JENKINS-28298

Can bypass the security check of authorize-project with CLI and REST of Jenkins 1.580.1

      Description

      When running tests of authorize-project with Jenkins 1.580.1, tests failed as follows:

      SpecificUsersAuthorizationStrategyTest.testCliFailure:689 Values should be different. Actual: 0
      SpecificUsersAuthorizationStrategyTest.testRestInterfaceFailure:525 null
      

      This might mean you can bypass the security checks of authorize-project.

            Activity

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            pom.xml
            src/test/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest.java
            http://jenkins-ci.org/commit/authorize-project-plugin/fa7ca0de7585a2334f52e72489a3e509f656eef1
            Log:
            JENKINS-28298 Targets Jenkins-1.625.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            src/test/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest.java
            http://jenkins-ci.org/commit/authorize-project-plugin/ad44c7fb40382d3be87322d4facb4f981e5d4e0f
            Log:
            JENKINS-28298 Made `ProjectQueueItemAuthenticatorTest#testWorkflow` to work with strategyEnableMap.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectProperty.java
            http://jenkins-ci.org/commit/authorize-project-plugin/084778c790a055c1643252d4e1a48db04c63f143
            Log:
            [FIXED JENKINS-28298] Call `XStream2#addCriticalField` to reject unauthenticated configurations.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            pom.xml
            src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectProperty.java
            src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectStrategy.java
            src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectStrategyDescriptor.java
            src/main/java/org/jenkinsci/plugins/authorizeproject/AuthorizeProjectUtil.java
            src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy.java
            src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SystemAuthorizationStrategy.java
            src/test/java/org/jenkinsci/plugins/authorizeproject/ProjectQueueItemAuthenticatorTest.java
            http://jenkins-ci.org/commit/authorize-project-plugin/5bcf6ca30231ee09970f6b7b1a1eedefce126bb4
            Log:
            Merge pull request #21 from ikedam/feature/JENKINS-28298_addCriticalField

            JENKINS-28298 Reject unauthenticated configurations via REST / CLI

            Compare: https://github.com/jenkinsci/authorize-project-plugin/compare/acf51252b1b0...5bcf6ca30231

            ikedam ikedam added a comment -

            Fixed in authorize-project-1.2.0.
            It will be available in the update center in a day.


              People

              • Assignee: ikedam ikedam
              • Reporter: ikedam ikedam