matrix security (most severe permissions issue), give "User" overall read permission. Create job "Job" and give read/configure/build permissions to "User"
      2. Log out and back in as "User"
      3. Configure "Job" to send email-ext (upon success).
      4. Set the pre-build script to e.g. "Hudson.instance.doQuietDown()" or "Hudson.instance.projects.each { it.disable() }"
      5. Start a build

      Result

      Jenkins is quieting down, or all projects have been disabled, depending on the script. Everything else is possible as well.

      Notes

      This feature cannot be deactivated, like Groovy Postbuild's "restrict access to internal objects", or used in a safe way by privileged users only, like Groovy's requiring administration permissions for adding or editing Groovy System build steps.

      This issue is identical to SECURITY-35 of June 23rd. Maybe it will get a better response as a public issue.


          Activity

          slide_o_mix Alex Earl added a comment -

          Thanks for bringing this up, most devs don't get copied on SECURITY issues, so that's why it hasn't been looked at. I'll look at it soon.

          slide_o_mix Alex Earl added a comment -

          Yes, in fact I don't even have access to SECURITY-35, so it would have never been seen.

          slide_o_mix Alex Earl added a comment -

          Need to have a new LTS released which fixes the readonly textarea issue.

          slide_o_mix Alex Earl added a comment -

          Groovy Postbuild's security is easily bypassed, I can add imports at the top of the post-build script and access the Jenkins/Hudson instance all I want, even with the security enabled. I need to research this more, something along the lines of a sandbox if something like that exists.

          slide_o_mix Alex Earl added a comment -

          I've decided to use the groovy sandbox to disallow interaction with the Jenkins instance when security is enabled for the pre-send script.

          slide_o_mix Alex Earl added a comment -

          Added a sandbox around the pre-send script execution so that when security is enabled the user will not be able to access the Jenkins/Hudson instance. This is different than the implementation used in the groovy postbuild plugin which can easily be subverted.

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Alex Earl
          Path:
          src/main/java/hudson/plugins/emailext/ExtendedEmailPublisher.java
          src/main/java/hudson/plugins/emailext/ExtendedEmailPublisherDescriptor.java
          src/main/resources/hudson/plugins/emailext/ExtendedEmailPublisher/global.jelly
          src/main/webapp/help/globalConfig/security.html
          http://jenkins-ci.org/commit/email-ext-plugin/062f768561cb0e9b64331b8a43a2820d52971751
          Log:
          Fix JENKINS-15213

          Allow administrator to enable security for pre-send scripts. This is a
          breaking change for current pre-send scripts.


            People

            • Assignee:
              slide_o_mix Alex Earl
              Reporter:
              danielbeck Daniel Beck