Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #14616 Wrong containment on job/build referencing
    Actions
    Infos
    #14616
    Aurélien Tisné (atisne)
    2020-03-12 14:11
    2020-03-02 12:14
    15862
    Details
    Wrong containment on job/build referencing
    A user can see a job (or a build) of a project whose he is not member of.

    Let's assume the job 'develop' has been declared on a projet P2.
    As a member of a projet P1 (and not P2), if I create a reference 'job #develop' inside an artefact, the system build a link on its job. If I click on this link, the page (action=view_job) display the URL of the job.

    I should not see this page since I'm not member of this project.

    This issue is especially critic in the (usual) case the URL contains jenkins personal credential (http://username:privatecredential@server.ic:8090/job/develop).
    Continuous Integration
    Empty
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Manuel Vacelet (vaceletm)
    Closed
    2020-03-12
    Attachments
    Artifact links

    Releases

    Fixed in

    Artifact ID Project Tracker Summary Status Last Update Date Submitted By Assigned to
    rel #14270 Tuleap Releases 11.13 Delivered 2020-04-03 14:31 Manuel Vacelet (vaceletm)
    Empty
    References
    Referencing request #14616

    Git commit

    tuleap/tuleap/stable

    Merge 'gerrit #18225' into stable/master 90f1c24d73
    User avatar Thomas Gerbet (tgerbet) , 2020-03-12 14:09
    Fix request #14616 c656c85eb5
    User avatar Guilhem Bonnefille (CS) (gbonnefille) , 2020-03-12 12:07
    Display settings

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2020-03-12 14:11
    gerrit #18212 integrated integrated into Tuleap 11.12.99.87.


    Thanks for the contirbution @gbonnefille.
    • Status changed from New to Closed
    • Connected artifacts
    • Close date set to 2020-03-12
    User avatar
    Guilhem Bonnefille (CS) (gbonnefille)2020-03-11 12:05
    I think there is effectively a bug in the code:

    The function definition to search a job uses a single argument:
    function searchByJobName($job_name)

    While callers pass the group_id:
    $dar = $job_dao->searchByJobName($job_name, $group_id);
    User avatar
    Thomas Gerbet (tgerbet)2020-03-11 10:24
    Hello,

    On a complementary note, the fact you need to be authenticated on the Jenkins instance to get access to the API is known (see request #11456). The cleanest way to work around that would be that each Tuleap user wanting to get access to the information delegates accesses to the Jenkins instance but AFAIK there is no such built in mechanism in Jenkins.

    That's being said to avoid any misuses Tuleap should probably prevent user to pass user information directly in the URL.
    User avatar
    Manuel Vacelet (vaceletm)2020-03-11 09:45

    When the user click on the reference link. The link points to the Continuous Integration page ; something like this https://tuleap.fr/plugins/hudson/?group_id=102&action=view_job&job=Build_SVN_Tuleap. This page display the "List of items referenced by or referencing this item." followed by the full URL of the job.

    The continuous integration service is only displayed to the project members. So in that case it won't be displayed.

    And, in any case, if the security matters here you should not have username/passwords in the URLs (plus should be in https otherwise consider those creds are leaked and doomed).

    User avatar
    Aurélien Tisné (atisne)2020-03-11 09:32
    > For reference security issues should be reported as such: https://www.tuleap.org/security/
    Sorry, I wasn't aware of this page. Noted.

    > While I confirm about the behaviour about the job between project, at which moment the URL (with or without the password) is leaked to the user ?
    When the user click on the reference link. The link points to the Continuous Integration page ; something like this https://tuleap.fr/plugins/hudson/?group_id=102&action=view_job&job=Build_SVN_Tuleap. This page display the "List of items referenced by or referencing this item." followed by the full URL of the job.
    User avatar
    Manuel Vacelet (vaceletm)2020-03-10 17:39

    For reference security issues should be reported as such: https://www.tuleap.org/security/

    While I confirm about the behaviour about the job between project, at which moment the URL (with or without the password) is leaked to the user ?

    • Assigned to changed from None to Manuel Vacelet (vaceletm)