-
Notifications
You must be signed in to change notification settings - Fork 63
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes for Security check #98
Conversation
Changes for Security check
@@ -2738,7 +2773,7 @@ public ListBoxModel doFillPresetItems(@QueryParameter final boolean useOwnServer | |||
@QueryParameter final String username, @QueryParameter final String password, | |||
@QueryParameter final String timestamp, @QueryParameter final String credentialsId, | |||
@QueryParameter final boolean isProxy, @AncestorInPath Item item) { | |||
Jenkins.getInstance().checkPermission(Item.CONFIGURE); | |||
item.checkPermission(Item.CONFIGURE); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
item.checkPermission(Item.CONFIGURE); | |
if(item==null){ | |
return FormValidation.ok(); | |
}else { | |
item.checkPermission(Item.CONFIGURE); | |
} |
Please, always check if the context is no null to avoid any error.
@@ -2774,7 +2809,7 @@ public ListBoxModel doFillPresetItems(@QueryParameter final boolean useOwnServer | |||
*/ | |||
@POST | |||
public FormValidation doCheckFullScanCycle(@QueryParameter final int value) { | |||
Jenkins.getInstance().checkPermission(Item.CONFIGURE); | |||
item.checkPermission(Item.CONFIGURE); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ditto.
@@ -2787,7 +2822,7 @@ public ListBoxModel doFillSourceEncodingItems(@QueryParameter final boolean useO | |||
@QueryParameter final String username, @QueryParameter final String password, | |||
@QueryParameter final String timestamp, @QueryParameter final String credentialsId, | |||
@QueryParameter final boolean isProxy, @AncestorInPath Item item) { | |||
Jenkins.getInstance().checkPermission(Item.CONFIGURE); | |||
item.checkPermission(Item.CONFIGURE); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ditto.
@@ -2827,7 +2862,7 @@ public ListBoxModel doFillGroupIdItems(@QueryParameter final boolean useOwnServe | |||
@QueryParameter final String username, @QueryParameter final String password, | |||
@QueryParameter final String timestamp, @QueryParameter final String credentialsId, | |||
@QueryParameter final boolean isProxy, @AncestorInPath Item item) { | |||
Jenkins.getInstance().checkPermission(Item.CONFIGURE); | |||
item.checkPermission(Item.CONFIGURE); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ditto.
public ListBoxModel doFillFailBuildOnNewSeverityItems() { | ||
Jenkins.getInstance().checkPermission(Item.CONFIGURE); | ||
public ListBoxModel doFillFailBuildOnNewSeverityItems(@AncestorInPath Item item) { | ||
item.checkPermission(Item.CONFIGURE); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ditto.
public FormValidation doCheckLowThreshold(@QueryParameter final Integer value) { | ||
Jenkins.getInstance().checkPermission(Item.CONFIGURE); | ||
public FormValidation doCheckLowThreshold(@QueryParameter final Integer value,@AncestorInPath Item item) { | ||
item.checkPermission(Item.CONFIGURE); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ditto.
public FormValidation doCheckOsaHighThreshold(@QueryParameter final Integer value) { | ||
Jenkins.getInstance().checkPermission(Item.CONFIGURE); | ||
public FormValidation doCheckOsaHighThreshold(@QueryParameter final Integer value,@AncestorInPath Item item) { | ||
item.checkPermission(Item.CONFIGURE); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ditto.
public FormValidation doCheckOsaMediumThreshold(@QueryParameter final Integer value) { | ||
Jenkins.getInstance().checkPermission(Item.CONFIGURE); | ||
public FormValidation doCheckOsaMediumThreshold(@QueryParameter final Integer value,@AncestorInPath Item item) { | ||
item.checkPermission(Item.CONFIGURE); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ditto.
public FormValidation doCheckOsaLowThreshold(@QueryParameter final Integer value) { | ||
Jenkins.getInstance().checkPermission(Item.CONFIGURE); | ||
public FormValidation doCheckOsaLowThreshold(@QueryParameter final Integer value,@AncestorInPath Item item) { | ||
item.checkPermission(Item.CONFIGURE); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ditto.
@@ -2305,7 +2305,6 @@ public final void setHideDebugLogs(boolean hideDebugLogs) { | |||
@POST | |||
public FormValidation doCheckScanTimeoutDuration(@QueryParameter final Integer value) { | |||
Jenkins.getInstance().checkPermission(Item.CONFIGURE); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're still checking the global Configure
permission for this one, please add the @AncestorInPath
annotation and check on the current context.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This field is on the global configuration page only. Do we have to add the context check ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have added the @AncestorInPath annotation and Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My bad on this one, I didn't check for the moment where they're called, but yeah, field called on global configuration page, only need Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
.
No need for @AncestorInPath
annotation or Item.Configure permission
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, don't forget to push your commit, otherwise I can't review you changes 😄
Also you're calling |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You need to check if the context is not null
public FormValidation doCheckScaSASTProjectID(@QueryParameter String value, @QueryParameter String scaSASTProjectFullPath) { | ||
Jenkins.getInstance().checkPermission(Item.CONFIGURE); | ||
public FormValidation doCheckScaSASTProjectID(@QueryParameter String value, @QueryParameter String scaSASTProjectFullPath,@AncestorInPath Item item) { | ||
item.checkPermission(Item.CONFIGURE); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
item.checkPermission(Item.CONFIGURE); | |
if (item == null) { | |
return FormValidation.ok(); | |
} | |
item.checkPermission(Item.CONFIGURE); |
Please check if the context is not null
public FormValidation doCheckCustomFields(@QueryParameter String value) { | ||
Jenkins.getInstance().checkPermission(Item.CONFIGURE); | ||
public FormValidation doCheckCustomFields(@QueryParameter String value,@AncestorInPath Item item) { | ||
item.checkPermission(Item.CONFIGURE); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
item.checkPermission(Item.CONFIGURE); | |
if (item == null) { | |
return FormValidation.ok(); | |
} | |
item.checkPermission(Item.CONFIGURE); |
Please check if the context is not null
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Kevin-CB , are you saying for all job level parameters , we need to add the context check like we have added for all common parameters? But when we debugged the code for job level parameters the item is never coming as null it has value either a FreeStyleJobProject or PipelineJobProject.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hello @SubhadraSahoo, indeed to avoid any exception, we prefer that the case of a null context is always taken into account.
Because all web methods can be called from various Item.
Take for example this web method doCheckCustomFields
, it can be called by its path: descriptorByName/com.checkmarx.jenkins.CxScanBuilder/checkCustomFields
.
eg:
[JENKINS_INSTANCE]/descriptorByName/com.checkmarx.jenkins.CxScanBuilder/checkCustomFields
(context is null) or
[JENKINS_INSTANCE]/job/[JOB_NAME]descriptorByName/com.checkmarx.jenkins.CxScanBuilder/checkCustomFields
(the job is your context)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Kevin-CB Two questions.
- Isn't it an issue that Jenkins allowing access to doCheckCustomFields method via descriptor, when the function is only for the Job level field and there is no field by that name on the descriptor (global)?
- Why an null pointer exception a concern for the security issue we are trying to fix?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hello @umeshwaghode,
-
No this is not a issue, it's used for many features, it's just necessary to implement the right permission checks when using them.
-
We're just trying to spread the best practices to prevent bad ones from spreading throughout the ecosystem. Many maintainers copy already existing code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"It is used in many features" does not explain how a different path should gives access to a function that is not meant for that path. I find that odd.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's how Jenkins (in conjunction with Stapler) is designed. Multiple URLs route to descriptor lists, as they may need to be available in multiple places. Even your build step's descriptor may offer global configuration options (through global.jelly
) with related form validation, so not having the descriptor available at a global level would be a problem.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks Daniel for clarifying this further. We will be making suggested changes as without those I do not see we getting this PR approved. But to clarify, all these places where (item == null) check is suggested in review comments, exist only on job and we have no intention to expose those in global.jelly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Kevin-CB , Hi Can you please remove the security warning from the Jenkins checkmarx plugin. The latest plugin 2022.2.3 is now published in the market place. Please let us know if anything else we need to do.
public FormValidation doCheckForceScan(@QueryParameter boolean value, @QueryParameter boolean incremental) { | ||
Jenkins.getInstance().checkPermission(Item.CONFIGURE); | ||
public FormValidation doCheckForceScan(@QueryParameter boolean value, @QueryParameter boolean incremental,@AncestorInPath Item item) { | ||
item.checkPermission(Item.CONFIGURE); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
item.checkPermission(Item.CONFIGURE); | |
if (item == null) { | |
return FormValidation.ok(); | |
} | |
item.checkPermission(Item.CONFIGURE); |
Please check if the context is not null
public FormValidation doCheckIncremental(@QueryParameter boolean value, @QueryParameter boolean forceScan) { | ||
Jenkins.getInstance().checkPermission(Item.CONFIGURE); | ||
public FormValidation doCheckIncremental(@QueryParameter boolean value, @QueryParameter boolean forceScan,@AncestorInPath Item item) { | ||
item.checkPermission(Item.CONFIGURE); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
item.checkPermission(Item.CONFIGURE); | |
if (item == null) { | |
return FormValidation.ok(); | |
} | |
item.checkPermission(Item.CONFIGURE); |
Please check if the context is not null
@@ -2651,7 +2662,7 @@ public ListBoxModel doFillPostScanActionIdItems(@QueryParameter final boolean us | |||
@QueryParameter final String username, @QueryParameter final String password, | |||
@QueryParameter final String timestamp, @QueryParameter final String credentialsId, | |||
@QueryParameter final boolean isProxy, @AncestorInPath Item item) { | |||
Jenkins.getInstance().checkPermission(Item.CONFIGURE); | |||
item.checkPermission(Item.CONFIGURE); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
item.checkPermission(Item.CONFIGURE); | |
if (item == null) { | |
return FormValidation.ok(); | |
} | |
item.checkPermission(Item.CONFIGURE); |
Please check if the context is not null
public FormValidation doCheckLowThreshold(@QueryParameter final Integer value) { | ||
Jenkins.getInstance().checkPermission(Item.CONFIGURE); | ||
public FormValidation doCheckLowThreshold(@QueryParameter final Integer value,@AncestorInPath Item item) { | ||
item.checkPermission(Item.CONFIGURE); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
item.checkPermission(Item.CONFIGURE); | |
if (item == null) { | |
return FormValidation.ok(); | |
} | |
item.checkPermission(Item.CONFIGURE); |
public FormValidation doCheckOsaHighThreshold(@QueryParameter final Integer value) { | ||
Jenkins.getInstance().checkPermission(Item.CONFIGURE); | ||
public FormValidation doCheckOsaHighThreshold(@QueryParameter final Integer value,@AncestorInPath Item item) { | ||
item.checkPermission(Item.CONFIGURE); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
item.checkPermission(Item.CONFIGURE); | |
if (item == null) { | |
return FormValidation.ok(); | |
} | |
item.checkPermission(Item.CONFIGURE); |
public FormValidation doCheckOsaMediumThreshold(@QueryParameter final Integer value) { | ||
Jenkins.getInstance().checkPermission(Item.CONFIGURE); | ||
public FormValidation doCheckOsaMediumThreshold(@QueryParameter final Integer value,@AncestorInPath Item item) { | ||
item.checkPermission(Item.CONFIGURE); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
item.checkPermission(Item.CONFIGURE); | |
if (item == null) { | |
return FormValidation.ok(); | |
} | |
item.checkPermission(Item.CONFIGURE); |
public FormValidation doCheckOsaLowThreshold(@QueryParameter final Integer value) { | ||
Jenkins.getInstance().checkPermission(Item.CONFIGURE); | ||
public FormValidation doCheckOsaLowThreshold(@QueryParameter final Integer value,@AncestorInPath Item item) { | ||
item.checkPermission(Item.CONFIGURE); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
item.checkPermission(Item.CONFIGURE); | |
if (item == null) { | |
return FormValidation.ok(); | |
} | |
item.checkPermission(Item.CONFIGURE); |
@@ -2787,7 +2798,7 @@ public ListBoxModel doFillSourceEncodingItems(@QueryParameter final boolean useO | |||
@QueryParameter final String username, @QueryParameter final String password, | |||
@QueryParameter final String timestamp, @QueryParameter final String credentialsId, | |||
@QueryParameter final boolean isProxy, @AncestorInPath Item item) { | |||
Jenkins.getInstance().checkPermission(Item.CONFIGURE); | |||
item.checkPermission(Item.CONFIGURE); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
item.checkPermission(Item.CONFIGURE); | |
if (item == null) { | |
return FormValidation.ok(); | |
} | |
item.checkPermission(Item.CONFIGURE); |
… check for job level parameters also.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tested your fix locally and everything seems OK.
You can release it and we'll remove the warning.
@Kevin-CB , Thank you Kevin . |
…jenkinsci/checkmarx-plugin into Jenkins_Security_Checks" This reverts commit 7fda164, reversing changes made to c23cf37.
Changes for version upgrade
* Add validation for descriptor.getDependencyScanConfig()!= null * Add print of SCa info Co-authored-by: Margarital <maragrita.levitm@checkmarx.com>
Version Increment
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good
@Kevin-CB
We have observed
There few methods which are only for Global for which we have added a check :- Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
There are few methods for only job level validation for which we have added a check with @AncestorInPath annotation :-
if(item==null)
{
Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
}else {
item.checkPermission(Item.CONFIGURE);
}
There are few methods which is common for global and job level so for that we have added check with @AncestorInPath :-
if(item==null)
{
Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
}else {
item.checkPermission(Item.CONFIGURE);
}
As per your documentation we have added these checks so please review these changes