[SECURITY-3075] getAggregateSecretPattern to fail when run inside agent JVM
#260
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
🤔 Given jenkinsci/workflow-api-plugin#290 I should probably write a test to make sure that the ISE is not just caught and ignored. |
…ding-plugin into SECURITY-3075-strict
…ar indication of the plugin bug
jglick
commented
Jul 27, 2023
Comment on lines
+63
to
+65
| /* Not currently ensured: | ||
| r.assertLogNotContains("s3cr3t", b); | ||
| */ |
There was a problem hiding this comment.
At first I thought I might have getAggregateSecretPattern log a warning but return Pattern.compile(".+") to guarantee that the secret (along with everything else) is masked. But this just seemed confusing, and the stack trace would be shown only in the agent log, not the controller log nor build console. So I settled on just throwing the exception, which results in a warning in the agent log but also a clear error in the build log:
Started
[Pipeline] Start of Pipeline
[Pipeline] node
Running on remote in /…/agent-work-dirs/remote/workspace/p
[Pipeline] {
[Pipeline] isUnix
[Pipeline] sh
java.lang.IllegalStateException: Not running on the Jenkins controller JVM
at jenkins.util.JenkinsJVM.checkJenkinsJVM(JenkinsJVM.java:46)
at org.jenkinsci.plugins.credentialsbinding.masking.SecretPatterns.getAggregateSecretPattern(SecretPatterns.java:57)
at org.jenkinsci.plugins.credentialsbinding.masking.SecretPatternsTest$BadMasker.decorate(SecretPatternsTest.java:73)
at org.jenkinsci.plugins.workflow.log.TaskListenerDecorator.decorateAll(TaskListenerDecorator.java:231)
at org.jenkinsci.plugins.workflow.log.TaskListenerDecorator$DecoratedTaskListener.getLogger(TaskListenerDecorator.java:269)
at org.jenkinsci.plugins.workflow.log.TaskListenerDecorator$CloseableTaskListener.getLogger(TaskListenerDecorator.java:306)
at org.jenkinsci.plugins.workflow.steps.durable_task.DurableTaskStep$Execution$NewlineSafeTaskListener.getLogger(DurableTaskStep.java:458)
at org.jenkinsci.plugins.workflow.steps.durable_task.DurableTaskStep$HandlerImpl.output(DurableTaskStep.java:723)
at org.jenkinsci.plugins.durabletask.FileMonitoringTask$Watcher.run(FileMonitoringTask.java:611)
at jenkins.security.ImpersonatingScheduledExecutorService$1.run(ImpersonatingScheduledExecutorService.java:67)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
+ echo do not look at s3cr3t please
do not look at s3cr3t please
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS
This makes it obvious to both end users and the plugin developer that something is broken in the plugin, so it should lead to the bad masking actually getting fixed.
Comment on lines
+73
to
+74
| Pattern pattern = SecretPatterns.getAggregateSecretPattern(Set.of("s3cr3t")); | ||
| return new SecretPatterns.MaskingOutputStream(logger, () -> pattern, "UTF-8"); |
There was a problem hiding this comment.
As opposed to
Suggested change
| Pattern pattern = SecretPatterns.getAggregateSecretPattern(Set.of("s3cr3t")); | |
| return new SecretPatterns.MaskingOutputStream(logger, () -> pattern, "UTF-8"); | |
| return new SecretPatterns.MaskingOutputStream(logger, () -> SecretPatterns.getAggregateSecretPattern(Set.of("s3cr3t")), "UTF-8"); |
as in the code prior to jenkinsci/azure-keyvault-plugin@f46b7fa for example. In this case the exception is thrown from a different spot and handled differently:
Started
[Pipeline] Start of Pipeline
[Pipeline] node
Running on remote in /…/agent-work-dirs/remote/workspace/p
[Pipeline] {
[Pipeline] isUnix
[Pipeline] sh
java.lang.IllegalStateException: Not running on the Jenkins controller JVM
at jenkins.util.JenkinsJVM.checkJenkinsJVM(JenkinsJVM.java:46)
at org.jenkinsci.plugins.credentialsbinding.masking.SecretPatterns.getAggregateSecretPattern(SecretPatterns.java:57)
at org.jenkinsci.plugins.credentialsbinding.masking.SecretPatternsTest$BadMasker.lambda$decorate$0(SecretPatternsTest.java:73)
at org.jenkinsci.plugins.credentialsbinding.masking.SecretPatterns$MaskingOutputStream.eol(SecretPatterns.java:93)
at hudson.console.LineTransformationOutputStream.eol(LineTransformationOutputStream.java:61)
at hudson.console.LineTransformationOutputStream.write(LineTransformationOutputStream.java:57)
at java.base/java.io.PrintStream.write(PrintStream.java:528)
at java.base/java.io.FilterOutputStream.write(FilterOutputStream.java:87)
at org.jenkinsci.plugins.workflow.steps.durable_task.DurableTaskStep$Execution$NewlineSafeTaskListener$1.write(DurableTaskStep.java:462)
at java.base/java.io.FilterOutputStream.write(FilterOutputStream.java:137)
at org.jenkinsci.plugins.workflow.steps.durable_task.DurableTaskStep$Execution$NewlineSafeTaskListener$1.write(DurableTaskStep.java:466)
at org.apache.commons.io.IOUtils.copyLarge(IOUtils.java:1310)
at org.apache.commons.io.IOUtils.copy(IOUtils.java:978)
at org.apache.commons.io.IOUtils.copyLarge(IOUtils.java:1282)
at org.apache.commons.io.IOUtils.copy(IOUtils.java:953)
at org.jenkinsci.plugins.workflow.steps.durable_task.DurableTaskStep$HandlerImpl.output(DurableTaskStep.java:737)
at org.jenkinsci.plugins.durabletask.FileMonitoringTask$Watcher.run(FileMonitoringTask.java:611)
at jenkins.security.ImpersonatingScheduledExecutorService$1.run(ImpersonatingScheduledExecutorService.java:67)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
with the agent printing a warning
WARNING: giving up on watching …
timja
approved these changes
Jul 27, 2023
|
Caused jenkinsci/hashicorp-vault-plugin#311 and JENKINS-71788. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Cleans up after #239, especially relevant now given jenkinsci/workflow-durable-task-step-plugin#323.