
WIP - Security Hardening: Guess sensitive attributes by name in addition to API checks

Open oleg-nenashev opened this issue 6 years ago • 4 comments

This is a follow-up to the SECURITY-1279, SECURITY-1458, SECURITY-1497 fixes in JCasC 1.25 and 1.27. Although these fixes provide a decent level of security for attributes where Secret is somehow referenced in plugin APIs, there is still a gap for plugins which do not use the Secret API at all. If passwords are stored in plain text (like in the plugins referenced in this advisory) and retrieved as Strings in the API, there is nothing JCasC can do about it at the moment. It makes JCasC use-cases impacted by vulnerabilities in other plugins.

This change...

  • [x] Introduces an additional security hardening layer where sensitive AND not encrypted attributes are masked by default in system logs and configuration exports. Secret exports are encrypted, and nothing changes there
  • [x] Adds a new API which allows Attributes to indicate that a field is encrypted
  • [x] Fixes a regression in ProxyConfigurator which is caused by the changes. It demonstrates the use of the new APIs

Your checklist for this pull request

🚨 Please review the guidelines for contributing to this repository.

  • [x] Make sure you are requesting to pull a topic/feature/bugfix branch (right side) and not your master branch!
  • [x] Ensure that the pull request title represents the desired changelog entry
  • [x] Please describe what you did
  • [x] Link to relevant issues in GitHub or in Jenkins JIRA
  • [x] Link to relevant pull requests, esp. upstream and downstream changes
  • [x] Did you provide a test case that demonstrates the feature works or fixes the issue?

oleg-nenashev avatar Aug 13 '19 09:08 oleg-nenashev
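The hardening layer described in the PR (guess sensitive attributes by name, mask them in logs and exports unless the attribute says its value is already encrypted) can be illustrated stand-alone. The class below is an added example, not code from the configuration-as-code-plugin: the `Attribute` record, the `SensitiveAttributeGuesser` class, the fragment list, the safe-suffix exception and the constructed proxy sample are all assumptions chosen for the illustration, and the real plugin's Attribute/Configurator API is not modelled here.

```java
// Added illustration of name-based masking; not the configuration-as-code-plugin's own code.
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

public class SensitiveAttributeGuesser {

    /** Name fragments that usually indicate a credential (assumed list; tune per deployment). */
    private static final List<String> SENSITIVE_FRAGMENTS = List.of(
            "password", "passwd", "secret", "token", "apikey", "privatekey", "credential", "passphrase");

    /** Names that only look sensitive, e.g. "passwordFile" is a path and "tokenId" a reference (assumed). */
    private static final Pattern SAFE_SUFFIX = Pattern.compile("(?i).*(file|path|id|name|url)$");

    public static final String MASK = "****";

    /** Minimal stand-in for an attribute descriptor: name, value, and whether the value is already encrypted. */
    public record Attribute(String name, Object value, boolean encrypted) {}

    /** Heuristic: strip separators, lower-case the name, and look for credential-like fragments. */
    public static boolean looksSensitive(String attributeName) {
        if (attributeName == null) return false;
        if (SAFE_SUFFIX.matcher(attributeName).matches()) return false;
        String normalised = attributeName.replaceAll("[-_\\s]", "").toLowerCase(Locale.ROOT);
        for (String fragment : SENSITIVE_FRAGMENTS) {
            if (normalised.contains(fragment)) return true;
        }
        return false;
    }

    /** Export rule: plaintext values with a sensitive-looking name are masked; encrypted values pass through unchanged. */
    public static Object exportValue(Attribute attribute) {
        if (attribute.value() == null) return null;
        if (attribute.encrypted()) return attribute.value(); // already a Secret-style encrypted export
        return looksSensitive(attribute.name()) ? MASK : attribute.value();
    }

    /** Builds the export view of a configurator's attributes, preserving declaration order. */
    public static Map<String, Object> export(List<Attribute> attributes) {
        Map<String, Object> out = new LinkedHashMap<>();
        for (Attribute a : attributes) out.put(a.name(), exportValue(a));
        return out;
    }

    /** Log rule: the plaintext values of sensitive-looking attributes are redacted wherever they appear in a message. */
    public static String redactLogMessage(String message, List<Attribute> attributes) {
        String redacted = message;
        for (Attribute a : attributes) {
            if (!a.encrypted() && looksSensitive(a.name())
                    && a.value() instanceof String s && !s.isEmpty()) {
                redacted = redacted.replace(s, MASK);
            }
        }
        return redacted;
    }

    public static void main(String[] args) {
        // Constructed sample resembling a proxy configuration whose password is a plain String.
        List<Attribute> proxy = List.of(
                new Attribute("name", "proxy.example.internal", false),
                new Attribute("port", 3128, false),
                new Attribute("userName", "svc-jenkins", false),
                new Attribute("password", "plain-text-example", false),        // constructed plaintext value
                new Attribute("secretPassword", "{ENCRYPTED-PLACEHOLDER}", true), // constructed, already encrypted
                new Attribute("noProxyHost", "localhost", false));

        export(proxy).forEach((k, v) -> System.out.println(k + ": " + v));
        // password is exported as ****, secretPassword keeps its encrypted form.

        String line = "Configured proxy svc-jenkins:plain-text-example@proxy.example.internal:3128";
        System.out.println(redactLogMessage(line, proxy));
        // The plaintext password is replaced by **** in the log line.
    }
}
```

The safe-suffix exception is the part a practitioner should review most carefully: it keeps paths and credential IDs readable, but it also means a field named `secretUrl` or `tokenName` is trusted to hold no secret. Whichever list is used, the guess is a fallback for plugins that expose secrets as plain Strings; attributes that already carry an encrypted value (the `encrypted` flag here, the new API in the PR) are left alone so exports stay loadable.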

retriggering CI

oleg-nenashev avatar Aug 16 '19 10:08 oleg-nenashev

Test failure is real

oleg-nenashev avatar Aug 16 '19 15:08 oleg-nenashev

@oleg-nenashev Do you plan to pick this up again? Or shall we close it? I don't remember seeing new issues about this at all

timja avatar Aug 07 '21 14:08 timja

Let's keep it open for now. Need to do a bigger scrub


oleg-nenashev avatar Aug 07 '21 17:08 oleg-nenashev