Branch: refs/heads/master
Home: https://github.com/jenkinsci/gerrit-code-review-plugin
Commit: a02a89fc4dc6b93af4f50052c8cdfb2df160f84c
https://github.com/jenkinsci/gerrit-code-review-plugin/commit/a02a89fc4dc6b93af4f50052c8cdfb2df160f84c
Author: Luca Milanesio <luca.milane...@gmail.com>
Date: 2024-01-18 (Thu, 18 Jan 2024)
Changed paths:
  M src/main/java/jenkins/plugins/gerrit/GerritSCMSource.java
  M src/main/java/jenkins/plugins/gerrit/GerritWebHook.java
  M src/main/resources/jenkins/plugins/gerrit/GerritSCMNavigator/config.jelly
  A src/main/resources/jenkins/plugins/gerrit/GerritSCMNavigator/help-apiKey.html
  M src/main/resources/jenkins/plugins/gerrit/GerritSCMSource/config-detail.jelly
  A src/main/resources/jenkins/plugins/gerrit/GerritSCMSource/help-apiKey.html
  A src/test/java/hudson/util/TestSecret.java
  M src/test/java/jenkins/plugins/gerrit/GerritWebHookTriggerTest.java

Log Message:
-----------
[SECURITY-2847] Introduce apiKey/jobName to WebHooks to prevent abuse

The /gerrit-webhook/ endpoint allows the rescan of the SCM branches as soon as a Gerrit ref-update (or other event) is received, thanks to the integration with Gerrit web-hooks. However, the trigger can also be executed by a malicious user who could "guess" the project name by suffix and therefore cause a significant server overload due to the retriggering of the SCM scans.

Introduce an additional apiKey parameter to the Gerrit SCM Source as an additional layer of security to prevent abuse by a malicious REST-API execution.

P.S. The apiKey needs to be specified as a URL query parameter because of the current lack of support for extra HTTP headers by Gerrit web-hooks.

Also add a secondary 'jobName' in the query string to prevent the accidental matching of projects by SCM source suffixes: only the multi-branch pipeline matching exactly the job name specified will be considered for triggering the SCM source events.

NOTE: This is a breaking change for existing job definitions and webhook configuration because the apiKey is a mandatory parameter; its absence would cause the webhook to fail and existing jobs to miss the automatic triggering.

Change-Id: I55ceb10a00981f6c0f889616ee906f1d002782cb

-- 
You received this message because you are subscribed to the Google Groups "Jenkins Commits" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-commits+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-commits/jenkinsci/gerrit-code-review-plugin/push/refs/heads/master/d9df64-a02a89%40github.com.
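The following is an added example and not the plugin's code or part of the commit above. It models, in Python, the two behaviours the commit message contrasts: a legacy dispatcher that authenticates nothing and selects jobs by project-name suffix (so a guessed suffix such as "core" rescans every job whose project ends in it), and a hardened dispatcher that requires the apiKey and jobName query parameters, matches jobName exactly, and compares the key in constant time. The job table, the key values, the function names (make_jobs, legacy_dispatch, hardened_dispatch), the HTTP status codes and the suffix-match model of the old behaviour are all constructed for illustration from the message's wording; the real plugin's matching and response details are not shown on this page.

```python
"""Illustrative model (not the Gerrit Code Review plugin's code) of webhook
dispatch before and after requiring apiKey/jobName on /gerrit-webhook/."""
import hmac
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass
class MultiBranchJob:
    name: str             # Jenkins job name; must equal the jobName parameter exactly
    gerrit_project: str   # Gerrit project configured on the SCM Source
    api_key: str          # per-job secret (constructed value; assumed per-job storage)
    scans_triggered: int = 0


def make_jobs():
    """Constructed job table: two unrelated jobs whose projects share the suffix 'core'."""
    return [
        MultiBranchJob("platform-core", "platform/core", "k-platform-0123456789abcdef"),
        MultiBranchJob("vendor-core", "vendor/core", "k-vendor-fedcba9876543210"),
    ]


def legacy_dispatch(jobs, event_project):
    """Pre-fix behaviour as described in the commit message (simplified model):
    no credential is checked and every job whose project matches the supplied
    name by suffix is rescanned, so a short guessed suffix fans out to many scans."""
    hit = [j for j in jobs if j.gerrit_project.endswith(event_project)]
    for j in hit:
        j.scans_triggered += 1
    return [j.name for j in hit]


def hardened_dispatch(jobs, request_url, event_project):
    """Post-fix behaviour: apiKey and jobName are mandatory query parameters,
    jobName must equal one job name exactly, and apiKey is compared in constant
    time against that job's configured secret. Returns (status, rescanned_jobs)."""
    qs = parse_qs(urlsplit(request_url).query)
    api_key = qs.get("apiKey", [""])[0]
    job_name = qs.get("jobName", [""])[0]
    if not api_key or not job_name:
        # Missing mandatory parameter: the webhook fails (the breaking change noted above).
        return 400, []

    job = next((j for j in jobs if j.name == job_name), None)
    # Compare against a dummy when the job is unknown so that neither the response
    # nor the timing tells a caller whether a guessed jobName exists.
    expected = job.api_key if job is not None else "\x00" * 32
    key_ok = hmac.compare_digest(expected.encode(), api_key.encode())
    if job is None or not key_ok:
        return 403, []
    if event_project != job.gerrit_project:
        # Authenticated, but the event does not belong to this job's project: ignore it.
        return 204, []
    job.scans_triggered += 1
    return 200, [job.name]
```

Because the key travels in the query string (the commit explains why a header is not an option with Gerrit web-hooks), expect it to appear in reverse-proxy and Jenkins access logs; treat it as a rotatable per-job secret rather than a long-lived shared one.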