Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-50765

Harden support-core against XXE attacks

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      There are currently three support bundle components that use SecretHandler#findSecrets, which uses a standard XML transformer that does not protect against XXE attacks: ConfigFileComponent, AgentsConfigFile, and OtherConfigFilesComponent.

      ConfigFileComponent and AgentsConfigFile process files controlled by Jenkins core, and there is no way for a non-admin to modify the contents of the files they process except through XStream, which prevents XXE attacks.

      OtherConfigFilesComponent includes all files in $JENKINS_HOME that end with .xml except for credentials.xml and config.xml. If a plugin allows non-admin users to directly change the contents of a file (not using XStream) that ends with .xml in $JENKINS_HOME then that would allow an attacker to store an XXE attack for later execution when an admin generates a bundle that includes the OtherConfigFilesComponent.

      Any plugin that gives non-admin users unrestricted access to a file in Jenkins home is likely a problem by itself, and only admins can install plugins, so I don't consider this to be a problem in practice. Even so, it is easy enough to harden the plugin against this type of issue just in case.

        Attachments

          Activity

          dnusbaum Devin Nusbaum created issue -
          dnusbaum Devin Nusbaum made changes -
          Field Original Value New Value
          Status Open [ 1 ] In Progress [ 3 ]
          dnusbaum Devin Nusbaum made changes -
          Status In Progress [ 3 ] In Review [ 10005 ]
          dnusbaum Devin Nusbaum made changes -
          Link This issue is duplicated by SECURITY-448 [ SECURITY-448 ]
          dnusbaum Devin Nusbaum made changes -
          Remote Link This issue links to "jenkinsci/support-core-plugin#141 (Web Link)" [ 20413 ]
          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Devin Nusbaum
          Path:
          src/main/java/com/cloudbees/jenkins/support/configfiles/SecretHandler.java
          src/test/java/com/cloudbees/jenkins/support/configfiles/SecretHandlerTest.java
          http://jenkins-ci.org/commit/support-core-plugin/59261ba0355b403f42e6a8f205f87a6d5758d3d9
          Log:
          Merge pull request #141 from dwnusbaum/harden-against-xxe

          JENKINS-50765 Defend SecretHandler from XXE attacks

          Compare: https://github.com/jenkinsci/support-core-plugin/compare/132c99f32b29...59261ba0355b

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Devin Nusbaum Path: src/main/java/com/cloudbees/jenkins/support/configfiles/SecretHandler.java src/test/java/com/cloudbees/jenkins/support/configfiles/SecretHandlerTest.java http://jenkins-ci.org/commit/support-core-plugin/59261ba0355b403f42e6a8f205f87a6d5758d3d9 Log: Merge pull request #141 from dwnusbaum/harden-against-xxe JENKINS-50765 Defend SecretHandler from XXE attacks Compare: https://github.com/jenkinsci/support-core-plugin/compare/132c99f32b29...59261ba0355b
          Hide
          dnusbaum Devin Nusbaum added a comment -

          Released in 2.47. See the changelog.

          Show
          dnusbaum Devin Nusbaum added a comment - Released in 2.47. See the changelog .
          dnusbaum Devin Nusbaum made changes -
          Status In Review [ 10005 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          jamesdumay James Dumay made changes -
          Remote Link This issue links to "CloudBees Internal OSS-2691 (Web Link)" [ 20534 ]

            People

            • Assignee:
              dnusbaum Devin Nusbaum
              Reporter:
              dnusbaum Devin Nusbaum
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: