Jenkins REST APIs vulnerable to clickjacking
Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.
Affected versions
Details
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier does not serve the `X-Frame-Options: deny` HTTP header on REST API responses to protect against clickjacking attacks. An attacker could exploit this by routing the victim through a specially crafted web page that embeds a REST API endpoint in an iframe and tricking the user into performing an action which would allow for the attacker to learn the content of that REST API endpoint. Jenkins 2.219, LTS 2.204.2 now adds the `X-Frame-Options: deny` HTTP header to REST API responses, which prevents these types of clickjacking attacks.
The fix
[SECURITY-1704]
core/src/main/java/hudson/model/Api.java+4 −0
@@ -246,6 +246,10 @@ private boolean permit(StaplerRequest req) {protected void setHeaders(StaplerResponse rsp) {rsp.setHeader("X-Jenkins", Jenkins.VERSION);rsp.setHeader("X-Jenkins-Session", Jenkins.SESSION_HASH);+// to be really defensive against dumb browsers not taking into consideration the content-type being set+rsp.setHeader("X-Content-Type-Options", "nosniff");+// recommended by OWASP: https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html#security-headers+rsp.setHeader("X-Frame-Options", "deny");}private static final Logger LOGGER = Logger.getLogger(Api.class.getName());
test/src/test/java/hudson/model/ApiSEC1704Test.java+109 −0
@@ -0,0 +1,109 @@+/*+* The MIT License+*+* Copyright (c) 2004-2009, Sun Microsystems, Inc., Kohsuke Kawaguchi, Yahoo!, Inc.+*+* Permission is hereby granted, free of charge, to any person obtaining a copy+* of this software and associated documentation files (the "Software"), to deal+* in the Software without restriction, including without limitation the rights+* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell+* copies of the Software, and to permit persons to whom the Software is+* furnished to do so, subject to the following conditions:+*+* The above copyright notice and this permission notice shall be included in+* all copies or substantial portions of the Software.+*+* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR+* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,+* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE+* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER+* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,+* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN+* THE SOFTWARE.+*/+package hudson.model;++import com.gargoylesoftware.htmlunit.WebResponse;+import org.junit.Rule;+import org.junit.Test;+import org.jvnet.hudson.test.Issue;+import org.jvnet.hudson.test.JenkinsRule;+import org.jvnet.hudson.test.TestExtension;+import org.kohsuke.stapler.export.ExportedBean;++import javax.annotation.CheckForNull;++import static org.hamcrest.Matchers.equalTo;+import static org.junit.Assert.assertThat;++//TODO to be merged back to ApiTest after security release+/**+* @author Kohsuke Kawaguchi+*/+public class ApiSEC1704Test {++@Rule+public JenkinsRule j = new JenkinsRule();++@Test+@Issue("SECURITY-1704")+public void project_notExposedToIFrame() throws Exception {+FreeStyleProject p = j.createFreeStyleProject("p");+ensureXmlIsNotExposedToIFrame(p.getUrl());+ensureJsonIsNotExposedToIFrame(p.getUrl());+ensurePythonIsNotExposedToIFrame(p.getUrl());+}++@Test+@Issue("SECURITY-1704")+public void custom_notExposedToIFrame() throws Exception {+ensureXmlIsNotExposedToIFrame("custom/");+ensureJsonIsNotExposedToIFrame("custom/");+ensurePythonIsNotExposedToIFrame("custom/");+}++private void ensureXmlIsNotExposedToIFrame(String itemUrl) throws Exception {+WebResponse response = j.createWebClient().goTo(itemUrl + "api/xml", "application/xml").getWebResponse();+assertThat(response.getResponseHeaderValue("X-Frame-Options"), equalTo("deny"));+}++private void ensureJsonIsNotExposedToIFrame(String itemUrl) throws Exception {+WebResponse response = j.createWebClient().goTo(itemUrl + "api/json", "application/json").getWebResponse();+assertThat(response.getResponseHeaderValue("X-Frame-Options"), equalTo("deny"));+}++private void ensurePythonIsNotExposedToIFrame(String itemUrl) throws Exception {+WebResponse response = j.createWebClient().goTo(itemUrl + "api/python", "text/x-python").getWebResponse();+assertThat(response.getResponseHeaderValue("X-Frame-Options"), equalTo("deny"));+}++@TestExtension("custom_notExposedToIFrame")+public static class CustomObject implements RootAction {+@Override+public @CheckForNull String getIconFileName() {+return null;+}++@Override+public @CheckForNull String getDisplayName() {+return null;+}++@Override+public @CheckForNull String getUrlName() {+return "custom";+}++public Api getApi() {+return new Api(new CustomData("s3cr3t"));+}++@ExportedBean+class CustomData {+private String secret;+CustomData(String secret){+this.secret = secret;+}+}+}+}
test/src/test/java/hudson/security/csrf/DefaultCrumbIssuerSEC1704Test.java+63 −0
@@ -0,0 +1,63 @@+/**+* Copyright (c) 2008-2010 Yahoo! Inc.+* All rights reserved.+* The copyrights to the contents of this file are licensed under the MIT License (http://www.opensource.org/licenses/mit-license.php)+*/++package hudson.security.csrf;++import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;+import com.gargoylesoftware.htmlunit.WebResponse;+import com.gargoylesoftware.htmlunit.html.DomElement;+import com.gargoylesoftware.htmlunit.html.HtmlPage;+import hudson.model.FreeStyleProject;+import hudson.model.User;+import org.junit.Before;+import org.junit.Rule;+import org.junit.Test;+import org.jvnet.hudson.test.Issue;+import org.jvnet.hudson.test.JenkinsRule;+import org.jvnet.hudson.test.JenkinsRule.WebClient;++import static org.hamcrest.Matchers.equalTo;+import static org.junit.Assert.assertEquals;+import static org.junit.Assert.assertThat;+import static org.junit.Assert.assertTrue;+import static org.junit.Assert.fail;++/**+*+* @author dty+*/+//TODO merge back to DefaultCrumbIssuerTest+public class DefaultCrumbIssuerSEC1704Test {++@Rule public JenkinsRule r = new JenkinsRule();++@Before public void setIssuer() {+r.jenkins.setCrumbIssuer(new DefaultCrumbIssuer(false));+}++@Test+@Issue("SECURITY-1704")+public void custom_notExposedToIFrame() throws Exception {+ensureXmlIsNotExposedToIFrame("crumbIssuer/");+ensureJsonIsNotExposedToIFrame("crumbIssuer/");+ensurePythonIsNotExposedToIFrame("crumbIssuer/");+}++private void ensureXmlIsNotExposedToIFrame(String itemUrl) throws Exception {+WebResponse response = r.createWebClient().goTo(itemUrl + "api/xml", "application/xml").getWebResponse();+assertThat(response.getResponseHeaderValue("X-Frame-Options"), equalTo("deny"));+}++private void ensureJsonIsNotExposedToIFrame(String itemUrl) throws Exception {+WebResponse response = r.createWebClient().goTo(itemUrl + "api/json", "application/json").getWebResponse();+assertThat(response.getResponseHeaderValue("X-Frame-Options"), equalTo("deny"));+}++private void ensurePythonIsNotExposedToIFrame(String itemUrl) throws Exception {+WebResponse response = r.createWebClient().goTo(itemUrl + "api/python", "text/x-python").getWebResponse();+assertThat(response.getResponseHeaderValue("X-Frame-Options"), equalTo("deny"));+}+}
References
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-2105
- WEBhttps://github.com/jenkinsci/jenkins/commit/639ade55caa05324c60d15b2fa8df27ee0111b76
- WEBhttps://access.redhat.com/errata/RHBA-2020:0402
- WEBhttps://access.redhat.com/errata/RHBA-2020:0675
- WEBhttps://access.redhat.com/errata/RHSA-2020:0681
- WEBhttps://access.redhat.com/errata/RHSA-2020:0683
- PACKAGEhttps://github.com/jenkinsci/jenkins
- WEBhttps://jenkins.io/security/advisory/2020-01-29/#SECURITY-1704
- WEBhttp://www.openwall.com/lists/oss-security/2020/01/29/1