Skip to content

[JENKINS-63254][JENKINS-47101] Insecure Groovy String Interpolation Warnings #370

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 81 commits into from
Nov 6, 2020
Merged

[JENKINS-63254][JENKINS-47101] Insecure Groovy String Interpolation Warnings #370

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
81 commits
Select commit Hold shift + click to select a range
009bad3
added unit test showing leaked password
Jul 14, 2020
52f6f4b
working PoC
Jul 24, 2020
75c7406
add listener to report errors to pipeline output
Jul 24, 2020
191f08e
PoC 2 for groovy interpolation interception. Does not require core mods
Jul 28, 2020
ccf9040
Wrap EnvironmentExpander and EnvVars together for parseArgs
Jul 31, 2020
5c53b94
use incrementals, revert jenkins version
Jul 31, 2020
c5ef8ad
code cleanup
Jul 31, 2020
1a7793d
catch null arguments
Jul 31, 2020
0829025
Make unit test windows friendly. Remove dollar sign from password
Jul 31, 2020
18653c0
update to use newer implementation of EnvironmentExpander
Aug 4, 2020
5ba9b2a
Use updated api in EnvironmentExpander
Aug 5, 2020
aeebf17
address review comments
Aug 27, 2020
02804b3
add factory method, add report action, and summary page
Sep 1, 2020
20d781d
change from table to list, change icon
Sep 2, 2020
b404458
update jelly formatting, update unit test
Sep 5, 2020
22c4ae3
Check for empty body
Sep 8, 2020
41984a6
Update body check, support legacy stage behavior
Sep 10, 2020
d4759b1
add check for empty args
Sep 10, 2020
4a98072
fix variable clashing
Sep 10, 2020
8bdc019
address review comments
Sep 10, 2020
e975453
Refactor Action name, generate action only when there are secrets exp…
Sep 10, 2020
d4765a4
update null environment variable test
Sep 10, 2020
341972a
check for "bat" args on windows
Sep 11, 2020
ade619f
avoid reflective API
Sep 11, 2020
79d255a
address review comments
Sep 11, 2020
0abb665
address review comments
Sep 15, 2020
7a5d0c7
update jelly file path, fix localization error with parenthesis
Sep 15, 2020
506d5b3
add placeholder explanation page for jelly
Sep 15, 2020
93b018b
more refactoring of envwatcher
Sep 15, 2020
065b129
update step-api dependency
Sep 15, 2020
4903d4e
support detecting interpolation in describables
Sep 16, 2020
cc5b3b0
Track groovy strings instead of using InterpolatedSecretsDetector.
Sep 18, 2020
8517f12
added InterpolatedUninstantiatedDescribable
Sep 21, 2020
f12f226
add null checks for environmentexpander and envars
Sep 21, 2020
9a31bce
Merge remote-tracking branch 'upstream/master' into interpolation-v2
Sep 22, 2020
6e8b5eb
Refactor ArgumentsActionImpl using EnvironmentExpander and removing s…
Sep 23, 2020
eaa4c90
set sensitiveVariables as field instead of recursively passing through
Sep 23, 2020
70c4c22
Move interpolatedStrings into parseArgs
Sep 23, 2020
8a799dc
Remove duplicate code
Sep 23, 2020
1afab59
no metaStep returns NamedArgsAndClosure
Sep 25, 2020
dbe7d8f
Update error logging
Sep 25, 2020
902ab29
add windows support for unit test
Sep 25, 2020
6a39c5c
report step name and arguments that log a warning
Sep 28, 2020
ec29d4b
Handle multiple sensitive variables in one argument
Sep 28, 2020
97b1535
fix windows tests
Sep 28, 2020
b34e5fd
Merge remote-tracking branch 'upstream/master' into interpolation-v2
Sep 29, 2020
b0d183b
update documentation
Sep 29, 2020
b846c44
refactoring
Oct 1, 2020
4f9997d
fix jelly output
Oct 1, 2020
8506214
fix unit tests, some clean up
Oct 1, 2020
e6284e9
add redirect to console warning
Oct 1, 2020
ef157e9
address review comments
Oct 8, 2020
00d220b
simplify parseArgs
Oct 8, 2020
a8df396
centralize parsing of NamedArgsAndClosure
Oct 12, 2020
7c8022b
Sort arguments in step signature
Oct 12, 2020
a890c43
Merge remote-tracking branch 'upstream/master' into interpolation-v2
Oct 12, 2020
36050b4
fix comments
Oct 13, 2020
163e7cb
make step arguments print out in order they were added
Oct 14, 2020
3740ed1
update workflow-step-api and credentials-binding to release versions
Oct 15, 2020
a20db3d
update bom
Oct 19, 2020
b14f8cf
bump bom to v15
Oct 19, 2020
d489f73
address review comments
Oct 19, 2020
11b12ba
make getStepSignature recursive
Oct 20, 2020
bd0dfd2
make recursion more generic, add unit test for getStepSignature()
Oct 20, 2020
86cf9f3
parse UninstantiatedDescribable in getStepSignature
Oct 20, 2020
a24ffe0
control warning behavior with system property
Oct 20, 2020
cd43425
update unit tests with new UninstantiatedDescribable output
Oct 20, 2020
ac2ec02
Merge remote-tracking branch 'upstream/master' into interpolation-v2
Oct 27, 2020
41e50e6
address review comments
Nov 2, 2020
3e54d36
make InterpolatedWarnings.run transient field
Nov 2, 2020
b52438d
update UninstantiatedDescribable $class toString
Nov 3, 2020
49695e0
update InterpolatedSecretesAction onLoad and onAttached
Nov 3, 2020
7d8672c
Update getStepSignature to better reflect pipeline input
Nov 5, 2020
611326c
Remove printing of step signature
Nov 5, 2020
96c2f30
remove setting the model for the Uninstantiated Describable
Nov 5, 2020
7811148
Make sure password parameters are masked in step arguments
dwnusbaum Nov 5, 2020
f7798af
Remove InterpolatedSecretsActionTest.java
dwnusbaum Nov 5, 2020
40eb64a
Align workflow-support tests jar with incremental version
dwnusbaum Nov 5, 2020
bc8d268
Update to latest workflow-support incremental
dwnusbaum Nov 5, 2020
e173261
Merge remote-tracking branch 'upstream/master' into interpolation-v2
Nov 5, 2020
4524d26
update pom, update changelog to prepare for release
Nov 6, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion src/main/java/org/jenkinsci/plugins/workflow/cps/DSL.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -425,9 +425,10 @@ protected Object invokeDescribable(String symbol, Object _args) {
StepDescriptor metaStep = metaSteps.size()==1 ? metaSteps.get(0) : null;

boolean singleArgumentOnly = false;
DescribableModel<?> symbolModel = null;
if (metaStep != null) {
Descriptor symbolDescriptor = SymbolLookup.get().findDescriptor((Class)(metaStep.getMetaStepArgumentType()), symbol);
DescribableModel<?> symbolModel = DescribableModel.of(symbolDescriptor.clazz);
symbolModel = DescribableModel.of(symbolDescriptor.clazz);

singleArgumentOnly = symbolModel.hasSingleRequiredParameter() && symbolModel.getParameters().size() == 1;
}
Expand All @@ -436,6 +437,7 @@ protected Object invokeDescribable(String symbol, Object _args) {
NamedArgsAndClosure args = parseArgs(_args, metaStep!=null && metaStep.takesImplicitBlockArgument(),
UninstantiatedDescribable.ANONYMOUS_KEY, singleArgumentOnly, new HashSet<>());
UninstantiatedDescribable ud = new UninstantiatedDescribable(symbol, null, args.namedArgs);
ud.setModel(symbolModel);
Copy link
Author

@car-roll car-roll Nov 5, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needed to set the DescribableModel in order for hasSoleRequiredArgument to work.


if (metaStep==null) {
// there's no meta-step associated with it, so this symbol is not executable.
Expand Down
48 changes: 36 additions & 12 deletions src/main/java/org/jenkinsci/plugins/workflow/cps/view/InterpolatedSecretsAction.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,10 +25,14 @@

import hudson.model.Run;
import jenkins.model.RunAction2;
import org.jenkinsci.plugins.structs.describable.DescribableModel;
import org.jenkinsci.plugins.structs.describable.DescribableParameter;
import org.jenkinsci.plugins.structs.describable.UninstantiatedDescribable;
import org.jenkinsci.plugins.workflow.actions.ArgumentsAction;
import org.jenkinsci.plugins.workflow.flow.FlowExecutionOwner;
import org.jenkinsci.plugins.workflow.graph.FlowNode;
import org.jenkinsci.plugins.workflow.graph.StepNode;
import org.jenkinsci.plugins.workflow.steps.StepDescriptor;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.kohsuke.stapler.export.Exported;
Expand Down Expand Up @@ -117,32 +121,48 @@ public static class InterpolatedWarnings {
@Exported
public String getStepSignature() {
Map<String, Object> stepArguments;
FlowNode node;
try {
stepArguments = getStepArguments(run, nodeId);
node = getFlowNode(run, nodeId);
ArgumentsAction argumentsAction = node.getPersistentAction(ArgumentsAction.class);
if (argumentsAction == null) {
throw new IllegalStateException("null arguments action");
}
stepArguments = argumentsAction.getArguments();
} catch (IllegalStateException e) {
return "Unable to construct " + stepName + ": " + e.getMessage();
}

if (node instanceof StepNode) {
StepDescriptor descriptor = ((StepNode)node).getDescriptor();
if (descriptor != null && descriptor.isMetaStep()) {
DescribableParameter p = DescribableModel.of(descriptor.clazz).getFirstRequiredParameter();
if (p != null) {
Object arg = ArgumentsAction.getResolvedArguments(node).get(p.getName());
if (arg instanceof UninstantiatedDescribable) {
return argumentToString(arg);
} else {
return stepName + "(" + argumentToString(arg) + ")";
Copy link
Author

@car-roll car-roll Nov 5, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know in the case of ArchiveArtifacts the inner argument was an UninstantiatedDescribable with a symbol so that it would print out the signature correctly. What I was less sure about, was if this was always going to be the case in these scenarios where there is an outer CoreStep.

}
}
}
}

return stepArguments.entrySet().stream()
.map(InterpolatedSecretsAction::argumentToString)
.collect(Collectors.joining(", ", stepName + "(", ")"));
}

@Nonnull
private Map<String, Object> getStepArguments(Run run, String nodeId) throws IllegalStateException {
private FlowNode getFlowNode(Run run, String nodeId) {
String failReason;
if (run instanceof FlowExecutionOwner.Executable) {
try {
FlowExecutionOwner owner = ((FlowExecutionOwner.Executable) run).asFlowExecutionOwner();
if (owner != null) {
FlowNode node = owner.get().getNode(nodeId);
if (node != null) {
ArgumentsAction argumentsAction = node.getPersistentAction(ArgumentsAction.class);
if (argumentsAction != null) {
return argumentsAction.getArguments();
} else {
failReason = "null arguments action";
}
return node;
} else {
failReason = "null flow node";
}
Expand All @@ -162,7 +182,6 @@ private Map<String, Object> getStepArguments(Run run, String nodeId) throws Ille
public List<String> getInterpolatedVariables() {
return interpolatedVariables;
}

}

private static String argumentToString(Object arg) {
Expand Down Expand Up @@ -200,9 +219,14 @@ private static String argumentToString(Object arg) {
UninstantiatedDescribable ud = (UninstantiatedDescribable) arg;
Map<String, ?> udArgs = ud.getArguments();
if (ud.getSymbol() != null) {
valueString = udArgs.entrySet().stream()
.map(InterpolatedSecretsAction::argumentToString)
.collect(Collectors.joining(", ", ud.getSymbol() + "(", ")"));
String prefix = ud.getSymbol() + "(";
if (ud.hasSoleRequiredArgument() && udArgs.size() == 1) {
valueString = prefix + argumentToString(udArgs.values().iterator().next()) + ")";
} else {
valueString = udArgs.entrySet().stream()
.map(InterpolatedSecretsAction::argumentToString)
.collect(Collectors.joining(", ", prefix, ")"));
}
} else {
if (udArgs.isEmpty()) {
valueString = "[$class: " + ud.getKlass() + "]";
Expand Down
2 changes: 1 addition & 1 deletion src/test/java/org/jenkinsci/plugins/workflow/cps/DSLTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -485,7 +485,7 @@ public void namedSoleParamForStep() throws Exception {
List<InterpolatedSecretsAction.InterpolatedWarnings> warnings = reportAction.getWarnings();
MatcherAssert.assertThat(warnings.size(), is(1));
InterpolatedSecretsAction.InterpolatedWarnings stepWarning = warnings.get(0);
MatcherAssert.assertThat(stepWarning.getStepSignature(), is("archiveArtifacts(delegate: archiveArtifacts(<anonymous>: ${PASSWORD}))"));
MatcherAssert.assertThat(stepWarning.getStepSignature(), is("archiveArtifacts(${PASSWORD})"));
MatcherAssert.assertThat(stepWarning.getInterpolatedVariables(), is(Arrays.asList("PASSWORD")));
}

Expand Down