JENKINS-45622

Jenkins-CLI web page URL is the same as for invoking the CLI

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Component/s: cli
    • Labels:
      None
    • Environment:
      version 2.60.1

      Description

      The informational web page for the Jenkins CLI is reached via the URL [jenkins server URL]/cli in a web browser. Any attempt to actually use the CLI goes through the same URL. This presents a serious problem in the following case:

      our organization provides authentication through a corporate servlet filter which must be enabled by adding a filter to web.xml:

      <!-- Insert corporateLevel Security Framework -->
      <filter>
        <filter-name>Corporate Security Filter</filter-name>
        <filter-class>com.whatever.cadi.filter.CadiFilter</filter-class>
        <init-param>
          <param-name>cadi_prop_files</param-name>
          <param-value>/home/jenkins/jenkins/data/war/WEB-INF/cadi.properties</param-value>
        </init-param>
        <init-param>
          <param-name>cadi_noauthn</param-name>
          <!-- <param-value>/git:/jnlpJars:/css:/cli</param-value> -->
          <param-value>/git:/jnlpJars:/css:</param-value>
        </init-param>
      </filter>
      <filter-mapping>
        <filter-name>Corporate Security Filter</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
      <!-- COPY END -->

      Originally, this filter came with instructions to use the commented-out line

       <!-- <param-value>/git:/jnlpJars:/css:/cli</param-value> -->

      But this provides a back door that allows non-authenticated users to access the web interface without going through the filter.

      Changing it as we did above to

       <param-value>/git:/jnlpJars:/css:</param-value>

       stops this access but causes the cli not to work - attempts to access it by command such as

      java -jar /path/to/jenkins-cli.jar -s http://[JENKINS_URL]/jenkins -http -auth @[HOME]/.jenkins-cli help

      as described on the Jenkins CLI Http Connection doc gets transformed into

      http://[JENKINS_URL]/jenkins/cli?remoting=false

      and gives a 401 error.

      Is there any reason WHY the URL accessing the cli itself has to be the same as the URL for accessing the information page about the CLI?  If the latter was accessible via a URL such as

      http://[JENKINS_URL]/jenkins/cli-info

      then the two cases could be differentiated and a filter such as described above could work correctly in both cases - preventing access to the info page just like the rest of the UI without authentication, but allowing actual command line access with the -auth mechanism.
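      As an added example (not part of this issue, of Jenkins, or of the corporate CADI filter), one way to keep /cli out of cadi_noauthn and still let jenkins-cli.jar through: a hypothetical wrapper filter registered in place of the corporate one, which bypasses the corporate challenge only for requests shaped like the HTTP-mode CLI call shown above (path /cli, query remoting=false) that also carry an Authorization header. It assumes the -auth option sends HTTP Basic credentials that Jenkins validates itself; the class name CadiFilter is taken from the web.xml above, everything else is assumed.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Hypothetical wrapper: replaces com.whatever.cadi.filter.CadiFilter in
 * <filter-class> and delegates to it. With /cli absent from cadi_noauthn, a
 * browser GET of the CLI info page still meets the corporate challenge; only a
 * CLI-shaped request skips it and is left to Jenkins' own -auth check.
 */
public class CliAwareSecurityFilter implements Filter {
    private final Filter corporate = new com.whatever.cadi.filter.CadiFilter();

    @Override
    public void init(FilterConfig config) throws ServletException {
        corporate.init(config); // cadi_prop_files / cadi_noauthn are passed on unchanged
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && isCliCall((HttpServletRequest) req)) {
            chain.doFilter(req, resp);           // Jenkins validates the Basic credentials
        } else {
            corporate.doFilter(req, resp, chain); // everything else: corporate authentication
        }
    }

    /** CLI shape: exactly /cli, remoting=false in the query, and Basic credentials present. */
    static boolean isCliCall(HttpServletRequest req) {
        String path = req.getRequestURI().substring(req.getContextPath().length());
        if (!path.equals("/cli")) {
            return false;
        }
        String query = req.getQueryString();
        boolean cliQuery = query != null
                && Arrays.asList(query.split("&")).contains("remoting=false");
        String auth = req.getHeader("Authorization");
        return cliQuery && auth != null && auth.startsWith("Basic ");
    }

    @Override
    public void destroy() {
        corporate.destroy();
    }
}
```

      Any client that sends that header and query string reaches Jenkins too, so this narrows the exemption rather than replacing Jenkins' own authentication; it only helps if Jenkins is configured to refuse anonymous access to /cli.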

          Activity

          sc1478 Steve Cohen added a comment -

          Substantially worked around problem by using the SSH facility for the CLI rather than the -http facility.  However, I still think it's poor practice to have the URL that shows an informational page about CLI use the same URL as that invoked by the command line interface.

          danielbeck Daniel Beck added a comment -

          "serious problem"

          It's not clear why this is needed; what exactly is the danger of showing some documentation directly from Jenkins sources? It's not like this is going to be unique to your instance.

          Anyway, this works as intended, so considering this request an improvement.

          sc1478 Steve Cohen added a comment -

          The problem I still see consists in this:

          Jenkins documentation recommends (sorry, I can't find the link but maybe you know it) that cli not be subject to security, so the cli will work.  That is the reason why it was included in the filter above.  If this is done, the same URL is used for looking at the information page, and authentication challenge does not occur.  Once in, the user seems to be able to get to other pages, which, had he attempted to access them directly, would have prompted the authentication challenge.  This is the problem.  My immediate problem was solved by only using SSH and NOT allowing cli requests to proceed unauthenticated, but it is a security hole in my opinion.


            People

            • Assignee: Unassigned
            • Reporter: sc1478 Steve Cohen
            • Votes: 0
            • Watchers: 2