@daniel-beck requests a kill switch for ConsoleNote.MAC.

1ce5df04 · Jesse Glick · 0e3f66f5 · 1ce5df04 · 1ce5df04
2 changed file
--- a/core/src/main/java/hudson/console/ConsoleNote.java
+++ b/core/src/main/java/hudson/console/ConsoleNote.java
@@ -123,6 +123,12 @@ import jenkins.security.HMACConfidentialKey;
 public abstract class ConsoleNote<T> implements Serializable, Describable<ConsoleNote<?>>, ExtensionPoint {

    private static final HMACConfidentialKey MAC = new HMACConfidentialKey(ConsoleNote.class, "MAC");
+    /**
+     * Allows historical build records with unsigned console notes to be displayed, at the expense of any security.
+     * Disables checking of {@link #MAC} so do not set this flag unless you completely trust all users capable of affecting build output,
+     * which in practice means that all SCM committers as well as all Jenkins users with any non-read-only access are consider administrators.
+     */
+    static /* nonfinal for tests & script console */ boolean LENIENT_MAC = Boolean.getBoolean(ConsoleNote.class.getName() + ".LENIENT_MAC"); // TODO 2.x use SystemProperties

    /**
     * When the line of a console output that this annotation is attached is read by someone,
@@ -240,7 +246,9 @@ public abstract class ConsoleNote<T> implements Serializable, Describable<Consol
                return null;    // not a valid postamble

            if (mac == null) {
-                throw new IOException("Refusing to deserialize unsigned note from an old log.");
+                if (!LENIENT_MAC) {
+                    throw new IOException("Refusing to deserialize unsigned note from an old log.");
+                }
            } else if (!MAC.checkMac(buf, mac)) {
                throw new IOException("MAC mismatch");
            }

--- a/core/src/test/java/hudson/console/AnnotatedLargeTextTest.java
+++ b/core/src/test/java/hudson/console/AnnotatedLargeTextTest.java
@@ -31,8 +31,9 @@ import java.io.PrintStream;
 import java.io.StringWriter;
 import jenkins.security.ConfidentialStoreRule;
 import org.apache.commons.io.Charsets;
-import org.junit.Test;
+import static org.hamcrest.CoreMatchers.*;
 import static org.junit.Assert.*;
+import org.junit.Test;
 import org.junit.Rule;
 import org.jvnet.hudson.test.For;
 import org.jvnet.hudson.test.Issue;
@@ -78,6 +79,14 @@ public class AnnotatedLargeTextTest {
        text.writeHtmlTo(0, w);
        assertEquals("hellothere\n", w.toString());
        // TODO expect log record with message "Failed to resurrect annotation" and IOException with message "Refusing to deserialize unsigned note from an old log."
+        ConsoleNote.LENIENT_MAC = true;
+        try {
+            w = new StringWriter();
+            text.writeHtmlTo(0, w);
+            assertThat(w.toString(), containsString("<script>"));
+        } finally {
+            ConsoleNote.LENIENT_MAC = false;
+        }
    }

    @Issue("SECURITY-382")