[SECURITY-266] Conceal ciphertext from the web UI for a user who has no Item.CONFIGURE permission.

82b42359 · Jesse Glick · d6bcfdac · 82b42359 · 82b42359 · 82b42359
3 changed file
--- a/core/src/main/java/hudson/Functions.java
+++ b/core/src/main/java/hudson/Functions.java
@@ -1715,7 +1715,16 @@ public class Functions {
     */
    public String getPasswordValue(Object o) {
        if (o==null)    return null;
-        if (o instanceof Secret)    return ((Secret)o).getEncryptedValue();
+        if (o instanceof Secret) {
+            StaplerRequest req = Stapler.getCurrentRequest();
+            if (req != null) {
+                Item item = req.findAncestorObject(Item.class);
+                if (item != null && !item.hasPermission(Item.CONFIGURE)) {
+                    return "<some secret>";
+                }
+            }
+            return ((Secret) o).getEncryptedValue();
+        }
        if (getIsUnitTest()) {
            throw new SecurityException("attempted to render plaintext ‘" + o + "’ in password field; use a getter of type Secret instead");
        }

--- a/test/src/test/java/lib/form/PasswordTest.java
+++ b/test/src/test/java/lib/form/PasswordTest.java
@@ -28,8 +28,20 @@ import com.gargoylesoftware.htmlunit.html.HtmlPage;
 import hudson.Extension;
 import hudson.model.Describable;
 import hudson.model.Descriptor;
+import hudson.model.FreeStyleProject;
+import hudson.model.Item;
+import hudson.model.JobProperty;
+import hudson.model.JobPropertyDescriptor;
+import hudson.security.GlobalMatrixAuthorizationStrategy;
 import hudson.util.Secret;
+import jenkins.model.Jenkins;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.not;
+import static org.junit.Assert.assertThat;
 import org.jvnet.hudson.test.HudsonTestCase;
+import org.jvnet.hudson.test.Issue;
+import org.jvnet.hudson.test.TestExtension;
+import org.kohsuke.stapler.DataBoundConstructor;

 /**
 * @author Kohsuke Kawaguchi
@@ -55,4 +67,51 @@ public class PasswordTest extends HudsonTestCase implements Describable<Password
            return null;
        }
    }
+
+    @Issue("SECURITY-266")
+    public void testExposedCiphertext() throws Exception {
+        boolean saveEnabled = Item.EXTENDED_READ.getEnabled();
+        try {
+            jenkins.setSecurityRealm(createDummySecurityRealm());
+            // TODO 1.645+ use MockAuthorizationStrategy
+            GlobalMatrixAuthorizationStrategy pmas = new GlobalMatrixAuthorizationStrategy();
+            pmas.add(Jenkins.ADMINISTER, "admin");
+            pmas.add(Jenkins.READ, "dev");
+            pmas.add(Item.READ, "dev");
+            Item.EXTENDED_READ.setEnabled(true);
+            pmas.add(Item.EXTENDED_READ, "dev");
+            jenkins.setAuthorizationStrategy(pmas);
+            Secret secret = Secret.fromString("s3cr3t");
+            FreeStyleProject p = createFreeStyleProject("p");
+            p.addProperty(new VulnerableProperty(secret));
+            WebClient wc = createWebClient();
+            wc.login("admin");
+            HtmlPage configure = wc.getPage(p, "configure");
+            assertThat(configure.getWebResponse().getContentAsString(), containsString(secret.getEncryptedValue()));
+            submit(configure.getFormByName("config"));
+            VulnerableProperty vp = p.getProperty(VulnerableProperty.class);
+            assertNotNull(vp);
+            assertEquals(secret, vp.secret);
+            wc.login("dev");
+            configure = wc.getPage(p, "configure");
+            assertThat(configure.getWebResponse().getContentAsString(), not(containsString(secret.getEncryptedValue())));
+        } finally {
+            Item.EXTENDED_READ.setEnabled(saveEnabled);
+        }
+    }
+    public static class VulnerableProperty extends JobProperty<FreeStyleProject> {
+        public final Secret secret;
+        @DataBoundConstructor
+        public VulnerableProperty(Secret secret) {
+            this.secret = secret;
+        }
+        @TestExtension("testExposedCiphertext")
+        public static class DescriptorImpl extends JobPropertyDescriptor {
+            @Override // TODO delete in 1.635+
+            public String getDisplayName() {
+                return "VulnerableProperty";
+            }
+        }
+    }
+
 }
--- a/test/src/test/resources/lib/form/PasswordTest/VulnerableProperty/config.jelly
+++ b/test/src/test/resources/lib/form/PasswordTest/VulnerableProperty/config.jelly
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+The MIT License
+
+Copyright 2016 CloudBees, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+-->
+
+<?jelly escape-by-default='true'?>
+<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
+    <f:entry field="secret" title="secret">
+        <f:password/>
+    </f:entry>
+</j:jelly>