[SECURITY-2443]
yaroslavafenkin authored and dwnusbaum committed Feb 9, 2022
1 parent 3dc7fb4 commit 886676e
Showing 2 changed files with 30 additions and 0 deletions.
Expand Up @@ -35,8 +35,10 @@
import hudson.model.Action;
import hudson.model.Cause;
import hudson.model.CauseAction;
import hudson.model.Failure;
import hudson.model.Item;
import hudson.model.ParametersAction;
import hudson.model.PasswordParameterValue;
import hudson.model.Queue;
import hudson.model.Run;
import hudson.model.queue.QueueTaskFuture;
Expand Down Expand Up @@ -262,12 +264,22 @@ public void doRebuild(StaplerRequest req, StaplerResponse rsp) throws ServletExc
}
actions.add(new ReplayFlowFactoryAction(replacementMainScript, replacementLoadedScripts, execution.isSandbox()));
actions.add(new CauseAction(new Cause.UserIdCause(), new ReplayCause(run)));

if (hasPasswordParameter(this.run)) {
throw new Failure("Replay is not allowed when password parameters are used.");
}

for (Class<? extends Action> c : COPIED_ACTIONS) {
actions.addAll(run.getActions(c));
}
return ParameterizedJobMixIn.scheduleBuild2(run.getParent(), 0, actions.toArray(new Action[actions.size()]));
}

private boolean hasPasswordParameter(Run run) {
ParametersAction pa = run.getAction(ParametersAction.class);
return pa != null && pa.getParameters().stream().anyMatch(PasswordParameterValue.class::isInstance);
}

/**
* Finds a set of Groovy class names which are eligible for replacement.
* @param execution the associated execution
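Review bot: `hasPasswordParameter` at the bottom of the hunk inspects only the first ParametersAction via `run.getAction(ParametersAction.class)`, while the copy loop a few lines above forwards every matching action with `run.getActions(c)`, so if ParametersAction is among COPIED_ACTIONS (not visible here) a password value carried in a second ParametersAction would pass the guard yet still be copied into the replayed build. Checking all actions keeps the two in step: `return run.getActions(ParametersAction.class).stream().flatMap(a -> a.getParameters().stream()).anyMatch(PasswordParameterValue.class::isInstance);`. `getParameters()` also filters out values not defined on the job unless the keep-undefined-parameters switch is set; if those values still travel with the copied action, `getAllParameters()` would be the safer source — confirm against ParametersAction before changing it. The raw `Run` parameter should be `Run<?, ?>`, and the guard could sit before the replacement actions are built so the method fails fast instead of doing that work first. The enclosing method starts before this hunk.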
Expand Up @@ -33,9 +33,12 @@
import hudson.cli.CLICommandInvoker;
import hudson.init.InitMilestone;
import hudson.init.Initializer;
import hudson.model.Failure;
import hudson.model.Item;
import hudson.model.ParametersAction;
import hudson.model.ParametersDefinitionProperty;
import hudson.model.PasswordParameterDefinition;
import hudson.model.PasswordParameterValue;
import hudson.model.Run;
import hudson.model.StringParameterDefinition;
import hudson.model.StringParameterValue;
Expand Down Expand Up @@ -135,6 +138,21 @@ public class ReplayActionTest {
});
}

@Issue("SECURITY-2443")
@Test public void withPasswordParameter() {
story.then(r -> {
WorkflowJob p = story.j.jenkins.createProject(WorkflowJob.class, "p");
p.addProperty(new ParametersDefinitionProperty(new PasswordParameterDefinition("passwordParam", "top secret", "")));
p.setDefinition(new CpsFlowDefinition("echo(/passwordParam: ${passwordParam}/)", true));
WorkflowRun run1 = story.j.assertBuildStatusSuccess(p.scheduleBuild2(0,
new ParametersAction(new PasswordParameterValue("passwordParam", "confidential"))));

// When we replay a build with password parameter it should fail with access denied exception.
assertThrows(Failure.class,
() -> run1.getAction(ReplayAction.class).run("echo(/Replaying passwordParam: ${passwordParam}/)", Collections.emptyMap()).get());
});
}

@Issue("JENKINS-50784")
@Test public void lazyLoadExecutionStillReplayable() throws Exception {
story.then( r-> {
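Review bot: The comment above the assertion in the new test says the replay "should fail with access denied exception", but the assertion expects `Failure`, which is a generic user-facing error rather than an access-control failure; change it to `// Replaying a build that carries a password parameter must be rejected with a Failure.` The test also never checks that the rejected replay did not enqueue a build, which is the property the guard is there to protect; `assertNull(p.getBuildByNumber(2));` after the assertThrows (static import if not already present) would pin that. Since the guard in ReplayAction throws before scheduling, the `.get()` inside the lambda is never reached and could be dropped to keep the assertion focused on `run(...)`. The enclosing class continues outside the hunk.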