[JENKINS-73422] Add escape hatch for Authenticated user access to Resource URL (jenkinsci#9644)

Dohbedoh · daniel-beck · web-flow · commit 5fe9a448059c · 2024-08-30T14:26:27.000+01:00
Co-authored-by: Daniel Beck &lt;1831569+daniel-beck@users.noreply.github.com&gt;
diff --git a/core/src/main/java/jenkins/security/ResourceDomainRootAction.java b/core/src/main/java/jenkins/security/ResourceDomainRootAction.java
@@ -117,7 +117,7 @@ public Object getDynamic(String id, StaplerRequest req, StaplerResponse rsp) thr
             return null;
         }
 
-        if (!ACL.isAnonymous2(Jenkins.getAuthentication2())) {
+        if (!ALLOW_AUTHENTICATED_USER && !ACL.isAnonymous2(Jenkins.getAuthentication2())) {
             rsp.sendError(400);
             return null;
         }
@@ -327,4 +327,8 @@ private static Token decode(String value) {
     // Not @Restricted because the entire class is
     @SuppressFBWarnings(value = "MS_SHOULD_BE_FINAL", justification = "for script console")
     public static /* not final for Groovy */ int VALID_FOR_MINUTES = SystemProperties.getInteger(ResourceDomainRootAction.class.getName() + ".validForMinutes", 30);
+
+    /* Escape hatch for a security hardening preventing one of the known ways to elevate arbitrary file read to RCE */
+    @SuppressFBWarnings(value = "MS_SHOULD_BE_FINAL", justification = "for script console")
+    public static /* not final for Groovy */ boolean ALLOW_AUTHENTICATED_USER = SystemProperties.getBoolean(ResourceDomainRootAction.class.getName() + ".allowAuthenticatedUser", false);
 }
diff --git a/test/src/test/java/jenkins/security/ResourceDomainTest.java b/test/src/test/java/jenkins/security/ResourceDomainTest.java
@@ -399,7 +399,7 @@ public HttpResponse doDynamic() throws Exception {
     }
 
     @Test
-    public void authenticatedCannotAccessResourceDomain() throws Exception {
+    public void authenticatedCannotAccessResourceDomainUnlessAllowedBySystemProperty() throws Exception {
         j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
         final MockAuthorizationStrategy authorizationStrategy = new MockAuthorizationStrategy();
         authorizationStrategy.grant(Jenkins.ADMINISTER).everywhere().to("admin").grant(Jenkins.READ).everywhere().toEveryone();
@@ -416,5 +416,13 @@ public void authenticatedCannotAccessResourceDomain() throws Exception {
         try (JenkinsRule.WebClient wc = j.createWebClient().withBasicCredentials("admin")) {
             assertThat(assertThrows(FailingHttpStatusCodeException.class, () -> wc.getPage(new URL(resourceUrl))).getStatusCode(), is(400));
         }
+
+        ResourceDomainRootAction.ALLOW_AUTHENTICATED_USER = true;
+        try (JenkinsRule.WebClient wc = j.createWebClient().withBasicApiToken("admin")) {
+            assertThat(wc.getPage(new URL(resourceUrl)).getWebResponse().getStatusCode(), is(200));
+        }
+        try (JenkinsRule.WebClient wc = j.createWebClient().withBasicCredentials("admin")) {
+            assertThat(wc.getPage(new URL(resourceUrl)).getWebResponse().getStatusCode(), is(200));
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -117,7 +117,7 @@ public Object getDynamic(String id, StaplerRequest req, StaplerResponse rsp) thr`
`117`	`117`	`return null;`
`118`	`118`	`}`
`119`	`119`
`120`		`- if (!ACL.isAnonymous2(Jenkins.getAuthentication2())) {`
	`120`	`+ if (!ALLOW_AUTHENTICATED_USER && !ACL.isAnonymous2(Jenkins.getAuthentication2())) {`
`121`	`121`	`rsp.sendError(400);`
`122`	`122`	`return null;`
`123`	`123`	`}`
`@@ -327,4 +327,8 @@ private static Token decode(String value) {`
`327`	`327`	`// Not @Restricted because the entire class is`
`328`	`328`	`@SuppressFBWarnings(value = "MS_SHOULD_BE_FINAL", justification = "for script console")`
`329`	`329`	`public static /* not final for Groovy */ int VALID_FOR_MINUTES = SystemProperties.getInteger(ResourceDomainRootAction.class.getName() + ".validForMinutes", 30);`
	`330`	`+`
	`331`	`+ /* Escape hatch for a security hardening preventing one of the known ways to elevate arbitrary file read to RCE */`
	`332`	`+ @SuppressFBWarnings(value = "MS_SHOULD_BE_FINAL", justification = "for script console")`
	`333`	`+ public static /* not final for Groovy */ boolean ALLOW_AUTHENTICATED_USER = SystemProperties.getBoolean(ResourceDomainRootAction.class.getName() + ".allowAuthenticatedUser", false);`
`330`	`334`	`}`
Original file line number	Diff line number	Diff line change
`@@ -399,7 +399,7 @@ public HttpResponse doDynamic() throws Exception {`
`399`	`399`	`}`
`400`	`400`
`401`	`401`	`@Test`
`402`		`- public void authenticatedCannotAccessResourceDomain() throws Exception {`
	`402`	`+ public void authenticatedCannotAccessResourceDomainUnlessAllowedBySystemProperty() throws Exception {`
`403`	`403`	`j.jenkins.setSecurityRealm(j.createDummySecurityRealm());`
`404`	`404`	`final MockAuthorizationStrategy authorizationStrategy = new MockAuthorizationStrategy();`
`405`	`405`	`authorizationStrategy.grant(Jenkins.ADMINISTER).everywhere().to("admin").grant(Jenkins.READ).everywhere().toEveryone();`
`@@ -416,5 +416,13 @@ public void authenticatedCannotAccessResourceDomain() throws Exception {`
`416`	`416`	`try (JenkinsRule.WebClient wc = j.createWebClient().withBasicCredentials("admin")) {`
`417`	`417`	`assertThat(assertThrows(FailingHttpStatusCodeException.class, () -> wc.getPage(new URL(resourceUrl))).getStatusCode(), is(400));`
`418`	`418`	`}`
	`419`	`+`
	`420`	`+ ResourceDomainRootAction.ALLOW_AUTHENTICATED_USER = true;`
	`421`	`+ try (JenkinsRule.WebClient wc = j.createWebClient().withBasicApiToken("admin")) {`
	`422`	`+ assertThat(wc.getPage(new URL(resourceUrl)).getWebResponse().getStatusCode(), is(200));`
	`423`	`+ }`
	`424`	`+ try (JenkinsRule.WebClient wc = j.createWebClient().withBasicCredentials("admin")) {`
	`425`	`+ assertThat(wc.getPage(new URL(resourceUrl)).getWebResponse().getStatusCode(), is(200));`
	`426`	`+ }`
`419`	`427`	`}`
`420`	`428`	`}`