Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-35967

Hardening: Jenkins should not allow creating users like " system " or "anonymous "

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Resolved (View Workflow)
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: core
    • Labels:
      None
    • Similar Issues:

      Description

      Got into case during the fix of JENKINS-33600. I do not see any exploits in the code, but seems SECURITY-166 by Ryan Campbell was not enough aggressive in String checking.

      This code allows non-trimmed restricted usernames, hence I was able to create the " anonymous " account with "Anonymous " full name. The same can be done for SYSTEM as well. UIs do not present such trailing spaces, hence UI looks to be "fine"

      I have not obvious exploits in the code, but this logic gap may be a security issue if a plugin does not work with user IDs with spaces.

      Is it a security issue or should we handle it as a common bug?

        Attachments

          Issue Links

            Activity

            Hide
            danielbeck Daniel Beck added a comment -

            It's not clear to me how this would be exploitable to result in a loss of confidentiality, integrity, or availability.

            Basically, it looks like https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N

            It confuses users, and that's about it.

            Show
            danielbeck Daniel Beck added a comment - It's not clear to me how this would be exploitable to result in a loss of confidentiality, integrity, or availability. Basically, it looks like https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N It confuses users, and that's about it.
            Hide
            oleg_nenashev Oleg Nenashev added a comment -

            "Yes" if all plugins handle spaces correctly (Inclusing security realms, etc.).
            For me NO_ISSUE is fine, so I'm ready convert it to a common issue

            Show
            oleg_nenashev Oleg Nenashev added a comment - "Yes" if all plugins handle spaces correctly (Inclusing security realms, etc.). For me NO_ISSUE is fine, so I'm ready convert it to a common issue
            Hide
            danielbeck Daniel Beck added a comment -

            I can understand the problem with people doing a String#equals and that resulting in problems for real names (e.g. "SYSTEM"), but to also include trimming? Possibly equalsIgnoreCase?

            Does anyone else see a potential vulnerability here?

            Show
            danielbeck Daniel Beck added a comment - I can understand the problem with people doing a String#equals and that resulting in problems for real names (e.g. "SYSTEM"), but to also include trimming? Possibly equalsIgnoreCase? Does anyone else see a potential vulnerability here?
            Hide
            jglick Jesse Glick added a comment -

            Not that I can see.

            Show
            jglick Jesse Glick added a comment - Not that I can see.
            Hide
            oleg_nenashev Oleg Nenashev added a comment -

            Moving to JENKINS then

            Show
            oleg_nenashev Oleg Nenashev added a comment - Moving to JENKINS then
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Oleg Nenashev
            Path:
            core/src/main/java/hudson/model/User.java
            core/src/test/java/hudson/model/UserTest.java
            http://jenkins-ci.org/commit/jenkins/7d886ce9fbcb04b627aed34be8f6382f42cf788c
            Log:
            [FIXED JENKINS-35967] - Make User#isIdOrFullnameAllowed() more robust against restricted usernames (#2413)

            This change hardens username verification in user creation commands. See the issue to get rexamples.

            https://issues.jenkins-ci.org/browse/JENKINS-35967

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Oleg Nenashev Path: core/src/main/java/hudson/model/User.java core/src/test/java/hudson/model/UserTest.java http://jenkins-ci.org/commit/jenkins/7d886ce9fbcb04b627aed34be8f6382f42cf788c Log: [FIXED JENKINS-35967] - Make User#isIdOrFullnameAllowed() more robust against restricted usernames (#2413) This change hardens username verification in user creation commands. See the issue to get rexamples. https://issues.jenkins-ci.org/browse/JENKINS-35967
            Hide
            oleg_nenashev Oleg Nenashev added a comment -

            Released in 2.26

            Show
            oleg_nenashev Oleg Nenashev added a comment - Released in 2.26

              People

              • Assignee:
                oleg_nenashev Oleg Nenashev
                Reporter:
                oleg_nenashev Oleg Nenashev
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: