Skip to content

Commit

Permalink
[JENKINS-73422] Add escape hatch for Authenticated user access to Res…
Browse files Browse the repository at this point in the history
…ource URL (jenkinsci#9644)

Co-authored-by: Daniel Beck <[email protected]>
(cherry picked from commit 5fe9a44)
  • Loading branch information
Dohbedoh authored and krisstern committed Sep 16, 2024
1 parent 71321fa commit 8fdfb98
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 2 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -117,7 +117,7 @@ public Object getDynamic(String id, StaplerRequest req, StaplerResponse rsp) thr
return null;
}

if (!ACL.isAnonymous2(Jenkins.getAuthentication2())) {
if (!ALLOW_AUTHENTICATED_USER && !ACL.isAnonymous2(Jenkins.getAuthentication2())) {
rsp.sendError(400);
return null;
}
Expand Down Expand Up @@ -327,4 +327,8 @@ private static Token decode(String value) {
// Not @Restricted because the entire class is
@SuppressFBWarnings(value = "MS_SHOULD_BE_FINAL", justification = "for script console")
public static /* not final for Groovy */ int VALID_FOR_MINUTES = SystemProperties.getInteger(ResourceDomainRootAction.class.getName() + ".validForMinutes", 30);

/* Escape hatch for a security hardening preventing one of the known ways to elevate arbitrary file read to RCE */
@SuppressFBWarnings(value = "MS_SHOULD_BE_FINAL", justification = "for script console")
public static /* not final for Groovy */ boolean ALLOW_AUTHENTICATED_USER = SystemProperties.getBoolean(ResourceDomainRootAction.class.getName() + ".allowAuthenticatedUser", false);
}
10 changes: 9 additions & 1 deletion test/src/test/java/jenkins/security/ResourceDomainTest.java
Original file line number Diff line number Diff line change
Expand Up @@ -399,7 +399,7 @@ public HttpResponse doDynamic() throws Exception {
}

@Test
public void authenticatedCannotAccessResourceDomain() throws Exception {
public void authenticatedCannotAccessResourceDomainUnlessAllowedBySystemProperty() throws Exception {
j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
final MockAuthorizationStrategy authorizationStrategy = new MockAuthorizationStrategy();
authorizationStrategy.grant(Jenkins.ADMINISTER).everywhere().to("admin").grant(Jenkins.READ).everywhere().toEveryone();
Expand All @@ -416,5 +416,13 @@ public void authenticatedCannotAccessResourceDomain() throws Exception {
try (JenkinsRule.WebClient wc = j.createWebClient().withBasicCredentials("admin")) {
assertThat(assertThrows(FailingHttpStatusCodeException.class, () -> wc.getPage(new URL(resourceUrl))).getStatusCode(), is(400));
}

ResourceDomainRootAction.ALLOW_AUTHENTICATED_USER = true;
try (JenkinsRule.WebClient wc = j.createWebClient().withBasicApiToken("admin")) {
assertThat(wc.getPage(new URL(resourceUrl)).getWebResponse().getStatusCode(), is(200));
}
try (JenkinsRule.WebClient wc = j.createWebClient().withBasicCredentials("admin")) {
assertThat(wc.getPage(new URL(resourceUrl)).getWebResponse().getStatusCode(), is(200));
}
}
}

0 comments on commit 8fdfb98

Please sign in to comment.