
Security: OpenSSL::SSL::VERIFY_NONE and some http-only requests

Open · rmoriz opened this issue 7 years ago · 1 comment

  • Currently all https/TLS requests are vulnerable to MITM.

    See:

    https://github.com/arangamani/jenkins_api_client/blob/b9a5e5d4ffc0e9240fd3a3d1ff6caeccc611ba92/lib/jenkins_api_client/client.rb#L311-L314

    https://github.com/arangamani/jenkins_api_client/blob/b9a5e5d4ffc0e9240fd3a3d1ff6caeccc611ba92/lib/jenkins_api_client/client.rb#L270-L274

    Suggestion: Change default to verify, allow users who are unable to fix their trust root to set an option to disable verification.

  • exec_cli is hard-coded to http:

    https://github.com/arangamani/jenkins_api_client/blob/b9a5e5d4ffc0e9240fd3a3d1ff6caeccc611ba92/lib/jenkins_api_client/client.rb#L617-L619

  • The update center request is not made over https either.

    https://github.com/arangamani/jenkins_api_client/blob/b9a5e5d4ffc0e9240fd3a3d1ff6caeccc611ba92/lib/jenkins_api_client/client.rb#L490-L493

rmoriz · Oct 28 '17 22:10
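The suggested fix from the report (verify by default, explicit opt-out, and no hard-coded `http:` for the CLI path) as an added Ruby example with plain `Net::HTTP`; this is illustrative code written for this thread, not the gem's own implementation, and the `build_http`, `cli_url` and `ssl_verify` names are hypothetical.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Build a connection with TLS certificate verification ON by default.
# `ssl_verify: false` is the explicit opt-out for users who cannot fix
# their trust root; `ca_file` lets them point at a private CA instead.
# (Hypothetical helper, not the jenkins_api_client API.)
def build_http(server_url, ssl_verify: true, ca_file: nil)
  uri = URI.parse(server_url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == 'https')
  if http.use_ssl?
    # VERIFY_PEER rejects untrusted or mismatched certificates, which is
    # what stops an active MITM; VERIFY_NONE accepts any certificate.
    http.verify_mode = ssl_verify ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
    http.ca_file = ca_file if ca_file
    warn "TLS verification disabled for #{uri.host}" unless ssl_verify
  end
  http
end

# Derive the CLI endpoint from the configured server URL instead of
# hard-coding "http:", so an https server keeps https for the CLI too.
def cli_url(server_url)
  base = server_url.end_with?('/') ? server_url : "#{server_url}/"
  URI.join(base, 'cli').to_s
end

# Small check a test suite can call: does this connection verify peers?
def verifies_peer?(http)
  http.use_ssl? && http.verify_mode == OpenSSL::SSL::VERIFY_PEER
end
```

The `Net::HTTP` object is only configured here, not started, so the example runs offline; connection setup happens in the caller's `http.start` or `http.request`.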

see #204

rmoriz · Oct 30 '17 17:10