Fix CVE-2022-27204 / SECURITY-1350

[ciis0]

https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-1350

Implement suggestion from https://www.jenkins.io/doc/developer/security/form-validation/

• Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
• Ensure that the pull request title represents the desired changelog entry
• Please describe what you did
• Link to relevant issues in GitHub or Jira: SECURITY-1350
• Link to relevant pull requests, esp. upstream and downstream changes
• Ensure you have provided tests - that demonstrates feature works or fixes the issue

Fix CVE from title by applying suggestions from https://www.jenkins.io/doc/developer/security/form-validation/.

[ciis0]

Locally, GET does not work anymore:

C:\Users\A613952>curl.exe -v -u admin:<snip> "http://localhost:8080/job/test/descriptorByName/com.cwctravel.hudson.plugins.extended_choice_parameter.ExtendedChoiceParameterDefinition/checkPropertyFile?propertyFile=https%3A%2F%2Fssrf.example.com"
*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
* Server auth using Basic with user 'admin'
> GET /job/test/descriptorByName/com.cwctravel.hudson.plugins.extended_choice_parameter.ExtendedChoiceParameterDefinition/checkPropertyFile?propertyFile=https%3A%2F%2Fssrf.example.com HTTP/1.1
> Host: localhost:8080
> Authorization: Basic <snip>
> User-Agent: curl/7.79.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< X-Content-Type-Options: nosniff
< Cache-Control: must-revalidate,no-cache,no-store
< Content-Type: text/html;charset=iso-8859-1
< Content-Length: 576
< Server: Jetty(9.4.43.v20210629)
<
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 404 Not Found</title>
</head>
<body><h2>HTTP ERROR 404 Not Found</h2>
<table>
<tr><th>URI:</th><td>/job/test/descriptorByName/com.cwctravel.hudson.plugins.extended_choice_parameter.ExtendedChoiceParameterDefinition/checkPropertyFile</td></tr>
<tr><th>STATUS:</th><td>404</td></tr>
<tr><th>MESSAGE:</th><td>Not Found</td></tr>
<tr><th>SERVLET:</th><td>Stapler</td></tr>
</table>
<hr><a href="https://eclipse.org/jetty">Powered by Jetty:// 9.4.43.v20210629</a><hr/>

</body>
</html>
* Connection #0 to host localhost left intact

And POST is CSRF protected:

C:\Users\A613952>curl.exe -X POST -v -u admin:<snip> "http://localhost:8080/job/test/descriptorByName/com.cwctravel.hudson.plugins.extended_choice_parameter.ExtendedChoiceParameterDefinition/checkPropertyFile?propertyFile=https%3A%2F%2Fssrf.example.com"
*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
* Server auth using Basic with user 'admin'
> POST /job/test/descriptorByName/com.cwctravel.hudson.plugins.extended_choice_parameter.ExtendedChoiceParameterDefinition/checkPropertyFile?propertyFile=https%3A%2F%2Fssrf.example.com HTTP/1.1
> Host: localhost:8080
> Authorization: Basic <snip>
> User-Agent: curl/7.79.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< X-Content-Type-Options: nosniff
< Cache-Control: must-revalidate,no-cache,no-store
< Content-Type: text/html;charset=iso-8859-1
< Content-Length: 675
< Server: Jetty(9.4.43.v20210629)
<
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 403 No valid crumb was included in the request</title>
</head>
<body><h2>HTTP ERROR 403 No valid crumb was included in the request</h2>
<table>
<tr><th>URI:</th><td>/job/test/descriptorByName/com.cwctravel.hudson.plugins.extended_choice_parameter.ExtendedChoiceParameterDefinition/checkPropertyFile</td></tr>
<tr><th>STATUS:</th><td>403</td></tr>
<tr><th>MESSAGE:</th><td>No valid crumb was included in the request</td></tr>
<tr><th>SERVLET:</th><td>Stapler</td></tr>
</table>
<hr><a href="https://eclipse.org/jetty">Powered by Jetty:// 9.4.43.v20210629</a><hr/>

</body>
</html>
* Connection #0 to host localhost left intact

[foxdalas]

@vimil Hi! What do you think about this pr?

[LukaSvastVolue]

@vimil any progress here, it would be great if this fix is merged

[ciis0]

Pinging more members who could have write access
@Vlatombe @oleg-nenashev @cjo9900 @olivergondza @mat1e

[charlysotelo]

Pretty please? What can we do to move this along?

[paul-uz]

+1

[ciis0]

Note: You can download my fixed version from CI:

https://ci.jenkins.io/blue/organizations/jenkins/Plugins%2Fextended-choice-parameter-plugin/detail/PR-39/1/artifacts

https://ci.jenkins.io/job/Plugins/job/extended-choice-parameter-plugin/job/PR-39/1/artifact/org/jenkins-ci/plugins/extended-choice-parameter/347.va_2f0c3b_f1849/extended-choice-parameter-347.va_2f0c3b_f1849.hpi

[seam33]

@ciis0 Hi, I am using your fixed version and the warning keeps to pop up. So, I would like to know when you can merge the new version? Does we need waiting more time? It is important because, I am using it in some workflows....

[criztovyl]

Hi @seam33,

ciis0 does not have the permission to merge the PR, that needs to be done by an official Jenkins maintainer, but we could not get the attention of one yet.

As such we'll need more patience.

[daniel-beck]

This fix looks incomplete, it only addresses the CSRF issue, not the missing permission checks.

Regarding getting a new release with security issues being fixed when maintainers are unresponsive, see https://www.jenkins.io/doc/developer/plugin-governance/adopt-a-plugin/

[criztovyl]

For CVE-2022-27204 the fix is complete (perm check is 05), only for SECURITY-1350 it is incomplete.

I consider the CSRF more severe and easy to fix, while the perm check is not as severe and not as easy to fix.

I will have a look at adopting the plugin.

[daniel-beck]

For GHSA-fqpx-xfjr-2qr9 the fix is complete (perm check is 05)

Good point. We'd still leave the security warning up even if this is addressed, because there's only one advisory entry and warning for both CVEs.

… more severe … not as severe …

Depends on your setup, if you were an admin of ci.jenkins.io you'd see this differently :)