Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-50765

Harden support-core against XXE attacks


    • Similar Issues:


      There are currently three support bundle components that use SecretHandler#findSecrets, which uses a standard XML transformer that does not protect against XXE attacks: ConfigFileComponent, AgentsConfigFile, and OtherConfigFilesComponent.

      ConfigFileComponent and AgentsConfigFile process files controlled by Jenkins core, and there is no way for a non-admin to modify the contents of the files they process except through XStream, which prevents XXE attacks.

      OtherConfigFilesComponent includes all files in $JENKINS_HOME that end with .xml except for credentials.xml and config.xml. If a plugin allows non-admin users to directly change the contents of a file (not using XStream) that ends with .xml in $JENKINS_HOME then that would allow an attacker to store an XXE attack for later execution when an admin generates a bundle that includes the OtherConfigFilesComponent.

      Any plugin that gives non-admin users unrestricted access to a file in Jenkins home is likely a problem by itself, and only admins can install plugins, so I don't consider this to be a problem in practice. Even so, it is easy enough to harden the plugin against this type of issue just in case.




            • Assignee:
              dnusbaum Devin Nusbaum
              dnusbaum Devin Nusbaum
            • Votes:
              0 Vote for this issue
              2 Start watching this issue


              • Created: