[SECURITY-2982] fix session fixation vulnerability
mallowlabs committed Dec 25, 2022
1 parent a927a8f commit b73ac28
Showing 1 changed file with 20 additions and 2 deletions.
22 changes: 20 additions & 2 deletions src/main/java/org/jenkinsci/plugins/BitbucketSecurityRealm.java
Expand Up @@ -4,6 +4,8 @@
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.http.HttpSession;

import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationManager;
Expand Down Expand Up @@ -147,11 +149,20 @@ public HttpResponse doFinishLogin(StaplerRequest request) throws IOException {
return HttpResponses.redirectToContextRoot();
}

if (state == null || !StringUtils.equals(state, (String) request.getSession().getAttribute(STATE_ATTRIBUTE))) {
if (state == null || !StringUtils.equals(state, getSessionAttribute(request, STATE_ATTRIBUTE))) {
LOGGER.log(Level.SEVERE, "doFinishLogin() invalid state parameter");
return HttpResponses.redirectToContextRoot();
}

String referer = getSessionAttribute(request, REFERER_ATTRIBUTE);

// avoid session fixation vulnerability
HttpSession session = request.getSession(false);
if (session != null) {
session.invalidate();
}
request.getSession(true);

String rawClientSecret = getSecretClientSecret().getPlainText();

Token accessToken = new BitbucketApiService(clientID, rawClientSecret).getTokenByAuthorizationCode(code, null);
Expand All @@ -175,7 +186,6 @@ public HttpResponse doFinishLogin(StaplerRequest request) throws IOException {
}

// redirect to referer
String referer = (String) request.getSession().getAttribute(REFERER_ATTRIBUTE);
if (referer != null) {
return HttpResponses.redirectTo(referer);
} else {
Expand Down Expand Up @@ -237,6 +247,14 @@ public String getLoginUrl() {
return "securityRealm/commenceLogin";
}

private String getSessionAttribute(StaplerRequest request, String attributeName) {
HttpSession session = request.getSession(false);
if (session == null) {
return null;
}
return (String) session.getAttribute(attributeName);
}

public static final class ConverterImpl implements Converter {

public boolean canConvert(Class type) {
