Jenkins Cross-Site Scripting vulnerability in help icons
Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.
Affected versions
0 → fixed in 2.235.42.236 → fixed in 2.252
Details
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons. Tooltip values can be contributed by plugins, some of which use user-specified values. This results in a stored cross-site scripting (XSS) vulnerability. Jenkins 2.252, LTS 2.235.4 escapes the tooltip content of help icons.
The fix
[SECURITY-1955]
core/src/main/resources/lib/layout/svgIcon.jelly+2 −2
@@ -34,7 +34,7 @@aria-hidden="${attrs.ariaHidden != null ? attrs.ariaHidden : ''}"style="${attrs.style}"onclick="${attrs.onclick}"-tooltip="${attrs.tooltip}">+tooltip="${h.xmlEscape(attrs.tooltip ?: '')}"><j:choose><j:when test="${attrs.href != null}">@@ -46,4 +46,4 @@</j:choose></svg>-</j:jelly>+</j:jelly>
test/src/test/java/lib/layout/SvgIconTest.java+141 −0
@@ -0,0 +1,141 @@+/*+* The MIT License+*+* Copyright (c) 2020 CloudBees, Inc.+*+* Permission is hereby granted, free of charge, to any person obtaining a copy+* of this software and associated documentation files (the "Software"), to deal+* in the Software without restriction, including without limitation the rights+* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell+* copies of the Software, and to permit persons to whom the Software is+* furnished to do so, subject to the following conditions:+*+* The above copyright notice and this permission notice shall be included in+* all copies or substantial portions of the Software.+*+* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR+* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,+* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE+* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER+* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,+* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN+* THE SOFTWARE.+*/+package lib.layout;++import com.gargoylesoftware.htmlunit.ScriptResult;+import com.gargoylesoftware.htmlunit.html.HtmlPage;+import hudson.model.UnprotectedRootAction;+import org.junit.Rule;+import org.junit.Test;+import org.jvnet.hudson.test.Issue;+import org.jvnet.hudson.test.JenkinsRule;+import org.jvnet.hudson.test.TestExtension;++import javax.annotation.CheckForNull;+import java.util.concurrent.atomic.AtomicBoolean;++import static org.hamcrest.CoreMatchers.allOf;+import static org.hamcrest.CoreMatchers.containsString;+import static org.hamcrest.CoreMatchers.instanceOf;+import static org.hamcrest.CoreMatchers.not;+import static org.junit.Assert.assertFalse;+import static org.junit.Assert.assertThat;++public class SvgIconTest {++@Rule+public JenkinsRule j = new JenkinsRule();++@Test+@Issue("JENKINS-60920")+public void regularUsage() throws Exception {+TestRootAction testRootAction = j.jenkins.getExtensionList(UnprotectedRootAction.class).get(TestRootAction.class);++String desiredTooltip = "Hello world!";+testRootAction.tooltipContent = desiredTooltip;++HtmlPage p = j.createWebClient().goTo(testRootAction.getUrlName());+assertThat(p.getWebResponse().getContentAsString(), containsString(desiredTooltip));+}++@Test+@Issue("JENKINS-60920")+public void onlyQuotesAreEscaped() throws Exception {+TestRootAction testRootAction = j.jenkins.getExtensionList(UnprotectedRootAction.class).get(TestRootAction.class);++String pristineTooltip = "Special tooltip with double quotes \", simple quotes ', and html characters <>&.";++// Escaped twice, once per new h.xmlEscape then once per Jelly.+// But as the tooltip lib interprets HTML, it's fine, the tooltip displays the original values without interpreting them+String expectedTooltip = "Special tooltip with double quotes ", simple quotes ', and html characters &lt;&gt;&amp;.";+testRootAction.tooltipContent = pristineTooltip;++HtmlPage p = j.createWebClient().goTo(testRootAction.getUrlName());+assertThat(p.getWebResponse().getContentAsString(), allOf(+containsString(expectedTooltip),+not(containsString(pristineTooltip))+));+}++@Test+@Issue("SECURITY-1955")+public void preventXssFromTooltip() throws Exception {+TestRootAction testRootAction = j.jenkins.getExtensionList(UnprotectedRootAction.class).get(TestRootAction.class);++String desiredTooltip = "Tooltip with <img src=x onerror=alert(123)> payload included";+testRootAction.tooltipContent = desiredTooltip;++ensureXssIsPrevented(testRootAction, "Tooltip with", "<img");+}++private void ensureXssIsPrevented(TestRootAction testRootAction, String validationPart, String dangerousPart) throws Exception {+JenkinsRule.WebClient wc = j.createWebClient();++AtomicBoolean alertTriggered = new AtomicBoolean(false);+wc.setAlertHandler((p, s) -> {+alertTriggered.set(true);+});++HtmlPage page = wc.goTo(testRootAction.getUrlName());++// now it's a regular title, but without the correction, the tooltip will be triggered++// title field is modified by Yahoo tooltip, title attribute is set by the new code+ScriptResult controlResult = page.executeJavaScript("var s = document.querySelector('#test-panel svg'); s.title || s.getAttribute('title');");+Object jsControlResult = controlResult.getJavaScriptResult();+assertThat(jsControlResult, instanceOf(String.class));+String jsControlString = (String) jsControlResult;+assertThat("The title attribute is not populated", jsControlString, containsString(validationPart));++page.executeJavaScript("document.querySelector('#test-panel svg').dispatchEvent(new Event('mouseover'));");+wc.waitForBackgroundJavaScript(1000);+ScriptResult result = page.executeJavaScript("document.querySelector('#tt').innerHTML;");+Object jsResult = result.getJavaScriptResult();+assertThat(jsResult, instanceOf(String.class));+String jsResultString = (String) jsResult;++assertThat("XSS not prevented (content)", jsResultString, not(containsString(dangerousPart)));+assertFalse("XSS not prevented (alert)", alertTriggered.get());+}++@TestExtension()+public static class TestRootAction implements UnprotectedRootAction {+public String tooltipContent = "";++@Override+public @CheckForNull String getUrlName() {+return "test";+}++@Override+public @CheckForNull String getIconFileName() {+return null;+}++@Override+public @CheckForNull String getDisplayName() {+return null;+}+}+}
test/src/test/resources/lib/layout/SvgIconTest/TestRootAction/index.jelly+33 −0
@@ -0,0 +1,33 @@+<!--+The MIT License++Copyright (c) 2018, CloudBees, Inc.++Permission is hereby granted, free of charge, to any person obtaining a copy+of this software and associated documentation files (the "Software"), to deal+in the Software without restriction, including without limitation the rights+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell+copies of the Software, and to permit persons to whom the Software is+furnished to do so, subject to the following conditions:++The above copyright notice and this permission notice shall be included in+all copies or substantial portions of the Software.++THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN+THE SOFTWARE.+-->+<?jelly escape-by-default='true'?>+<j:jelly xmlns:j="jelly:core" xmlns:l="/lib/layout">+<l:layout title="Usage of svgIcon">+<l:main-panel>+<div id="test-panel">+<l:svgIcon href="${resURL}/images/material-icons/svg-sprite-action-symbol.svg#ic_search_24px" tooltip="${it.tooltipContent}" />+</div>+</l:main-panel>+</l:layout>+</j:jelly>
References
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-2229
- WEBhttps://github.com/jenkinsci/jenkins/commit/fe4cbe03804d6240d0b58d0b2301ea9530a34916
- PACKAGEhttps://github.com/jenkinsci/jenkins
- WEBhttps://jenkins.io/security/advisory/2020-08-12/#SECURITY-1955
- WEBhttp://packetstormsecurity.com/files/160443/Jenkins-2.235.3-Cross-Site-Scripting.html
- WEBhttp://www.openwall.com/lists/oss-security/2020/08/12/4