Jenkins issue JENKINS-23165

Config.gerritAuthKeyFilePassword stored in plaintext

      Description

Secrets should never be stored in plaintext, and once stored, should never be sent back to the browser in plaintext. Declare the field and the bean property to be of type hudson.util.Secret, so it is protected by the master key. Form data binding with <f:password> and @DataBoundConstructor automatically deals with this; since you seem to be managing this form manually, just use fromString to convert an initially entered password, and for round-trips use getEncryptedValue and again fromString. XStream serialization will work properly automatically. PR upon request.


Activity

rin_ne added a comment (edited):

Secret.fromString() raises NPE when given parameter is null or empty string.

Sorry, my bad. Test has no Jenkins instance.

rin_ne added a comment: PR: https://github.com/jenkinsci/gerrit-trigger-plugin/pull/157
SCM/JIRA link daemon added a comment:

Code changed in jenkins
User: rinrinne
Path:
src/main/java/com/sonyericsson/hudson/plugins/gerrit/trigger/config/Config.java
src/test/java/com/sonyericsson/hudson/plugins/gerrit/trigger/config/ConfigTest.java
http://jenkins-ci.org/commit/gerrit-trigger-plugin/7d6bcae8a93087d97cbfaece7099f8afdde7bf49
Log:
Store encrypted password

Currently the password for the SSH authentication file is stored as plain text.

This patch fixes it. Already stored passwords will be replaced by
encrypted ones once the config is saved.

Fix for JENKINS-23165

Jesse Glick added a comment:

As mentioned in the PR,

    should never be sent back to the browser in plaintext

does not seem to be satisfied.

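The pattern the description asks for, together with the browser round-trip point raised in the comment above, as an added Java example; this is not the gerrit-trigger-plugin's own Config class, and the class name ExampleSshConfig and its field names are hypothetical:

```java
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

/**
 * Hypothetical plugin configuration bean, added for illustration only;
 * it is not the gerrit-trigger-plugin's Config class.
 */
public class ExampleSshConfig {

    // BEFORE: a plain String field. XStream writes it verbatim into the
    // config XML, and the getter hands plaintext back to the config form.
    // Shown only to make the defect visible; do not use.
    public static class Insecure {
        private String keyFilePassword;
        public String getKeyFilePassword() { return keyFilePassword; }
        public void setKeyFilePassword(String p) { keyFilePassword = p; }
    }

    // AFTER: the field is a hudson.util.Secret, so XStream persists the
    // ciphertext produced with the Jenkins master key instead of the value.
    private Secret keyFilePassword;

    // With <f:password field="keyFilePassword"/> in the Jelly form, Stapler
    // binds the submitted value through this constructor. Secret.fromString
    // accepts either freshly typed plaintext or an already encrypted value
    // (the round-trip case) and treats null as the empty string. Encrypting
    // and decrypting need a running Jenkins for the master key, which is why
    // a plain unit test without a Jenkins instance fails here.
    @DataBoundConstructor
    public ExampleSshConfig(String keyFilePassword) {
        this.keyFilePassword = Secret.fromString(keyFilePassword);
    }

    // Getter used by the form: returns the encrypted form, so the browser
    // only ever sees ciphertext. Submitting it back unchanged is decrypted
    // to the same Secret by fromString in the constructor above.
    public String getKeyFilePassword() {
        return keyFilePassword.getEncryptedValue();
    }

    // Plaintext is recovered only at the point of use (opening the key file),
    // never when rendering configuration pages.
    public String getKeyFilePasswordPlainText() {
        return Secret.toString(keyFilePassword);
    }
}
```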
rin_ne added a comment: PR: https://github.com/jenkinsci/gerrit-trigger-plugin/pull/158
SCM/JIRA link daemon added a comment:

Code changed in jenkins
User: rinrinne
Path:
src/main/java/com/sonyericsson/hudson/plugins/gerrit/trigger/config/Config.java
src/main/java/com/sonyericsson/hudson/plugins/gerrit/trigger/config/IGerritHudsonTriggerConfig.java
src/main/resources/com/sonyericsson/hudson/plugins/gerrit/trigger/GerritServer/index.jelly
src/test/java/com/sonyericsson/hudson/plugins/gerrit/trigger/config/ConfigTest.java
src/test/java/com/sonyericsson/hudson/plugins/gerrit/trigger/mock/MockGerritHudsonTriggerConfig.java
http://jenkins-ci.org/commit/gerrit-trigger-plugin/d402536e48c300aa435c3f3e519e7754fc769ecf
Log:
Prevent sending plaintext password to browser

Fix for JENKINS-23165 and pull #157


People

Assignee: rsandell
Reporter: Jesse Glick (jglick)