Changes for Security check #98
Conversation
Changes for Security check
sangamchitmugre
requested review from
daniel-beck,
Wadeck,
Kevin-CB and
umeshwaghode
| @@ -2738,7 +2773,7 @@ public ListBoxModel doFillPresetItems(@QueryParameter final boolean useOwnServer | |||
| @QueryParameter final String username, @QueryParameter final String password, | |||
| @QueryParameter final String timestamp, @QueryParameter final String credentialsId, | |||
| @QueryParameter final boolean isProxy, @AncestorInPath Item item) { | |||
| Jenkins.getInstance().checkPermission(Item.CONFIGURE); | |||
| item.checkPermission(Item.CONFIGURE); | |||
There was a problem hiding this comment.
| item.checkPermission(Item.CONFIGURE); | |
| if(item==null){ | |
| return FormValidation.ok(); | |
| }else { | |
| item.checkPermission(Item.CONFIGURE); | |
| } |
Please, always check if the context is no null to avoid any error.
| @@ -2774,7 +2809,7 @@ public ListBoxModel doFillPresetItems(@QueryParameter final boolean useOwnServer | |||
| */ | |||
| @POST | |||
| public FormValidation doCheckFullScanCycle(@QueryParameter final int value) { | |||
| Jenkins.getInstance().checkPermission(Item.CONFIGURE); | |||
| item.checkPermission(Item.CONFIGURE); | |||
| @@ -2787,7 +2822,7 @@ public ListBoxModel doFillSourceEncodingItems(@QueryParameter final boolean useO | |||
| @QueryParameter final String username, @QueryParameter final String password, | |||
| @QueryParameter final String timestamp, @QueryParameter final String credentialsId, | |||
| @QueryParameter final boolean isProxy, @AncestorInPath Item item) { | |||
| Jenkins.getInstance().checkPermission(Item.CONFIGURE); | |||
| item.checkPermission(Item.CONFIGURE); | |||
| @@ -2827,7 +2862,7 @@ public ListBoxModel doFillGroupIdItems(@QueryParameter final boolean useOwnServe | |||
| @QueryParameter final String username, @QueryParameter final String password, | |||
| @QueryParameter final String timestamp, @QueryParameter final String credentialsId, | |||
| @QueryParameter final boolean isProxy, @AncestorInPath Item item) { | |||
| Jenkins.getInstance().checkPermission(Item.CONFIGURE); | |||
| item.checkPermission(Item.CONFIGURE); | |||
| public ListBoxModel doFillFailBuildOnNewSeverityItems() { | ||
| Jenkins.getInstance().checkPermission(Item.CONFIGURE); | ||
| public ListBoxModel doFillFailBuildOnNewSeverityItems(@AncestorInPath Item item) { | ||
| item.checkPermission(Item.CONFIGURE); |
| public FormValidation doCheckLowThreshold(@QueryParameter final Integer value) { | ||
| Jenkins.getInstance().checkPermission(Item.CONFIGURE); | ||
| public FormValidation doCheckLowThreshold(@QueryParameter final Integer value,@AncestorInPath Item item) { | ||
| item.checkPermission(Item.CONFIGURE); |
| public FormValidation doCheckOsaHighThreshold(@QueryParameter final Integer value) { | ||
| Jenkins.getInstance().checkPermission(Item.CONFIGURE); | ||
| public FormValidation doCheckOsaHighThreshold(@QueryParameter final Integer value,@AncestorInPath Item item) { | ||
| item.checkPermission(Item.CONFIGURE); |
| public FormValidation doCheckOsaMediumThreshold(@QueryParameter final Integer value) { | ||
| Jenkins.getInstance().checkPermission(Item.CONFIGURE); | ||
| public FormValidation doCheckOsaMediumThreshold(@QueryParameter final Integer value,@AncestorInPath Item item) { | ||
| item.checkPermission(Item.CONFIGURE); |
| public FormValidation doCheckOsaLowThreshold(@QueryParameter final Integer value) { | ||
| Jenkins.getInstance().checkPermission(Item.CONFIGURE); | ||
| public FormValidation doCheckOsaLowThreshold(@QueryParameter final Integer value,@AncestorInPath Item item) { | ||
| item.checkPermission(Item.CONFIGURE); |
| @@ -2305,7 +2305,6 @@ public final void setHideDebugLogs(boolean hideDebugLogs) { | |||
| @POST | |||
| public FormValidation doCheckScanTimeoutDuration(@QueryParameter final Integer value) { | |||
| Jenkins.getInstance().checkPermission(Item.CONFIGURE); | |||
There was a problem hiding this comment.
You're still checking the global Configure permission for this one, please add the @AncestorInPath annotation and check on the current context.
There was a problem hiding this comment.
This field is on the global configuration page only. Do we have to add the context check ?
There was a problem hiding this comment.
I have added the @AncestorInPath annotation and Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
There was a problem hiding this comment.
My bad on this one, I didn't check for the moment where they're called, but yeah, field called on global configuration page, only need Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);.
No need for @AncestorInPath annotation or Item.Configure permission
There was a problem hiding this comment.
Also, don't forget to push your commit, otherwise I can't review you changes 😄
|
Also you're calling |
| public FormValidation doCheckScaSASTProjectID(@QueryParameter String value, @QueryParameter String scaSASTProjectFullPath) { | ||
| Jenkins.getInstance().checkPermission(Item.CONFIGURE); | ||
| public FormValidation doCheckScaSASTProjectID(@QueryParameter String value, @QueryParameter String scaSASTProjectFullPath,@AncestorInPath Item item) { | ||
| item.checkPermission(Item.CONFIGURE); |
There was a problem hiding this comment.
| item.checkPermission(Item.CONFIGURE); | |
| if (item == null) { | |
| return FormValidation.ok(); | |
| } | |
| item.checkPermission(Item.CONFIGURE); |
Please check if the context is not null
| public FormValidation doCheckCustomFields(@QueryParameter String value) { | ||
| Jenkins.getInstance().checkPermission(Item.CONFIGURE); | ||
| public FormValidation doCheckCustomFields(@QueryParameter String value,@AncestorInPath Item item) { | ||
| item.checkPermission(Item.CONFIGURE); |
There was a problem hiding this comment.
| item.checkPermission(Item.CONFIGURE); | |
| if (item == null) { | |
| return FormValidation.ok(); | |
| } | |
| item.checkPermission(Item.CONFIGURE); |
Please check if the context is not null
There was a problem hiding this comment.
@Kevin-CB , are you saying for all job level parameters , we need to add the context check like we have added for all common parameters? But when we debugged the code for job level parameters the item is never coming as null it has value either a FreeStyleJobProject or PipelineJobProject.
There was a problem hiding this comment.
Hello @SubhadraSahoo, indeed to avoid any exception, we prefer that the case of a null context is always taken into account.
Because all web methods can be called from various Item.
Take for example this web method doCheckCustomFields, it can be called by its path: descriptorByName/com.checkmarx.jenkins.CxScanBuilder/checkCustomFields.
eg:
[JENKINS_INSTANCE]/descriptorByName/com.checkmarx.jenkins.CxScanBuilder/checkCustomFields (context is null) or
[JENKINS_INSTANCE]/job/[JOB_NAME]descriptorByName/com.checkmarx.jenkins.CxScanBuilder/checkCustomFields (the job is your context)
There was a problem hiding this comment.
@Kevin-CB Two questions.
- Isn't it an issue that Jenkins allowing access to doCheckCustomFields method via descriptor, when the function is only for the Job level field and there is no field by that name on the descriptor (global)?
- Why an null pointer exception a concern for the security issue we are trying to fix?
There was a problem hiding this comment.
Hello @umeshwaghode,
-
No this is not a issue, it's used for many features, it's just necessary to implement the right permission checks when using them.
-
We're just trying to spread the best practices to prevent bad ones from spreading throughout the ecosystem. Many maintainers copy already existing code.
There was a problem hiding this comment.
"It is used in many features" does not explain how a different path should gives access to a function that is not meant for that path. I find that odd.
There was a problem hiding this comment.
That's how Jenkins (in conjunction with Stapler) is designed. Multiple URLs route to descriptor lists, as they may need to be available in multiple places. Even your build step's descriptor may offer global configuration options (through global.jelly) with related form validation, so not having the descriptor available at a global level would be a problem.
There was a problem hiding this comment.
Thanks Daniel for clarifying this further. We will be making suggested changes as without those I do not see we getting this PR approved. But to clarify, all these places where (item == null) check is suggested in review comments, exist only on job and we have no intention to expose those in global.jelly.
There was a problem hiding this comment.
@Kevin-CB , Hi Can you please remove the security warning from the Jenkins checkmarx plugin. The latest plugin 2022.2.3 is now published in the market place. Please let us know if anything else we need to do.
| public FormValidation doCheckForceScan(@QueryParameter boolean value, @QueryParameter boolean incremental) { | ||
| Jenkins.getInstance().checkPermission(Item.CONFIGURE); | ||
| public FormValidation doCheckForceScan(@QueryParameter boolean value, @QueryParameter boolean incremental,@AncestorInPath Item item) { | ||
| item.checkPermission(Item.CONFIGURE); |
There was a problem hiding this comment.
| item.checkPermission(Item.CONFIGURE); | |
| if (item == null) { | |
| return FormValidation.ok(); | |
| } | |
| item.checkPermission(Item.CONFIGURE); |
Please check if the context is not null
| public FormValidation doCheckIncremental(@QueryParameter boolean value, @QueryParameter boolean forceScan) { | ||
| Jenkins.getInstance().checkPermission(Item.CONFIGURE); | ||
| public FormValidation doCheckIncremental(@QueryParameter boolean value, @QueryParameter boolean forceScan,@AncestorInPath Item item) { | ||
| item.checkPermission(Item.CONFIGURE); |
There was a problem hiding this comment.
| item.checkPermission(Item.CONFIGURE); | |
| if (item == null) { | |
| return FormValidation.ok(); | |
| } | |
| item.checkPermission(Item.CONFIGURE); |
Please check if the context is not null
| @@ -2651,7 +2662,7 @@ public ListBoxModel doFillPostScanActionIdItems(@QueryParameter final boolean us | |||
| @QueryParameter final String username, @QueryParameter final String password, | |||
| @QueryParameter final String timestamp, @QueryParameter final String credentialsId, | |||
| @QueryParameter final boolean isProxy, @AncestorInPath Item item) { | |||
| Jenkins.getInstance().checkPermission(Item.CONFIGURE); | |||
| item.checkPermission(Item.CONFIGURE); | |||
There was a problem hiding this comment.
| item.checkPermission(Item.CONFIGURE); | |
| if (item == null) { | |
| return FormValidation.ok(); | |
| } | |
| item.checkPermission(Item.CONFIGURE); |
Please check if the context is not null
| public FormValidation doCheckLowThreshold(@QueryParameter final Integer value) { | ||
| Jenkins.getInstance().checkPermission(Item.CONFIGURE); | ||
| public FormValidation doCheckLowThreshold(@QueryParameter final Integer value,@AncestorInPath Item item) { | ||
| item.checkPermission(Item.CONFIGURE); |
There was a problem hiding this comment.
| item.checkPermission(Item.CONFIGURE); | |
| if (item == null) { | |
| return FormValidation.ok(); | |
| } | |
| item.checkPermission(Item.CONFIGURE); |
| public FormValidation doCheckOsaHighThreshold(@QueryParameter final Integer value) { | ||
| Jenkins.getInstance().checkPermission(Item.CONFIGURE); | ||
| public FormValidation doCheckOsaHighThreshold(@QueryParameter final Integer value,@AncestorInPath Item item) { | ||
| item.checkPermission(Item.CONFIGURE); |
There was a problem hiding this comment.
| item.checkPermission(Item.CONFIGURE); | |
| if (item == null) { | |
| return FormValidation.ok(); | |
| } | |
| item.checkPermission(Item.CONFIGURE); |
| public FormValidation doCheckOsaMediumThreshold(@QueryParameter final Integer value) { | ||
| Jenkins.getInstance().checkPermission(Item.CONFIGURE); | ||
| public FormValidation doCheckOsaMediumThreshold(@QueryParameter final Integer value,@AncestorInPath Item item) { | ||
| item.checkPermission(Item.CONFIGURE); |
There was a problem hiding this comment.
| item.checkPermission(Item.CONFIGURE); | |
| if (item == null) { | |
| return FormValidation.ok(); | |
| } | |
| item.checkPermission(Item.CONFIGURE); |
| public FormValidation doCheckOsaLowThreshold(@QueryParameter final Integer value) { | ||
| Jenkins.getInstance().checkPermission(Item.CONFIGURE); | ||
| public FormValidation doCheckOsaLowThreshold(@QueryParameter final Integer value,@AncestorInPath Item item) { | ||
| item.checkPermission(Item.CONFIGURE); |
There was a problem hiding this comment.
| item.checkPermission(Item.CONFIGURE); | |
| if (item == null) { | |
| return FormValidation.ok(); | |
| } | |
| item.checkPermission(Item.CONFIGURE); |
| @@ -2787,7 +2798,7 @@ public ListBoxModel doFillSourceEncodingItems(@QueryParameter final boolean useO | |||
| @QueryParameter final String username, @QueryParameter final String password, | |||
| @QueryParameter final String timestamp, @QueryParameter final String credentialsId, | |||
| @QueryParameter final boolean isProxy, @AncestorInPath Item item) { | |||
| Jenkins.getInstance().checkPermission(Item.CONFIGURE); | |||
| item.checkPermission(Item.CONFIGURE); | |||
There was a problem hiding this comment.
| item.checkPermission(Item.CONFIGURE); | |
| if (item == null) { | |
| return FormValidation.ok(); | |
| } | |
| item.checkPermission(Item.CONFIGURE); |
… check for job level parameters also.
@Kevin-CB , Thank you Kevin . |
…jenkinsci/checkmarx-plugin into Jenkins_Security_Checks" This reverts commit 7fda164, reversing changes made to c23cf37.
Changes for version upgrade
* Add validation for descriptor.getDependencyScanConfig()!= null * Add print of SCa info Co-authored-by: Margarital <maragrita.levitm@checkmarx.com>
Version Increment
@Kevin-CB
We have observed
There few methods which are only for Global for which we have added a check :- Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
There are few methods for only job level validation for which we have added a check with @AncestorInPath annotation :-
if(item==null)
{
Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
}else {
item.checkPermission(Item.CONFIGURE);
}
There are few methods which is common for global and job level so for that we have added check with @AncestorInPath :-
if(item==null)
{
Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
}else {
item.checkPermission(Item.CONFIGURE);
}
As per your documentation we have added these checks so please review these changes