Issue Type: Bug
Assignee: Unassigned
Components: build-pipeline
Created: 17/Apr/14 3:11 PM
Description:

Since MyUserIdCause.user is not transient, the entire User object is serialized to a build record as per $JENKINS_HOME/users/*/config.xml, including dangerous things like a customized API token and credentials.

And the class is not static, so it serializes a reference to the BuildPipelineView mentioning it.

Example:

<?xml version='1.0' encoding='UTF-8'?>
<build>
  <actions>
    ...
    <hudson.model.CauseAction>
      <causes>
        <au.com.centrumsystems.hudson.plugin.buildpipeline.BuildPipelineView_-MyUserIdCause plugin="[email protected]">
          <userId>[email protected]</userId>
          <user>
            <fullName>Some Person</fullName>
            <properties>
              <jenkins.security.ApiTokenProperty>
                <apiToken>OOPS!</apiToken>
              </jenkins.security.ApiTokenProperty>
              <com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty plugin="[email protected]">
                <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
                  <entry>
                    ...
                  </entry>
                </domainCredentialsMap>
              </com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty>
              <hudson.model.MyViewsProperty>
                <views>
                  ...
                </views>
              </hudson.model.MyViewsProperty>
              <hudson.plugins.openid.OpenIdUserProperty plugin="[email protected]">
                <identifiers>
                  <string>OOPS!</string>
                </identifiers>
              </hudson.plugins.openid.OpenIdUserProperty>
              ...
            </properties>
          </user>
          <outer-class reference="../user/properties/hudson.model.MyViewsProperty/views/au.com.centrumsystems.hudson.plugin.buildpipeline.BuildPipelineView[10]"/>
        </au.com.centrumsystems.hudson.plugin.buildpipeline.BuildPipelineView_-MyUserIdCause>
      </causes>
    </hudson.model.CauseAction>
    ...
  </actions>
  ...
</build>

A Cause must be a static class with a small serial form. In this case you need only a String userId field; use User.get to retrieve the live object on demand.

(Or just use the standard UserIdCause. It is not clear why you felt the need to subclass that.)
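The fix described above, as an added illustration (this is not the build-pipeline plugin's own code; the class and field names other than User.get and Cause are assumed): the leaky inner class beside the static, id-only form that resolves the User on demand.

```java
import hudson.model.Cause;
import hudson.model.User;

// Hypothetical view class standing in for BuildPipelineView (names assumed).
public class ExampleView {

    // BEFORE (the shape the report complains about): a non-static inner class
    // holding a live User. XStream persists the whole User object (API token,
    // credentials, views, ...) into build.xml, plus an <outer-class>
    // back-reference to the enclosing view, because the class is not static.
    public class LeakyUserIdCause extends Cause {
        private final String userId;
        private final User user; // not transient: fully serialized with the build

        public LeakyUserIdCause(User user) {
            this.user = user;
            this.userId = user.getId();
        }

        @Override
        public String getShortDescription() {
            return "Started by " + user.getDisplayName();
        }
    }

    // AFTER: a static nested class whose only persisted state is the user id.
    // Nothing else reaches the build record, and there is no outer-class reference.
    public static class SafeUserIdCause extends Cause {
        private final String userId;

        public SafeUserIdCause(String userId) {
            this.userId = userId;
        }

        public String getUserId() {
            return userId;
        }

        // Resolve the live User on demand; create=false returns null for unknown ids
        // rather than creating a user record as a side effect of rendering a cause.
        public User getUser() {
            return userId == null ? null : User.get(userId, false);
        }

        @Override
        public String getShortDescription() {
            User u = getUser();
            return "Started by " + (u != null ? u.getDisplayName() : userId);
        }
    }
}
```

As the report notes, the standard hudson.model.Cause.UserIdCause already has exactly this id-only serial form, so subclassing is only needed if the plugin must add state of its own.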

Project: Jenkins
Labels: security
Priority: Critical
Reporter: Jesse Glick
This message is automatically generated by JIRA.