      request #14616 Wrong containment on job/build referencing
    Infos
    #14616
    Aurélien Tisné (atisne)
    2020-03-12 14:11
    2020-03-02 12:14
    15721
    Details
    Wrong containment on job/build referencing
    A user can see a job (or a build) of a project of which he is not a member.

    Let's assume the job 'develop' has been declared on a project P2.
    As a member of a project P1 (and not P2), if I create a reference 'job #develop' inside an artefact, the system builds a link to its job. If I click on this link, the page (action=view_job) displays the URL of the job.

    I should not see this page since I'm not a member of this project.

    This issue is especially critical in the (usual) case where the URL contains Jenkins personal credentials (http://username:privatecredential@server.ic:8090/job/develop).
    Continuous Integration
    Stage
    Manuel Vacelet (vaceletm)
    Closed
    2020-03-12

    Follow-ups

    • Thomas Gerbet (tgerbet) 2020-03-12 14:11
      gerrit #18212 integrated into Tuleap 11.12.99.87.

      Thanks for the contribution @gbonnefille.

      • Status changed from New to Closed
      • Connected artifacts
      • Close date set to 2020-03-12
    •
      I think there is effectively a bug in the code:

      The function definition to search a job uses a single argument:
      function searchByJobName($job_name)

      While callers pass the group_id:
      $dar = $job_dao->searchByJobName($job_name, $group_id);
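      As an added example (not Tuleap's own code), this plain PHP shows the two defender-side checks the thread points at: resolve a 'job #name' reference only inside the project (group_id) it was written in and only for a member of that project, and strip any user:password part from the job URL before it is rendered. The $jobs array, findJob() and displayUrl() are hypothetical names and the data is constructed.

```php
<?php
declare(strict_types=1);

// Constructed sample data (hypothetical): the same job name declared in two projects.
$jobs = [
    ['group_id' => 101, 'name' => 'develop', 'url' => 'http://alice:s3cret@ci.example.test:8090/job/develop'],
    ['group_id' => 102, 'name' => 'develop', 'url' => 'http://ci2.example.test/job/develop'],
];

// Resolve a 'job #name' reference only within the project it was written in,
// and only for a member of that project. Returns null rather than falling back
// to the first job that happens to carry the same name in another project.
function findJob(array $jobs, string $jobName, int $groupId, array $userProjects): ?array
{
    if (!in_array($groupId, $userProjects, true)) {
        return null; // not a member: no job, no URL
    }
    foreach ($jobs as $job) {
        if ($job['group_id'] === $groupId && $job['name'] === $jobName) {
            return $job;
        }
    }
    return null;
}

// Rebuild the URL without the user:password part before it is rendered to anyone.
function displayUrl(string $url): string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return '';
    }
    return $p['scheme'] . '://' . $p['host']
        . (isset($p['port']) ? ':' . $p['port'] : '')
        . ($p['path'] ?? '')
        . (isset($p['query']) ? '?' . $p['query'] : '');
}

// Member of P1 (101) only, referencing 'job #develop' from a P1 artifact.
$job = findJob($jobs, 'develop', 101, [101]);
echo displayUrl($job['url']), PHP_EOL;           // http://ci.example.test:8090/job/develop

// Same reference resolved against P2 (102) by that user: denied, no cross-project match.
var_dump(findJob($jobs, 'develop', 102, [101])); // NULL
```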
    • Thomas Gerbet (tgerbet) 2020-03-11 10:24
      Hello,

      On a complementary note, the fact that you need to be authenticated on the Jenkins instance to get access to the API is known (see request #11456). The cleanest way to work around that would be that each Tuleap user wanting to get access to the information delegates access to the Jenkins instance, but AFAIK there is no such built-in mechanism in Jenkins.

      That being said, to avoid any misuse Tuleap should probably prevent users from passing user information directly in the URL.
    •
      > When the user clicks on the reference link, the link points to the Continuous Integration page; something like this: https://tuleap.fr/plugins/hudson/?group_id=102&action=view_job&job=Build_SVN_Tuleap. This page displays the "List of items referenced by or referencing this item." followed by the full URL of the job.

      The continuous integration service is only displayed to the project members. So in that case it won't be displayed.

      And, in any case, if security matters here you should not have usernames/passwords in the URLs (plus it should be over https, otherwise consider those creds leaked and doomed).

    •
      > For reference, security issues should be reported as such: https://www.tuleap.org/security/
      Sorry, I wasn't aware of this page. Noted.

      > While I confirm the behaviour about the job between projects, at which moment is the URL (with or without the password) leaked to the user?
      When the user clicks on the reference link, the link points to the Continuous Integration page; something like this: https://tuleap.fr/plugins/hudson/?group_id=102&action=view_job&job=Build_SVN_Tuleap. This page displays the "List of items referenced by or referencing this item." followed by the full URL of the job.
    •
      For reference, security issues should be reported as such: https://www.tuleap.org/security/

      While I confirm the behaviour about the job between projects, at which moment is the URL (with or without the password) leaked to the user?

      • Assigned to changed from None to Manuel Vacelet (vaceletm)
    •
      This issue is a potential security hole. It should be considered critical.