Skip to content


Merge pull request #2 from jenkinsci-cert/SECURITY-163
Browse files Browse the repository at this point in the history
[SECURITY-163] Non-browser-based DownloadService
  • Loading branch information
jglick committed Jan 22, 2015
2 parents 16afb73 + 318627d commit 889b46c
Show file tree
Hide file tree
Showing 23 changed files with 13,183 additions and 77 deletions.
22 changes: 22 additions & 0 deletions core/src/main/java/hudson/
Original file line number Diff line number Diff line change
Expand Up @@ -108,7 +108,11 @@
import org.xml.sax.helpers.DefaultHandler;

import static hudson.init.InitMilestone.*;
import hudson.model.DownloadService;
import hudson.util.FormValidation;
import static java.util.logging.Level.WARNING;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;

* Manages {@link PluginWrapper}s.
Expand Down Expand Up @@ -775,6 +779,24 @@ public HttpResponse doUploadPlugin(StaplerRequest req) throws IOException, Servl

@RequirePOST public HttpResponse doCheckUpdatesServer() throws IOException {
for (UpdateSite site : Jenkins.getInstance().getUpdateCenter().getSites()) {
FormValidation v = site.updateDirectlyNow(DownloadService.signatureCheck);
if (v.kind != FormValidation.Kind.OK) {
// TODO crude but enough for now
return v;
for (DownloadService.Downloadable d : DownloadService.Downloadable.all()) {
FormValidation v = d.updateNow();
if (v.kind != FormValidation.Kind.OK) {
return v;
return HttpResponses.forwardToPreviousPage();

protected String identifyPluginShortName(File t) {
try {
JarFile j = new JarFile(t);
Expand Down
96 changes: 86 additions & 10 deletions core/src/main/java/hudson/model/
Original file line number Diff line number Diff line change
Expand Up @@ -26,20 +26,25 @@
import hudson.Extension;
import hudson.ExtensionList;
import hudson.ExtensionPoint;
import hudson.ProxyConfiguration;
import hudson.util.FormValidation;
import hudson.util.FormValidation.Kind;
import hudson.util.QuotedStringTokenizer;
import hudson.util.TextFile;
import jenkins.model.Jenkins;
import jenkins.util.JSONSignatureValidator;
import net.sf.json.JSONException;
import org.kohsuke.stapler.Stapler;

import java.util.logging.Logger;

import jenkins.model.DownloadSettings;
import jenkins.model.Jenkins;
import jenkins.util.JSONSignatureValidator;
import net.sf.json.JSONException;
import net.sf.json.JSONObject;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.kohsuke.stapler.Stapler;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;

Expand All @@ -62,6 +67,9 @@ public class DownloadService extends PageDecorator {
* Builds up an HTML fragment that starts all the download jobs.
public String generateFragment() {
if (!DownloadSettings.usePostBack()) {
return "";
if (neverUpdate) return "";
if (doesNotSupportPostMessage()) return "";

Expand Down Expand Up @@ -135,6 +143,58 @@ public Downloadable getById(String id) {
return null;

* Loads JSON from a JSONP URL.
* Metadata for downloadables and update centers is offered in two formats, both designed for download from the browser (predating {@link DownloadSettings}):
* HTML using {@code postMessage} for newer browsers, and JSONP as a fallback.
* Confusingly, the JSONP files are given the {@code *.json} file extension, when they are really JavaScript and should be {@code *.js}.
* This method extracts the JSON from a JSONP URL, since that is what we actually want when we download from the server.
* (Currently the true JSON is not published separately, and extracting from the {@code *.json.html} is more work.)
* @param src a URL to a JSONP file (typically including {@code id} and {@code version} query parameters)
* @return the embedded JSON text
* @throws IOException if either downloading or processing failed
public static String loadJSON(URL src) throws IOException {
InputStream is =;
try {
String jsonp = IOUtils.toString(is, "UTF-8");
int start = jsonp.indexOf('{');
int end = jsonp.lastIndexOf('}');
if (start >= 0 && end > start) {
return jsonp.substring(start, end + 1);
} else {
throw new IOException("Could not find JSON in " + src);
} finally {

* Loads JSON from a JSON-with-{@code postMessage} URL.
* @param src a URL to a JSON HTML file (typically including {@code id} and {@code version} query parameters)
* @return the embedded JSON text
* @throws IOException if either downloading or processing failed
public static String loadJSONHTML(URL src) throws IOException {
InputStream is =;
try {
String jsonp = IOUtils.toString(is, "UTF-8");
String preamble = "window.parent.postMessage(JSON.stringify(";
int start = jsonp.indexOf(preamble);
int end = jsonp.lastIndexOf("),'*');");
if (start >= 0 && end > start) {
return jsonp.substring(start + preamble.length(), end).trim();
} else {
throw new IOException("Could not find JSON in " + src);
} finally {

* Represents a periodically updated JSON data file obtained from a remote URL.
Expand Down Expand Up @@ -248,26 +308,39 @@ public JSONObject getData() throws IOException {
* This is where the browser sends us the data.
public void doPostBack(StaplerRequest req, StaplerResponse rsp) throws IOException {
long dataTimestamp = System.currentTimeMillis();
due = dataTimestamp+getInterval(); // success or fail, don't try too often

String json = IOUtils.toString(req.getInputStream(),"UTF-8");
FormValidation e = load(json, dataTimestamp);
if (e.kind != Kind.OK) {
throw e;
rsp.setContentType("text/plain"); // So browser won't try to parse response

private FormValidation load(String json, long dataTimestamp) throws IOException {
JSONObject o = JSONObject.fromObject(json);

if (signatureCheck) {
FormValidation e = new JSONSignatureValidator("downloadable '"+id+"'").verifySignature(o);
if (e.kind!= Kind.OK) {
throw e;
return e;

TextFile df = getDataFile();
df.file.setLastModified(dataTimestamp);"Obtained the updated data file for "+id);
return FormValidation.ok();

rsp.setContentType("text/plain"); // So browser won't try to parse response
public FormValidation updateNow() throws IOException {
return load(loadJSONHTML(new URL(getUrl() + ".html?id=" + URLEncoder.encode(getId(), "UTF-8") + "&version=" + URLEncoder.encode(Jenkins.VERSION, "UTF-8"))), System.currentTimeMillis());

Expand Down Expand Up @@ -296,7 +369,10 @@ public static Downloadable get(String id) {
public static boolean neverUpdate = Boolean.getBoolean(DownloadService.class.getName()+".never");

* Off by default until we know this is reasonably working.
* May be used to temporarily disable signature checking on {@link DownloadService} and {@link UpdateCenter}.
* Useful when upstream signatures are broken, such as due to expired certificates.
* Should only be used when {@link DownloadSettings#isUseBrowser};
* disabling signature checks for in-browser downloads is <em>very dangerous</em> as unprivileged users could submit spoofed metadata!
public static boolean signatureCheck = !Boolean.getBoolean(DownloadService.class.getName()+".noSignatureCheck");
Expand Down
2 changes: 1 addition & 1 deletion core/src/main/java/hudson/model/
Original file line number Diff line number Diff line change
Expand Up @@ -630,7 +630,7 @@ public List<Plugin> getUpdates() {
public List<FormValidation> updateAllSites() throws InterruptedException, ExecutionException {
List <Future<FormValidation>> futures = new ArrayList<Future<FormValidation>>();
for (UpdateSite site : getSites()) {
Future<FormValidation> future = site.updateDirectly(true);
Future<FormValidation> future = site.updateDirectly(DownloadService.signatureCheck);
if (future != null) {
Expand Down
71 changes: 28 additions & 43 deletions core/src/main/java/hudson/model/
Original file line number Diff line number Diff line change
Expand Up @@ -27,32 +27,18 @@

import hudson.PluginManager;
import hudson.PluginWrapper;
import hudson.ProxyConfiguration;
import hudson.lifecycle.Lifecycle;
import hudson.model.UpdateCenter.UpdateCenterJob;
import hudson.util.FormValidation;
import hudson.util.FormValidation.Kind;
import hudson.util.HttpResponses;
import hudson.util.TextFile;
import static hudson.util.TimeUnit2.*;
import hudson.util.VersionNumber;
import jenkins.model.Jenkins;
import jenkins.util.JSONSignatureValidator;
import net.sf.json.JSONException;
import net.sf.json.JSONObject;
import org.apache.commons.lang.StringUtils;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.export.Exported;
import org.kohsuke.stapler.export.ExportedBean;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.util.ArrayList;
Expand All @@ -66,10 +52,23 @@
import java.util.concurrent.Future;
import java.util.logging.Level;
import java.util.logging.Logger;

import static hudson.util.TimeUnit2.*;

import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import jenkins.model.Jenkins;
import jenkins.model.DownloadSettings;
import jenkins.util.JSONSignatureValidator;
import net.sf.json.JSONException;
import net.sf.json.JSONObject;
import org.apache.commons.lang.StringUtils;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.export.Exported;
import org.kohsuke.stapler.export.ExportedBean;
import org.kohsuke.stapler.interceptor.RequirePOST;

* Source of the update center information, like ""
Expand Down Expand Up @@ -154,42 +153,28 @@ public long getDataTimestamp() {
* @return null if no updates are necessary, or the future result
* @since 1.502
public Future<FormValidation> updateDirectly(final boolean signatureCheck) {
public @CheckForNull Future<FormValidation> updateDirectly(final boolean signatureCheck) {
if (! getDataFile().exists() || isDue()) {
return Jenkins.getInstance().getUpdateCenter().updateService.submit(new Callable<FormValidation>() {

public FormValidation call() throws Exception {
URL src = new URL(getUrl() + "?id=" + URLEncoder.encode(getId(),"UTF-8")
+ "&version="+URLEncoder.encode(Jenkins.VERSION, "UTF-8"));
URLConnection conn =;
InputStream is = conn.getInputStream();
try {
String uncleanJson = IOUtils.toString(is,"UTF-8");
int jsonStart = uncleanJson.indexOf("{\"");
if (jsonStart >= 0) {
uncleanJson = uncleanJson.substring(jsonStart);
int end = uncleanJson.lastIndexOf('}');
if (end>0)
uncleanJson = uncleanJson.substring(0,end+1);
return updateData(uncleanJson, signatureCheck);
} else {
throw new IOException("Could not find json in content of " +
"update center from url: "+src.toExternalForm());
} finally {
if (is != null)
@Override public FormValidation call() throws Exception {
return updateDirectlyNow(signatureCheck);
} else {
return null;

public @Nonnull FormValidation updateDirectlyNow(boolean signatureCheck) throws IOException {
return updateData(DownloadService.loadJSON(new URL(getUrl() + "?id=" + URLEncoder.encode(getId(), "UTF-8") + "&version=" + URLEncoder.encode(Jenkins.VERSION, "UTF-8"))), signatureCheck);

* This is the endpoint that receives the update center data file from the browser.
public FormValidation doPostBack(StaplerRequest req) throws IOException, GeneralSecurityException {
return updateData(IOUtils.toString(req.getInputStream(),"UTF-8"), true);

Expand Down
6 changes: 5 additions & 1 deletion core/src/main/java/hudson/util/
Original file line number Diff line number Diff line change
Expand Up @@ -239,9 +239,13 @@ private static FormValidation _errorWithMarkup(final String message, final Kind
return ok();
return new FormValidation(kind, message) {
public String renderHtml() {
StaplerRequest req = Stapler.getCurrentRequest();
if (req == null) { // being called from some other context
return message;
// 1x16 spacer needed for IE since it doesn't support min-height
return "<div class="+ +"><img src='"+
Stapler.getCurrentRequest().getContextPath()+ Jenkins.RESOURCE_PATH+"/images/none.gif' height=16 width=1>"+
req.getContextPath()+ Jenkins.RESOURCE_PATH+"/images/none.gif' height=16 width=1>"+
@Override public String toString() {
Expand Down

0 comments on commit 889b46c

Please sign in to comment.