Remove IP address from DefaultCrumbIssuer (#25918)

Co-authored-by: Daniel Beck <daniel-beck@users.noreply.github.com>
Co-authored-by: Mark Waite <mark.earl.waite@gmail.com>

Author: daniel-beck

core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java

@@ -10,10 +10,13 @@
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.Extension;
 import hudson.Util;
+import hudson.model.AdministrativeMonitor;
 import hudson.model.ModelObject;
 import hudson.model.PersistentDescriptor;
+import jakarta.servlet.ServletException;
 import jakarta.servlet.ServletRequest;
 import jakarta.servlet.http.HttpServletRequest;
+import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
@@ -27,29 +30,56 @@
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.NoExternalUse;
 import org.kohsuke.stapler.DataBoundConstructor;
+import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.StaplerRequest2;
+import org.kohsuke.stapler.StaplerResponse2;
+import org.kohsuke.stapler.verb.POST;
 import org.springframework.security.core.Authentication;
 
 /**
- * A crumb issuing algorithm based on the request principal and the remote address.
+ * A crumb issuing algorithm based on the request principal and the session ID.
  *
  * @author dty
  */
 public class DefaultCrumbIssuer extends CrumbIssuer {
 
     private transient MessageDigest md;
-    private boolean excludeClientIPFromCrumb;
+    private transient boolean excludeClientIPFromCrumb;
 
     @Restricted(NoExternalUse.class)
     @SuppressFBWarnings(value = "MS_SHOULD_BE_FINAL", justification = "for script console")
     public static /* non-final: Groovy Console */ boolean EXCLUDE_SESSION_ID = SystemProperties.getBoolean(DefaultCrumbIssuer.class.getName() + ".EXCLUDE_SESSION_ID");
 
     @DataBoundConstructor
+    public DefaultCrumbIssuer() {
+        initializeMessageDigest();
+        logSessionIdWarningIfNeeded();
+    }
+
+    /**
+     * @param excludeClientIPFromCrumb unused
+     * @deprecated Use {@link #DefaultCrumbIssuer()} instead.
+     */
+    @Deprecated
     public DefaultCrumbIssuer(boolean excludeClientIPFromCrumb) {
+        this();
         this.excludeClientIPFromCrumb = excludeClientIPFromCrumb;
-        initializeMessageDigest();
+        logSessionIdWarningIfNeeded();
     }
 
+    private void logSessionIdWarningIfNeeded() {
+        if (EXCLUDE_SESSION_ID) {
+            LOGGER.warning("Jenkins no longer uses the client IP address as part of CSRF protection. " +
+                    "This controller is configured to also not use the session ID (hudson.security.csrf.DefaultCrumbIssuer.EXCLUDE_SESSION_ID), which is even less safe now. " +
+                    "This option will be removed in future releases.");
+        }
+    }
+
+    /**
+     * @return the previously set value
+     * @deprecated This setting is no longer effective.
+     */
+    @Deprecated
     public boolean isExcludeClientIPFromCrumb() {
         return this.excludeClientIPFromCrumb;
     }
@@ -77,10 +107,6 @@ protected synchronized String issueCrumb(ServletRequest request, String salt) {
                 StringBuilder buffer = new StringBuilder();
                 Authentication a = Jenkins.getAuthentication2();
                 buffer.append(a.getName());
-                buffer.append(';');
-                if (!isExcludeClientIPFromCrumb()) {
-                    buffer.append(getClientIP(req));
-                }
                 if (!EXCLUDE_SESSION_ID) {
                     buffer.append(';');
                     buffer.append(req.getSession().getId());
@@ -106,20 +132,6 @@ public boolean validateCrumb(ServletRequest request, String salt, String crumb)
         return false;
     }
 
-    private static final String X_FORWARDED_FOR = "X-Forwarded-For";
-
-    private String getClientIP(HttpServletRequest req) {
-        String defaultAddress = req.getRemoteAddr();
-        String forwarded = req.getHeader(X_FORWARDED_FOR);
-        if (forwarded != null) {
-            String[] hopList = forwarded.split(",");
-            if (hopList.length >= 1) {
-                return hopList[0];
-            }
-        }
-        return defaultAddress;
-    }
-
     @Extension @Symbol("standard")
     public static final class DescriptorImpl extends CrumbIssuerDescriptor<DefaultCrumbIssuer> implements ModelObject, PersistentDescriptor {
 
@@ -146,5 +158,41 @@ public DefaultCrumbIssuer newInstance(StaplerRequest2 req, JSONObject formData)
         }
     }
 
+    @Extension
+    @Restricted(NoExternalUse.class)
+    public static class ExcludeSessionIdAdministrativeMonitor extends AdministrativeMonitor {
+
+        @Override
+        public boolean isActivated() {
+            final CrumbIssuer crumbIssuer = Jenkins.get().getCrumbIssuer();
+            if (crumbIssuer instanceof DefaultCrumbIssuer) {
+                return EXCLUDE_SESSION_ID;
+            }
+            return false;
+        }
+
+        @Override
+        public boolean isSecurity() {
+            return true;
+        }
+
+        @Override
+        public String getDisplayName() {
+            return "Warn when session ID is excluded from Default Crumb Issuer"; // TODO i18n
+        }
+
+        @POST
+        public void doAct(StaplerRequest2 req, StaplerResponse2 rsp, @QueryParameter String learn, @QueryParameter String dismiss) throws IOException, ServletException {
+            if (learn != null) {
+                rsp.sendRedirect("https://www.jenkins.io/redirect/csrf-protection/");
+                return;
+            }
+            if (dismiss != null) {
+                disable(true);
+            }
+            rsp.forwardToPreviousPage(req);
+        }
+    }
+
     private static final Logger LOGGER = Logger.getLogger(DefaultCrumbIssuer.class.getName());
 }

core/src/main/java/hudson/security/csrf/GlobalCrumbIssuerConfiguration.java

@@ -73,7 +73,7 @@ public static CrumbIssuer createDefaultCrumbIssuer() {
         if (DISABLE_CSRF_PROTECTION) {
             return null;
         }
-        return new DefaultCrumbIssuer(SystemProperties.getBoolean(Jenkins.class.getName() + ".crumbIssuerProxyCompatibility", false));
+        return new DefaultCrumbIssuer();
     }
 
     @Restricted(NoExternalUse.class)

core/src/main/resources/hudson/security/csrf/DefaultCrumbIssuer/ExcludeSessionIdAdministrativeMonitor/description.jelly

@@ -0,0 +1,28 @@
+<!--
+The MIT License
+
+Copyright (c) 2025, CloudBees, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+-->
+
+<?jelly escape-by-default='true'?>
+<j:jelly xmlns:j="jelly:core">
+    ${%blurb}
+</j:jelly>

core/src/main/resources/hudson/security/csrf/DefaultCrumbIssuer/ExcludeSessionIdAdministrativeMonitor/description.properties

@@ -0,0 +1,2 @@
+blurb = This administrative monitor alerts when the Default Crumb Issuer is configured to exclude session IDs from CSRF protection. \
+  Jenkins no longer includes the IP address in the CSRF crumb generation, so removing the session ID from the CSRF protection weakens security considerably.

core/src/main/resources/hudson/security/csrf/DefaultCrumbIssuer/ExcludeSessionIdAdministrativeMonitor/message.jelly

@@ -0,0 +1,34 @@
+<!--
+The MIT License
+
+Copyright (c) 2025, CloudBees, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+-->
+
+<?jelly escape-by-default='true'?>
+<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
+  <div class="jenkins-alert jenkins-alert-warning">
+    <form method="post" action="${rootURL}/${it.url}/act" name="${it.id}">
+      <f:submit name="learn" value="${%Learn more}"/>
+      <f:submit name="dismiss" value="${%Dismiss}"/>
+    </form>
+    ${%blurb}
+  </div>
+</j:jelly>

core/src/main/resources/hudson/security/csrf/DefaultCrumbIssuer/ExcludeSessionIdAdministrativeMonitor/message.properties

@@ -0,0 +1,4 @@
+blurb = Jenkins no longer includes the IP address in the CSRF crumb generation and verification. \
+  However, the flag <code>hudson.security.csrf.DefaultCrumbIssuer.EXCLUDE_SESSION_ID</code> is set in this controller. \
+  As a result, there is currently no part of the CSRF crumb that is unique to a user session. \
+  It is strongly recommended to unset this flag, to ensure that CSRF protection remains effective.

core/src/main/resources/hudson/security/csrf/DefaultCrumbIssuer/config.jelly

@@ -1,6 +1,3 @@
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
-    <f:entry field="excludeClientIPFromCrumb">
-        <f:checkbox checked="${instance.isExcludeClientIPFromCrumb()}" title="${%Enable proxy compatibility}" />
-    </f:entry>
 </j:jelly>