Merge branch 'master' into SECURITY-771/Fix-test-logic

Author: A1exKH

.github/PULL_REQUEST_TEMPLATE.md

@@ -24,6 +24,16 @@ For frontend changes, include screenshots of the relevant page(s) before and aft
 For refactoring and code cleanup changes, exercise the code before and after the change and verify the behavior remains the same.
 -->
 
+### Screenshots (UI changes only)
+
+<!--
+If your change involves a UI change, please include screenshots showing the before and after states.
+-->
+
+#### Before
+
+#### After
+
 ### Proposed changelog entries
 
 - human-readable text

.gitpod/Dockerfile

@@ -1,6 +1,6 @@
 FROM gitpod/workspace-full:latest
 ARG JAVA_VERSION=21.0.6-tem
-ARG MAVEN_VERSION=3.9.11
+ARG MAVEN_VERSION=3.9.12
 # Install Java 21, Maven and GitHub CLI
 RUN bash -c ". /home/gitpod/.sdkman/bin/sdkman-init.sh && \
     sdk install java ${JAVA_VERSION} && \

bom/pom.xml

@@ -326,7 +326,7 @@ THE SOFTWARE.
       <dependency>
         <groupId>org.ow2.asm</groupId>
         <artifactId>asm</artifactId>
-        <version>9.9</version>
+        <version>9.9.1</version>
       </dependency>
       <dependency>
         <!-- provided by jcl-over-slf4j -->

core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java

@@ -10,10 +10,13 @@
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.Extension;
 import hudson.Util;
+import hudson.model.AdministrativeMonitor;
 import hudson.model.ModelObject;
 import hudson.model.PersistentDescriptor;
+import jakarta.servlet.ServletException;
 import jakarta.servlet.ServletRequest;
 import jakarta.servlet.http.HttpServletRequest;
+import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
@@ -27,29 +30,56 @@
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.NoExternalUse;
 import org.kohsuke.stapler.DataBoundConstructor;
+import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.StaplerRequest2;
+import org.kohsuke.stapler.StaplerResponse2;
+import org.kohsuke.stapler.verb.POST;
 import org.springframework.security.core.Authentication;
 
 /**
- * A crumb issuing algorithm based on the request principal and the remote address.
+ * A crumb issuing algorithm based on the request principal and the session ID.
  *
  * @author dty
  */
 public class DefaultCrumbIssuer extends CrumbIssuer {
 
     private transient MessageDigest md;
-    private boolean excludeClientIPFromCrumb;
+    private transient boolean excludeClientIPFromCrumb;
 
     @Restricted(NoExternalUse.class)
     @SuppressFBWarnings(value = "MS_SHOULD_BE_FINAL", justification = "for script console")
     public static /* non-final: Groovy Console */ boolean EXCLUDE_SESSION_ID = SystemProperties.getBoolean(DefaultCrumbIssuer.class.getName() + ".EXCLUDE_SESSION_ID");
 
     @DataBoundConstructor
+    public DefaultCrumbIssuer() {
+        initializeMessageDigest();
+        logSessionIdWarningIfNeeded();
+    }
+
+    /**
+     * @param excludeClientIPFromCrumb unused
+     * @deprecated Use {@link #DefaultCrumbIssuer()} instead.
+     */
+    @Deprecated
     public DefaultCrumbIssuer(boolean excludeClientIPFromCrumb) {
+        this();
         this.excludeClientIPFromCrumb = excludeClientIPFromCrumb;
-        initializeMessageDigest();
+        logSessionIdWarningIfNeeded();
     }
 
+    private void logSessionIdWarningIfNeeded() {
+        if (EXCLUDE_SESSION_ID) {
+            LOGGER.warning("Jenkins no longer uses the client IP address as part of CSRF protection. " +
+                    "This controller is configured to also not use the session ID (hudson.security.csrf.DefaultCrumbIssuer.EXCLUDE_SESSION_ID), which is even less safe now. " +
+                    "This option will be removed in future releases.");
+        }
+    }
+
+    /**
+     * @return the previously set value
+     * @deprecated This setting is no longer effective.
+     */
+    @Deprecated
     public boolean isExcludeClientIPFromCrumb() {
         return this.excludeClientIPFromCrumb;
     }
@@ -77,10 +107,6 @@ protected synchronized String issueCrumb(ServletRequest request, String salt) {
                 StringBuilder buffer = new StringBuilder();
                 Authentication a = Jenkins.getAuthentication2();
                 buffer.append(a.getName());
-                buffer.append(';');
-                if (!isExcludeClientIPFromCrumb()) {
-                    buffer.append(getClientIP(req));
-                }
                 if (!EXCLUDE_SESSION_ID) {
                     buffer.append(';');
                     buffer.append(req.getSession().getId());
@@ -106,20 +132,6 @@ public boolean validateCrumb(ServletRequest request, String salt, String crumb)
         return false;
     }
 
-    private static final String X_FORWARDED_FOR = "X-Forwarded-For";
-
-    private String getClientIP(HttpServletRequest req) {
-        String defaultAddress = req.getRemoteAddr();
-        String forwarded = req.getHeader(X_FORWARDED_FOR);
-        if (forwarded != null) {
-            String[] hopList = forwarded.split(",");
-            if (hopList.length >= 1) {
-                return hopList[0];
-            }
-        }
-        return defaultAddress;
-    }
-
     @Extension @Symbol("standard")
     public static final class DescriptorImpl extends CrumbIssuerDescriptor<DefaultCrumbIssuer> implements ModelObject, PersistentDescriptor {
 
@@ -146,5 +158,41 @@ public DefaultCrumbIssuer newInstance(StaplerRequest2 req, JSONObject formData)
         }
     }
 
+    @Extension
+    @Restricted(NoExternalUse.class)
+    public static class ExcludeSessionIdAdministrativeMonitor extends AdministrativeMonitor {
+
+        @Override
+        public boolean isActivated() {
+            final CrumbIssuer crumbIssuer = Jenkins.get().getCrumbIssuer();
+            if (crumbIssuer instanceof DefaultCrumbIssuer) {
+                return EXCLUDE_SESSION_ID;
+            }
+            return false;
+        }
+
+        @Override
+        public boolean isSecurity() {
+            return true;
+        }
+
+        @Override
+        public String getDisplayName() {
+            return "Warn when session ID is excluded from Default Crumb Issuer"; // TODO i18n
+        }
+
+        @POST
+        public void doAct(StaplerRequest2 req, StaplerResponse2 rsp, @QueryParameter String learn, @QueryParameter String dismiss) throws IOException, ServletException {
+            if (learn != null) {
+                rsp.sendRedirect("https://www.jenkins.io/redirect/csrf-protection/");
+                return;
+            }
+            if (dismiss != null) {
+                disable(true);
+            }
+            rsp.forwardToPreviousPage(req);
+        }
+    }
+
     private static final Logger LOGGER = Logger.getLogger(DefaultCrumbIssuer.class.getName());
 }

core/src/main/java/hudson/security/csrf/GlobalCrumbIssuerConfiguration.java

@@ -73,7 +73,7 @@ public static CrumbIssuer createDefaultCrumbIssuer() {
         if (DISABLE_CSRF_PROTECTION) {
             return null;
         }
-        return new DefaultCrumbIssuer(SystemProperties.getBoolean(Jenkins.class.getName() + ".crumbIssuerProxyCompatibility", false));
+        return new DefaultCrumbIssuer();
     }
 
     @Restricted(NoExternalUse.class)

core/src/main/resources/hudson/model/Messages_ja.properties

@@ -53,7 +53,7 @@ AbstractProject.ExtendedReadPermission.Description=\
   このパーミッションを与えると、パスワードのようなビルドの慎重に扱う必要がある情報が公開されてしまうことに注意してください。
 AbstractProject.DiscoverPermission.Description=\
   ジョブの発見を許可します。匿名ユーザがジョブを参照する権限がない場合、ジョブのURLにアクセスしようとすると、\
-  ログインページにリダイレクトします。この検眼がない場合は、404エラーを返します。
+  ログインページにリダイレクトします。この権限がない場合は、404エラーを返します。
 AbstractProject.WipeOutPermission.Description=\
   ワークスペースにあるコンテンツの削除を許可します。
 AbstractProject.CancelPermission.Description=\

core/src/main/resources/hudson/model/Run/console-log.jelly

@@ -29,7 +29,7 @@
     </j:when>
     <!-- output is completed now. -->
     <j:otherwise>
-      <pre class="console-output">
+      <pre id="out" class="console-output">
         <st:getOutput var="output" />
         <j:whitespace>${it.writeLogTo(offset,output)}</j:whitespace>
       </pre>

core/src/main/resources/hudson/security/csrf/DefaultCrumbIssuer/ExcludeSessionIdAdministrativeMonitor/description.jelly

@@ -0,0 +1,28 @@
+<!--
+The MIT License
+
+Copyright (c) 2025, CloudBees, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+-->
+
+<?jelly escape-by-default='true'?>
+<j:jelly xmlns:j="jelly:core">
+    ${%blurb}
+</j:jelly>

core/src/main/resources/hudson/security/csrf/DefaultCrumbIssuer/ExcludeSessionIdAdministrativeMonitor/description.properties

@@ -0,0 +1,2 @@
+blurb = This administrative monitor alerts when the Default Crumb Issuer is configured to exclude session IDs from CSRF protection. \
+  Jenkins no longer includes the IP address in the CSRF crumb generation, so removing the session ID from the CSRF protection weakens security considerably.

core/src/main/resources/hudson/security/csrf/DefaultCrumbIssuer/ExcludeSessionIdAdministrativeMonitor/message.jelly

@@ -0,0 +1,34 @@
+<!--
+The MIT License
+
+Copyright (c) 2025, CloudBees, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+-->
+
+<?jelly escape-by-default='true'?>
+<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
+  <div class="jenkins-alert jenkins-alert-warning">
+    <form method="post" action="${rootURL}/${it.url}/act" name="${it.id}">
+      <f:submit name="learn" value="${%Learn more}"/>
+      <f:submit name="dismiss" value="${%Dismiss}"/>
+    </form>
+    ${%blurb}
+  </div>
+</j:jelly>