[SECURITY-3225] Possible exposure of system-scoped credentials during configuration validation

Signed-off-by: Olivier Lamy <olamy@apache.org>

Author: olamy

src/main/java/hudson/plugins/jira/JiraSite.java

@@ -694,22 +694,30 @@ public JiraSession getSession() {
      */
     @Nullable
     public JiraSession getSession(Item item) {
+        return getSession(item, false);
+    }
+
+    JiraSession getSession(Item item, boolean uiValidation) {
         if (jiraSession == null) {
-            jiraSession = createSession(item);
+            jiraSession = createSession(item, uiValidation);
         }
         return jiraSession;
     }
 
+    JiraSession createSession(Item item) {
+        return createSession(item, false);
+    }
+
     /**
      * Creates a remote access session to this Jira.
      *
      * @return null if remote access is not supported.
      */
-    JiraSession createSession(Item item) {
+    JiraSession createSession(Item item, boolean uiValidation) {
         ItemGroup itemGroup = map(item);
         item = itemGroup instanceof Folder ? ((Folder) itemGroup) : item;
 
-        StandardUsernamePasswordCredentials credentials = resolveCredentials(item);
+        StandardUsernamePasswordCredentials credentials = resolveCredentials(item, uiValidation);
 
         if (credentials == null) {
             LOGGER.fine("no Jira credentials available for " + item);
@@ -735,8 +743,10 @@ Lock getProjectUpdateLock() {
     /**
      * This method only supports credential matching by credentialsId.
      * Older methods are not and will not be supported as the credentials should have been migrated already.
+     * @param item can be <code>null</code> if top level
+     * @param uiValidation if <code>true</code> and credentials not found at item level will not go up
      */
-    private StandardUsernamePasswordCredentials resolveCredentials(Item item) {
+    private StandardUsernamePasswordCredentials resolveCredentials(Item item, boolean uiValidation) {
         if (credentialsId == null) {
             LOGGER.fine("credentialsId is null");
             return null; // remote access not supported
@@ -746,12 +756,17 @@ private StandardUsernamePasswordCredentials resolveCredentials(Item item) {
                 .build();
 
         if (item != null) {
-            StandardUsernamePasswordCredentials creds = CredentialsMatchers.firstOrNull(
+            StandardUsernamePasswordCredentials credentials = CredentialsMatchers.firstOrNull(
                     CredentialsProvider.lookupCredentials(
                             StandardUsernamePasswordCredentials.class, item, ACL.SYSTEM, req),
                     CredentialsMatchers.withId(credentialsId));
-            if (creds != null) {
-                return creds;
+            if (credentials != null) {
+                return credentials;
+            }
+            // during UI validation of the configuration we definitely don't want to expose
+            // global credentials
+            if (uiValidation) {
+                return null;
             }
         }
         return CredentialsMatchers.firstOrNull(
@@ -1371,9 +1386,11 @@ public FormValidation doValidate(
             site.setReadTimeout(readTimeout);
             site.setThreadExecutorNumber(threadExecutorNumber);
             site.setUseBearerAuth(useBearerAuth);
-            JiraSession session = null;
             try {
-                session = site.getSession(item);
+                JiraSession session = site.getSession(item, true);
+                if (session == null) {
+                    return FormValidation.error("Cannot validate configuration");
+                }
                 session.getMyPermissions();
                 return FormValidation.ok("Success");
             } catch (RestClientException e) {

src/test/java/hudson/plugins/jira/ChangingWorkflowTest.java

@@ -4,6 +4,7 @@
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.nullValue;
+import static org.mockito.ArgumentMatchers.anyBoolean;
 import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.ArgumentMatchers.isNull;
@@ -112,8 +113,9 @@ public void getActionIdReturnsIdWhenFoundIgnorecaseWorkflow() {
 
     @Test
     public void addCommentsOnNonEmptyWorkflowAndNonEmptyComment() throws Exception {
+        when(site.getSession(any(), anyBoolean())).thenCallRealMethod();
         when(site.getSession(any())).thenCallRealMethod();
-        when(site.createSession(any())).thenReturn(mockSession);
+        when(site.createSession(any(), anyBoolean())).thenReturn(mockSession);
         site.getSession(mockItem);
 
         when(mockSession.getIssuesFromJqlSearch(anyString())).thenReturn(Arrays.asList(mock(Issue.class)));
@@ -130,7 +132,8 @@ public void addCommentsOnNonEmptyWorkflowAndNonEmptyComment() throws Exception {
     @Test
     public void addCommentsOnNullWorkflowAndNonEmptyComment() throws Exception {
         when(site.getSession(any())).thenCallRealMethod();
-        when(site.createSession(any())).thenReturn(mockSession);
+        when(site.getSession(any(), anyBoolean())).thenCallRealMethod();
+        when(site.createSession(any(), anyBoolean())).thenReturn(mockSession);
         site.getSession(mockItem);
 
         when(mockSession.getIssuesFromJqlSearch(anyString())).thenReturn(Arrays.asList(mock(Issue.class)));

src/test/java/hudson/plugins/jira/DescriptorImplTest.java

@@ -125,7 +125,7 @@ public void validateFormConnectionErrors() throws Exception {
         when(descriptor.getBuilder()).thenReturn(builder);
         when(builder.build()).thenReturn(site);
         when(build.getParent()).thenReturn(project);
-        when(site.getSession(project)).thenReturn(session);
+        when(site.getSession(project, true)).thenReturn(session);
         when(session.getMyPermissions()).thenThrow(RestClientException.class);
 
         FormValidation validation = descriptor.doValidate(
@@ -142,7 +142,7 @@ public void validateFormConnectionErrors() throws Exception {
                 project);
 
         assertEquals(FormValidation.Kind.ERROR, validation.kind);
-        verify(site).getSession(project);
+        verify(site).getSession(project, true);
 
         validation = descriptor.doValidate(
                 "http://localhost:8080",
@@ -158,7 +158,7 @@ public void validateFormConnectionErrors() throws Exception {
                 project);
         assertEquals(Messages.JiraSite_timeoutMinimunValue("1"), validation.getLocalizedMessage());
         assertEquals(FormValidation.Kind.ERROR, validation.kind);
-        verify(site).getSession(project);
+        verify(site).getSession(project, true);
 
         validation = descriptor.doValidate(
                 "http://localhost:8080",
@@ -175,7 +175,7 @@ public void validateFormConnectionErrors() throws Exception {
 
         assertEquals(Messages.JiraSite_readTimeoutMinimunValue("1"), validation.getMessage());
         assertEquals(FormValidation.Kind.ERROR, validation.kind);
-        verify(site).getSession(project);
+        verify(site).getSession(project, true);
 
         validation = descriptor.doValidate(
                 "http://localhost:8080",
@@ -191,7 +191,7 @@ public void validateFormConnectionErrors() throws Exception {
                 project);
         assertEquals(Messages.JiraSite_threadExecutorMinimunSize("1"), validation.getMessage());
         assertEquals(FormValidation.Kind.ERROR, validation.kind);
-        verify(site).getSession(project);
+        verify(site).getSession(project, true);
     }
 
     @Test
@@ -200,7 +200,7 @@ public void validateFormConnectionOK() throws Exception {
 
         when(descriptor.getBuilder()).thenReturn(builder);
         when(builder.build()).thenReturn(site);
-        when(site.getSession(project)).thenReturn(session);
+        when(site.getSession(project, true)).thenReturn(session);
         when(session.getMyPermissions()).thenReturn(mock(Permissions.class));
 
         FormValidation validation = descriptor.doValidate(
@@ -217,7 +217,7 @@ public void validateFormConnectionOK() throws Exception {
                 project);
 
         verify(builder).build();
-        verify(site).getSession(project);
+        verify(site).getSession(project, true);
         assertEquals(FormValidation.Kind.OK, validation.kind);
     }
 }

src/test/java/hudson/plugins/jira/JiraCreateReleaseNotesTest.java

@@ -4,6 +4,7 @@
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyBoolean;
 import static org.mockito.Mockito.doReturn;
 import static org.mockito.Mockito.spy;
 import static org.mockito.Mockito.verify;
@@ -89,9 +90,9 @@ public void createCommonMocks() throws IOException, InterruptedException {
             }
         });
 
-        when(site.createSession(any())).thenReturn(session);
-        when(site.getSession(any())).thenCallRealMethod();
-        site.getSession(mockItem);
+        when(site.createSession(any(), anyBoolean())).thenReturn(session);
+        when(site.getSession(any(), anyBoolean())).thenCallRealMethod();
+        site.getSession(mockItem, false);
     }
 
     @Test

src/test/java/hudson/plugins/jira/JiraFolderPropertyTest.java

@@ -10,6 +10,7 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
+import java.util.stream.StreamSupport;
 import org.junit.Rule;
 import org.junit.Test;
 import org.jvnet.hudson.test.JenkinsRule;
@@ -37,14 +38,9 @@ public void configRoundtrip() throws Exception {
     }
 
     public static CredentialsStore getFolderStore(Folder f) {
-        Iterable<CredentialsStore> stores = CredentialsProvider.lookupStores(f);
-        CredentialsStore folderStore = null;
-        for (CredentialsStore s : stores) {
-            if (s.getProvider() instanceof FolderCredentialsProvider && s.getContext() == f) {
-                folderStore = s;
-                break;
-            }
-        }
-        return folderStore;
+        return StreamSupport.stream(CredentialsProvider.lookupStores(f).spliterator(), false)
+                .filter(s -> s.getProvider() instanceof FolderCredentialsProvider && s.getContext() == f)
+                .findFirst()
+                .orElse(null);
     }
 }

src/test/java/hudson/plugins/jira/JiraSiteSecurity1029Test.java

@@ -1,5 +1,6 @@
 package hudson.plugins.jira;
 
+import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.CoreMatchers.nullValue;
 import static org.hamcrest.MatcherAssert.assertThat;
@@ -33,6 +34,7 @@
 import org.htmlunit.HttpMethod;
 import org.htmlunit.Page;
 import org.htmlunit.WebRequest;
+import org.htmlunit.WebResponse;
 import org.htmlunit.util.NameValuePair;
 import org.junit.After;
 import org.junit.Rule;
@@ -167,6 +169,30 @@ public void cannotLeakCredentials() throws Exception {
             assertThat(servlet.getPasswordAndReset(), nullValue());
         }
 
+        { // as an user with just read access, I may not be able to leak any credentials with fake id in a folder
+            Folder folder = j.jenkins.createProject(
+                    Folder.class, "folder" + j.jenkins.getItems().size());
+
+            JenkinsRule.WebClient wc = j.createWebClient();
+            wc.getOptions().setThrowExceptionOnFailingStatusCode(false);
+            wc.withBasicApiToken(userFolderConfigure);
+
+            String jiraSiteValidateUrl = j.jenkins.getRootUrl() + folder.getUrl() + "descriptorByName/"
+                    + JiraSite.class.getName() + "/validate";
+            WebRequest request = new WebRequest(new URL(jiraSiteValidateUrl), HttpMethod.POST);
+            request.setRequestParameters(Arrays.asList(
+                    new NameValuePair("threadExecutorNumber", "1"),
+                    new NameValuePair("url", serverUri.toString()),
+                    new NameValuePair("credentialsId", "aussie-beer-is-the-best"), // use a non existing id on purpose
+                    new NameValuePair("useHTTPAuth", "true")));
+
+            Page page = wc.getPage(request);
+            WebResponse webResponse = page.getWebResponse();
+            assertThat(webResponse.getStatusCode(), equalTo(200));
+            assertThat(webResponse.getContentAsString(), containsString("Cannot validate configuration"));
+            assertThat(servlet.getPasswordAndReset(), nullValue());
+        }
+
         { // as an user with configure access, I can access
             Folder folder = j.jenkins.createProject(
                     Folder.class, "folder" + j.jenkins.getItems().size());