Security context
High· 8.0GHSA-864v-5q2g-fr64 CVE-2020-2222CWE-79Published May 24, 2022

Stored XSS vulnerability in Jenkins 'keep forever' badge icon

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

0 → fixed in 2.235.22.236 → fixed in 2.245

Details

Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to configure job names. As job names do not generally support the character set needed for XSS, this is believed to be difficult to exploit in common configurations. Jenkins 2.245, LTS 2.235.2 escapes the job name in the 'Keep this build forever' badge tooltip.

The fix

[SECURITY-1902]

Wadeck Follonier· Jun 30, 2020, 02:56 PM+1611e7443ef2ef
core/src/main/resources/hudson/model/Run/KeepLogBuildBadge/badge.jelly+1 1
@@ -23,4 +23,4 @@ THE SOFTWARE.
-->
<?jelly escape-by-default='true'?>
-<l:icon class="icon-lock icon-sm" tooltip="${%Keep this build forever}:&lt;br/&gt;${build.whyKeepLog}" xmlns:l="/lib/layout"/>
+<l:icon class="icon-lock icon-sm" tooltip="${%Keep this build forever}:&lt;br/&gt;${h.xmlEscape(build.whyKeepLog)}" xmlns:l="/lib/layout"/>
test/src/test/java/hudson/model/RunSEC1902Test.java+160 0
@@ -0,0 +1,160 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2004-2009, Sun Microsystems, Inc., Kohsuke Kawaguchi, Jorg Heymans
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package hudson.model;
+
+import com.gargoylesoftware.htmlunit.ScriptResult;
+import com.gargoylesoftware.htmlunit.html.HtmlPage;
+import hudson.Launcher;
+import hudson.tasks.BuildTrigger;
+import hudson.tasks.Builder;
+import hudson.tasks.Fingerprinter;
+import jenkins.model.Jenkins;
+import org.junit.Rule;
+import org.junit.Test;
+import org.jvnet.hudson.test.Issue;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.TestExtension;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+
+import static org.hamcrest.CoreMatchers.containsString;
+import static org.hamcrest.CoreMatchers.instanceOf;
+import static org.hamcrest.CoreMatchers.not;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertThat;
+
+public class RunSEC1902Test {
+
+ @Rule
+ public JenkinsRule j = new JenkinsRule();
+
+ @Issue("SECURITY-1902")
+ @Test public void preventXssInBadgeTooltip() throws Exception {
+ j.jenkins.setQuietPeriod(0);
+ /*
+ * The scenario to trigger is to have a build protected from deletion because of an upstream protected build.
+ * Once we have that condition, we need to ensure the upstream project has a dangerous name
+ */
+ FreeStyleProject up = j.createFreeStyleProject("up");
+ up.getBuildersList().add(new WriteFileStep());
+ up.getPublishersList().add(new Fingerprinter("**/*"));
+
+ FullNameChangingProject down = j.createProject(FullNameChangingProject.class, "down");
+ down.getBuildersList().add(new WriteFileStep());
+ down.getPublishersList().add(new Fingerprinter("**/*"));
+ // protected field, we are in the same package
+ down.keepDependencies = true;
+
+ up.getPublishersList().add(new BuildTrigger(down.getFullName(), false));
+
+ j.jenkins.rebuildDependencyGraph();
+
+ FreeStyleBuild upBuild = j.buildAndAssertSuccess(up);
+ j.waitUntilNoActivity();
+ CustomBuild downBuild = down.getBuilds().getLastBuild();
+ assertNotNull("The down build must exist, otherwise the up's one is not protected.", downBuild);
+
+ // updating the name before the build is problematic under Windows
+ // so we are updating internal stuff manually
+ String newName = "Down<img src=x onerror=alert(123)>Project";
+ down.setVirtualName(newName);
+ Fingerprint f = upBuild.getAction(Fingerprinter.FingerprintAction.class).getFingerprints().get("test.txt");
+ f.add(newName, 1);
+
+ // keeping the minimum to validate it's working and it's not exploitable as there are some modifications
+ // like adding double quotes
+ ensureXssIsPrevented(up, "Down", "<img");
+ }
+
+ private void ensureXssIsPrevented(FreeStyleProject upProject, String validationPart, String dangerousPart) throws Exception {
+ JenkinsRule.WebClient wc = j.createWebClient();
+ HtmlPage htmlPage = wc.goTo(upProject.getUrl());
+
+ // trigger the tooltip display
+ htmlPage.executeJavaScript("document.querySelector('#buildHistory table .build-badge img').dispatchEvent(new Event('mouseover'));");
+ wc.waitForBackgroundJavaScript(500);
+ ScriptResult result = htmlPage.executeJavaScript("document.querySelector('#tt').innerHTML;");
+ Object jsResult = result.getJavaScriptResult();
+ assertThat(jsResult, instanceOf(String.class));
+ String jsResultString = (String) jsResult;
+
+ assertThat("The tooltip does not work as expected", jsResultString, containsString(validationPart));
+ assertThat("XSS not prevented", jsResultString, not(containsString(dangerousPart)));
+ }
+
+ public static class WriteFileStep extends Builder {
+ @Override
+ public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener) throws InterruptedException, IOException {
+ build.getWorkspace().child("test.txt").write("123", StandardCharsets.UTF_8.name());
+ return true;
+ }
+ }
+
+ public static class CustomBuild extends Build<FullNameChangingProject, CustomBuild> {
+ public CustomBuild(FullNameChangingProject job) throws IOException {
+ super(job);
+ }
+ }
+
+ static class FullNameChangingProject extends Project<FullNameChangingProject, CustomBuild> implements TopLevelItem {
+ private volatile String virtualName;
+
+ public FullNameChangingProject(ItemGroup parent, String name) {
+ super(parent, name);
+ }
+
+ public void setVirtualName(String virtualName) {
+ this.virtualName = virtualName;
+ }
+
+ @Override
+ public String getName() {
+ if (virtualName != null) {
+ return virtualName;
+ } else {
+ return super.getName();
+ }
+ }
+
+ @Override
+ protected Class<CustomBuild> getBuildClass() {
+ return CustomBuild.class;
+ }
+
+ @Override
+ public TopLevelItemDescriptor getDescriptor() {
+ return (FreeStyleProject.DescriptorImpl) Jenkins.get().getDescriptorOrDie(getClass());
+ }
+
+ @TestExtension("preventXssInBadgeTooltip")
+ public static class DescriptorImpl extends AbstractProjectDescriptor {
+
+ @Override
+ public FullNameChangingProject newInstance(ItemGroup parent, String name) {
+ return new FullNameChangingProject(parent, name);
+ }
+ }
+ }
+}

References