Details

      Description

      The current implementation does not support the `state` parameter in the OAuth2 authorization request it sends to the GitHub AS when attempting to authorize the plugin for a user. As such, it is vulnerable to CSRF attacks against the redirect URI as described in [1].

      The `state` parameter is supported by the GitHub API [2], so support could be added to the github-oauth-plugin as well.

      [1] https://tools.ietf.org/html/rfc6819#section-4.4.1.8
      [2] https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/#web-application-flow
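The following is an added example, not code from this issue or from the github-oauth-plugin, showing the defect the report describes and the mitigation RFC 6819 section 4.4.1.8 asks for: an authorization URL built without `state`, next to a hardened pair of functions that mint an unguessable `state`, bind it to the user's session, and refuse any callback whose `state` does not match (constant-time comparison, single use). The client id, redirect URI, callback path and the `demo()` walk-through values are constructed placeholders; the session is a plain dict standing in for whatever server-side session store a real web application uses.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in values; a real deployment reads these from configuration.
GITHUB_AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://jenkins.example/securityRealm/finishLogin"  # hypothetical callback


def build_authorize_url_without_state(client_id, redirect_uri):
    """Weak form: no `state`, so the callback handler cannot tell which browser
    session started the flow. This is the gap the issue describes."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "scope": "read:user"}
    return f"{GITHUB_AUTHORIZE_URL}?{urlencode(params)}"


def start_authorization(session, client_id, redirect_uri):
    """Hardened form: mint an unguessable `state`, bind it to the caller's
    session, and include it in the authorization request."""
    state = secrets.token_urlsafe(32)  # 256 bits, URL-safe alphabet
    session["oauth_state"] = state
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "read:user",
        "state": state,
    }
    return f"{GITHUB_AUTHORIZE_URL}?{urlencode(params)}"


def finish_authorization(session, callback_url):
    """Validate the callback: the `state` echoed back must equal the one stored
    in this session. The stored value is consumed on every attempt (single use)
    and compared in constant time. Returns the authorization code, or raises."""
    query = parse_qs(urlparse(callback_url).query)
    returned_state = query.get("state", [""])[0]
    expected = session.pop("oauth_state", None)
    if not expected or not hmac.compare_digest(expected.encode(), returned_state.encode()):
        raise PermissionError("OAuth state mismatch: rejecting callback")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def _accepted(session, callback_url):
    """True if the hardened handler accepts the callback, False if it rejects it."""
    try:
        finish_authorization(session, callback_url)
        return True
    except (PermissionError, ValueError):
        return False


def demo():
    """Run a legitimate callback, a replay of it, and two callbacks that do not
    belong to the session through the hardened handler. Returns which were accepted."""
    victim = {}
    start_authorization(victim, CLIENT_ID, REDIRECT_URI)
    good_state = victim["oauth_state"]
    results = {}
    # Constructed callback URLs; the `code` values are placeholders, not real codes.
    results["legitimate"] = _accepted(victim, f"{REDIRECT_URI}?code=code-for-victim&state={good_state}")
    results["replay"] = _accepted(victim, f"{REDIRECT_URI}?code=code-for-victim&state={good_state}")
    fresh = {}
    start_authorization(fresh, CLIENT_ID, REDIRECT_URI)
    # A callback this session did not start carries a `state` it cannot know, or none at all.
    results["foreign_state"] = _accepted(fresh, f"{REDIRECT_URI}?code=code-from-elsewhere&state=not-this-sessions-state")
    results["missing_state"] = _accepted(fresh, f"{REDIRECT_URI}?code=code-from-elsewhere")
    return results


if __name__ == "__main__":
    print(demo())
```

Two design choices worth noting: the stored `state` is popped on every callback attempt, not only on success, so a mismatched guess also invalidates the pending flow rather than leaving it open for further attempts; and the comparison goes through `hmac.compare_digest` on bytes so that a non-ASCII `state` from the query string is rejected rather than raising a `TypeError` inside the handler.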

          Activity

          ikakavas Ioannis Kakavas added a comment - I opened https://github.com/jenkinsci/github-oauth-plugin/pull/107 to resolve this issue.
          sag47 Sam Gleske added a comment -

          Resolving as fixed in 0.33 (originally attempted rolling out 0.32 but it had critical authorization bugs).

          In the future, please do not disclose security vulnerabilities like this in the public issue tracker. Responsibly disclose by following https://jenkins.io/security/

          sag47 Sam Gleske added a comment - edited

          Thanks for the fix.


            People

            • Assignee:
              sag47 Sam Gleske
              Reporter:
              ikakavas Ioannis Kakavas
            • Votes:
              0
              Watchers:
              2

              Dates

              • Created:
                Updated:
                Resolved: