[SECURITY-3033] Submit POST requests as needed #155
Conversation
|
Maintainers are gone, eh? what should we do then? Do you need more manual testing? |
|
Last PR that was merged has this comment CC @GLundh |
|
Note that in jenkins-infra/update-center2@fcb1ae7#r121610706 the maintainer informed us they have no time to maintain the plugin anymore. As a user, you could download and install the CI build ("incremental") to address the issue (note that the warning shown on the UI needs to be dismissed manually). As a Java developer, consider becoming a maintainer of this plugin. I am not a maintainer of this plugin, nor do I want to become one. |
|
Downloaded and installed the "incremental" build as Daniel suggested, works fine in production, thank you. |
|
We've also been using this for a while now (thank you @daniel-beck for the SECURITY-3033 fix!!), and I think the new AbstractRebuildAction action.jelly introduces a minor bug that isn't present in rebuilder 320.v5a_0933a_e7d61. The RebuildAction works great if clicked from the same pane as the AbstractBuild, but it gets the URL wrong if clicked from within a different action, such as hudson.model.ParametersAction. For example, if I have a completed parameterized build I'm not very familiar with modern Jenkins code, so it's not clear to me whether this is a problem with the href provided by the RebuildAction, or if that is the expected behavior when the jelly for one action gets rendered by a different one (as in the |
|
Oversight when I wrote the custom |
src/test/java/com/sonyericsson/rebuild/RebuildValidatorTest.java
Outdated
Show resolved
Hide resolved
|
do we want to link https://issues.jenkins.io/browse/JENKINS-71932 and assign to you @daniel-beck ? |
|
I'm not sure filing an issue for an open PR makes sense. Who's the audience of that? As I wrote further up, I'm not interested in maintaining this plugin, so this PR should be considered unsupported, and I'm certainly not keeping an eye on newly reported issues; and any maintainers aren't responsible for my mistakes (at least until they merge them). |
just thinking... I created https://issues.jenkins.io/browse/JENKINS-71932 not realizing it was related to this change -- and now it's fixed so just wondering best way to mark https://issues.jenkins.io/browse/JENKINS-71932 resolved? |
|
@GLundh Could you please take a look at this PR? I know it's rude to ask someone to maintain an open source PR, I am very sorry. But this PR is really very important, as it blocks all further upgrade and keeps warn about security issue. If this PR could be approved and merged into master, it will solve many issues. |
Can someone please review this PR... |
|
LGTM. |
|
Now we need to push out a new release.. |
|
Hi guys, huge thanks for this awesome work ! @GLundh do you know when a new release will be available so the plugin can get rid of its CSRF vulnerability tag ? |
|
Not sure how automated releases work. I did not carry out the last release: #136 |
|
I'm afraid I'm not really familiar with the automated release system either.. @timja could you enlighten us with your knowledge on what to do to create a release ? Thanks a lot |
|
Seems that there should be label on PR, from interesting categories |
|
Apparently, the current version of the plugin is still being listed as being affected by the issue fixed in this PR |
The warning comes from https://github.com/jenkins-infra/update-center2/blob/ed6bf6344f5b172864b4cceea788fc169bdb12f8/resources/warnings.json#L16396-L16408 To remove it, a pull request like https://github.com/jenkins-infra/update-center2/pulls?q=is%3Apr+%22remove+warning%22 has to be opened, approved and merged. |
|
I created the pull request |
|
Hi folks, I opened #158 that adds a null check after getting a NPE when upgrading to this version. In our case we needed to pin the plugin back to v320 to move forward. |
This is an attempt to resolve SECURITY-3033.
It's a lot more complex than the usual solution of adding
@POSTor@RequirePOSTto a web method and calling it a day.First, the sidebar link directly intiates the action, so this needed a
task.jellyfor that that sets the<l:task post="true"/>attribute.The next problem is that
RebuildAction#doIndexdoes everything (meaning, triggering a build or redirecting to the form to set parameters), depending on the configuration. Adding@RequirePOSTor@POSTwould secure the part that triggers a build, but<l:task post="true" …>doesn't redirect to theLocationreturned from the response, so if a form needs to be filled, that would never happen ifpost="true"is set unconditionally.Additionally,
#getUrlNamecannot end in a slash, but an<l:task href="${action.urlName}" post="true" … />doesn't work, as the Stapler-internal forward from…/rebuildto…/rebuild/loses the HTTP POST method. So introduce#getTaskUrland link there instead.So the
task.jellyneeded a way to determine whether to send a POST request or not, beforehand. This was straightforward enough for the regularRebuildAction(for builds), but the job-scopedRebuildLastCompletedBuildActioncould not call intoRebuildActionafter looking it up on the build, since everything was operating on Stapler ancestors -- and there's no build ancestor when on the project page.So, some cleanup:
RebuildActionis no longer a superclass ofRebuildLastCompletedBuildAction, both now share the common ancestorAbstractRebuildAction, which provides the newtask.jellyshared between the two. MakeRebuildActionaRunAction2(for backwards compatibility whenRebuildActionwas persisted with builds, newly removed here) and provide theRunto it. Remove all code fromRebuildersince everything is transient now; instead haveRebuildActionFactory(no longer aTransientBuildActionFactory) check whether a persisted action already exists before attaching a transient one.This PR also deletes a bunch of code that appears long obsolete. I urge maintainers tempted to merge this to double-check; I am unaware why this code has been kept around for many years and there may be a good reason to have done this.
Jobs without builds now no longer allow "Rebuild Last"), because that seemed weird to work in the first place.
Testing done
Configured three freestyle projects (no params, params, and params with auto-rebuild) and clicked the actions. They seemed about correct.
I have tested with the persisted action a bit (rebuild of historical builds both with and without parameters, checking there's no second action), but not extensively.
Additionally, if someone else wants to take this on, I strongly recommend adding tests with historical build records with persisted
RebuildAction, as well as adding tests confirming the effectiveness of the security fix (basically, what the tests kind of did until they were adapted, except withassertThrowsso they pass). Any obscure undocumented use cases (e.g., "expect reasonable outcome when someone navigates to…/rebuilddirectly and a parameters page should show up") will need to have tests added as well.Submitter checklist