Jenkins / JENKINS-42556

PlaceholderTask.runForDisplay vulnerable to AccessDeniedException

      Description

      Resuming build at ... after Jenkins restart
      [Pipeline] End of Pipeline
      java.io.IOException: Failed to load build state
      	at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution$3.onSuccess(CpsFlowExecution.java:610)
      	at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution$3.onSuccess(CpsFlowExecution.java:608)
      	at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution$4$1.run(CpsFlowExecution.java:651)
      	at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$1.run(CpsVmExecutorService.java:35)
      	at ...
      Caused by: org.acegisecurity.AccessDeniedException: Please login to access job ...
      	at jenkins.model.Jenkins.getItem(Jenkins.java:2724)
      	at jenkins.model.Jenkins.getItem(Jenkins.java:324)
      	at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830)
      	at hudson.model.Run.fromExternalizableId(Run.java:2314)
      	at org.jenkinsci.plugins.workflow.support.steps.ExecutorStepExecution$PlaceholderTask.runForDisplay(ExecutorStepExecution.java:385)
      	at org.jenkinsci.plugins.workflow.support.steps.ExecutorStepExecution$PlaceholderTask.getDisplayName(ExecutorStepExecution.java:398)
      	at org.jenkinsci.plugins.workflow.support.steps.ExecutorStepExecution$PlaceholderTask.getFullDisplayName(ExecutorStepExecution.java:407)
      	at org.jenkinsci.plugins.workflow.support.pickles.ExecutorPickle$1.printWaitingMessage(ExecutorPickle.java:116)
      	at org.jenkinsci.plugins.workflow.support.pickles.TryRepeatedly$1.run(TryRepeatedly.java:95)
      	at ...
      

      Presumably there is no anonymous read access, and the Timer thread used by TryRepeatedly neglected to impersonate SYSTEM.

            Activity

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            core/src/main/java/jenkins/security/ImpersonatingExecutorService.java
            core/src/main/java/jenkins/security/ImpersonatingScheduledExecutorService.java
            core/src/main/java/jenkins/util/InterceptingScheduledExecutorService.java
            http://jenkins-ci.org/commit/jenkins/98bb78ff1891bb85471a089977066c4b4a11b261
            Log:
            JENKINS-42556 Updating since tags for #2792.

            danielbeck Daniel Beck added a comment -

            Jesse Glick Is this a useful LTS candidate?

            jglick Jesse Glick added a comment -

            Well…it is relatively risky, and this particular bug symptom has an independent workaround, so I am not sure I would recommend it for backport.

            danielbeck Daniel Beck added a comment -

            Not an LTS candidate then.

            jglick Jesse Glick added a comment -

            Found another effect of this. On 2.46.x (prior to this fix), a Pipeline virtual thread dump like /job/…/…/threadDump/ will show, e.g.,

            Thread #…
            	at DSL.node(node block appears to be neither running nor scheduled)
            	at WorkflowScript.run(WorkflowScript:…)
            

            when there is a node block waiting in queue but the system has no anonymous read access. This is because ExecutorStepExecution.getStatus checks Queue.getItems, which as of SECURITY-186 is a permission-controlled call, which would in fact work if called under the authentication of the user looking at the thread dump (who presumably has READ on that job); yet StepExecution.getStatusBounded runs inside Timer, thus as anonymous.
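
The failure mode discussed in this issue, as a self-contained Java model added here (not code from Jenkins or from the linked commit): a permission-controlled lookup works on the authenticated caller's thread, fails when handed to a shared pool thread that carries no identity, and works again when the pool is wrapped so each task runs under a fixed identity. All names in the block are hypothetical; the `ThreadLocal` stands in for the per-thread security context and `impersonating` for the kind of wrapper an impersonating executor service provides.

```java
import java.util.List;
import java.util.concurrent.*;

public class ImpersonationModel {
    // Stand-in for the per-thread security context; null models "anonymous".
    static final ThreadLocal<String> AUTH = new ThreadLocal<>();

    // Stand-in for a permission-controlled lookup with no anonymous read access.
    static String getItem(String name) {
        if (AUTH.get() == null) throw new SecurityException("Please login to access job " + name);
        return name + " (read as " + AUTH.get() + ")";
    }

    // Runs every task under `identity`, then restores the thread's previous context.
    static ExecutorService impersonating(ExecutorService base, String identity) {
        return new AbstractExecutorService() {
            @Override public void execute(Runnable task) {
                base.execute(() -> {
                    String previous = AUTH.get();
                    AUTH.set(identity);
                    try { task.run(); } finally { AUTH.set(previous); } // pool threads are reused
                });
            }
            @Override public void shutdown() { base.shutdown(); }
            @Override public List<Runnable> shutdownNow() { return base.shutdownNow(); }
            @Override public boolean isShutdown() { return base.isShutdown(); }
            @Override public boolean isTerminated() { return base.isTerminated(); }
            @Override public boolean awaitTermination(long t, TimeUnit u) throws InterruptedException {
                return base.awaitTermination(t, u);
            }
        };
    }

    static String lookupOn(ExecutorService executor) throws InterruptedException {
        Callable<String> lookup = () -> getItem("folder/job"); // constructed job name
        try { return executor.submit(lookup).get(); }
        catch (ExecutionException e) { return "denied: " + e.getCause().getMessage(); }
    }

    public static void main(String[] args) throws Exception {
        ExecutorService timer = Executors.newSingleThreadExecutor(); // models the shared Timer pool
        AUTH.set("alice"); // the caller is authenticated, but pool threads do not inherit that
        System.out.println("caller thread: " + getItem("folder/job"));
        System.out.println("bare timer:    " + lookupOn(timer));
        System.out.println("impersonating: " + lookupOn(impersonating(timer, "SYSTEM")));
        System.out.println("bare timer:    " + lookupOn(timer)); // context was restored
        timer.shutdown();
    }
}
```

The `finally` that restores the previous context matters as much as the impersonation itself: without it, a reused pool thread would keep the elevated identity for whatever unrelated task runs next.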


              People

              • Assignee:
                jglick Jesse Glick
                Reporter:
                jglick Jesse Glick