[SECURITY-1435]

jenkinsci · Jul 26, 2019 · a2e7f2b · a2e7f2b
1 parent d32dcfe
commit a2e7f2b
Show file tree

Hide file tree

Showing 5 changed files with 89 additions and 8 deletions.
diff --git a/pom.xml b/pom.xml
@@ -115,6 +115,12 @@
 			<version>${maven.test.version}</version>
 			<scope>test</scope>
 		</dependency>
+		<dependency>
+			<groupId>org.jenkins-ci</groupId>
+			<artifactId>test-annotations</artifactId>
+			<version>1.3</version>
+			<scope>test</scope>
+		</dependency>
 	</dependencies>
 
 	<build>
@@ -135,11 +141,21 @@
 				<artifactId>maven-hpi-plugin</artifactId>
 				<version>1.96</version>
 				<extensions>true</extensions>
+				<configuration>
+					<compatibleSinceVersion>0.15</compatibleSinceVersion>
+				</configuration>
 			</plugin>
             <plugin>
               <artifactId>maven-release-plugin</artifactId>
               <version>2.5</version>
-            </plugin>            
+            </plugin>
+			<plugin>
+				<artifactId>maven-compiler-plugin</artifactId>
+				<configuration>
+					<source>1.7</source>
+					<target>1.7</target>
+				</configuration>
+			</plugin>
 		</plugins>
 	</build>
 

diff --git a/src/main/java/org/jvnet/hudson/plugins/m2release/M2ReleaseBuildWrapper.java b/src/main/java/org/jvnet/hudson/plugins/m2release/M2ReleaseBuildWrapper.java
@@ -47,6 +47,7 @@
 import hudson.tasks.Builder;
 import hudson.util.FormValidation;
 import hudson.util.RunList;
+import hudson.util.Secret;
 
 import java.io.IOException;
 import java.lang.reflect.Array;
@@ -189,7 +190,7 @@ public boolean tearDown(@SuppressWarnings("rawtypes") AbstractBuild bld, BuildLi
 				M2ReleaseArgumentsAction args = bld.getAction(M2ReleaseArgumentsAction.class);
 				if (args.isCloseNexusStage() && !args.isDryRun()) {
 					StageClient client = new StageClient(new URL(getDescriptor().getNexusURL()), getDescriptor()
-							.getNexusUser(), getDescriptor().getNexusPassword());
+							.getNexusUser(), getDescriptor().getNexusPassword().getPlainText());
 					try {
 						MavenModule rootModule = mmSet.getRootModule();
 						// TODO grab the version that we have just released...
@@ -475,7 +476,7 @@ public static class DescriptorImpl extends BuildWrapperDescriptor {
 		private boolean nexusSupport  = false;
 		private String  nexusURL      = null;
 		private String  nexusUser     = "deployment";                                    //$NON-NLS-1$
-		private String  nexusPassword = "deployment123";                                 //$NON-NLS-1$
+		private Secret  nexusPassword = Secret.fromString("deployment123");               //$NON-NLS-1$
 
 
 
@@ -503,7 +504,7 @@ public boolean configure(StaplerRequest staplerRequest, JSONObject json) throws
 					nexusURL = nexusURL + "/";
 				}
 				nexusUser = Util.fixEmpty(nexusParams.getString("nexusUser")); //$NON-NLS-1$
-				nexusPassword = nexusParams.getString("nexusPassword"); //$NON-NLS-1$
+				nexusPassword = Secret.fromString(nexusParams.getString("nexusPassword")); //$NON-NLS-1$
 			}
 			save();
 			return true; // indicate that everything is good so far
@@ -525,7 +526,7 @@ public String getNexusUser() {
 		}
 
 
-		public String getNexusPassword() {
+		public Secret getNexusPassword() {
 			return nexusPassword;
 		}
 
@@ -539,8 +540,8 @@ public boolean isNexusSupport() {
 		 */
 		public FormValidation doUrlCheck(@QueryParameter String urlValue, 
 		                                 final @QueryParameter String usernameValue,
-		                                 final @QueryParameter String passwordValue) throws IOException,
-		                                                                      ServletException {
+		                                 final @QueryParameter Secret passwordValue) throws IOException,
+		                                                                                    ServletException {
 			// this method can be used to check if a file exists anywhere in the file system,
 			// so it should be protected.
 			if (!Hudson.getInstance().hasPermission(Hudson.ADMINISTER)) {
@@ -564,7 +565,7 @@ public FormValidation doUrlCheck(@QueryParameter String urlValue,
 				if (!(url.getProtocol().equals("http") || url.getProtocol().equals("https"))) {
 					return FormValidation.error("protocol must be http or https");
 				}
-				StageClient client = new StageClient(new URL(testURL), usernameValue, passwordValue);
+				StageClient client = new StageClient(new URL(testURL), usernameValue, passwordValue.getPlainText());
 				client.checkAuthentication();
 			}
 			catch (MalformedURLException ex) {

diff --git a/src/test/java/org/jvnet/hudson/plugins/m2release/M2ReleaseBuildWrapperTest.java b/src/test/java/org/jvnet/hudson/plugins/m2release/M2ReleaseBuildWrapperTest.java
@@ -0,0 +1,55 @@
+package org.jvnet.hudson.plugins.m2release;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.nio.charset.StandardCharsets;
+
+import org.apache.commons.io.IOUtils;
+import org.junit.Rule;
+import org.junit.Test;
+import org.jvnet.hudson.test.Issue;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.recipes.LocalData;
+
+import static org.hamcrest.CoreMatchers.containsString;
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.CoreMatchers.not;
+import static org.hamcrest.CoreMatchers.notNullValue;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.fail;
+
+public class M2ReleaseBuildWrapperTest {
+
+    private static final String PASSWORD = "mysecretpassword";
+    @Rule
+    public JenkinsRule jr = new JenkinsRule();
+
+
+    @Issue("SECURITY-1435")
+    @Test
+    @LocalData
+    public void testMigrationOfNexusPassword() throws Exception {
+        M2ReleaseBuildWrapper.DescriptorImpl d =
+                jr.jenkins.getDescriptorByType(M2ReleaseBuildWrapper.DescriptorImpl.class);
+        if (d == null) {
+            fail("could not find the descriptor");
+        }
+        assertThat("old password read ok", d.getNexusPassword(), notNullValue());
+        assertThat("old password migrated", d.getNexusPassword().getPlainText(), is(PASSWORD));
+
+        jr.configRoundtrip();
+
+        assertThat("round tripped password", d.getNexusPassword(), notNullValue());
+        assertThat("round tripped password", d.getNexusPassword().getPlainText(), is(PASSWORD));
+
+        File f = new File(jr.jenkins.root, M2ReleaseBuildWrapper.class.getName() + ".xml");
+        FileInputStream fis = new FileInputStream(f);
+        try {
+            String content = IOUtils.toString(fis, "UTF-8");
+            assertThat("password should be encrypted", content, not(containsString(PASSWORD)));
+        } finally {
+            fis.close();
+        }
+
+    }
+}
diff --git a/...udson/plugins/m2release/M2ReleaseBuildWrapperTest/testMigrationOfNexusPassword/config.xml b/...udson/plugins/m2release/M2ReleaseBuildWrapperTest/testMigrationOfNexusPassword/config.xml
@@ -0,0 +1,2 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<hudson/>
diff --git a/...testMigrationOfNexusPassword/org.jvnet.hudson.plugins.m2release.M2ReleaseBuildWrapper.xml b/...testMigrationOfNexusPassword/org.jvnet.hudson.plugins.m2release.M2ReleaseBuildWrapper.xml
@@ -0,0 +1,7 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<org.jvnet.hudson.plugins.m2release.M2ReleaseBuildWrapper_-DescriptorImpl plugin="m2release@0.14.0">
+    <nexusSupport>true</nexusSupport>
+    <nexusURL>http://localhost:99/nexus/</nexusURL>
+    <nexusUser>myusername</nexusUser>
+    <nexusPassword>mysecretpassword</nexusPassword>
+</org.jvnet.hudson.plugins.m2release.M2ReleaseBuildWrapper_-DescriptorImpl>