
Remote access API issue on ci.jenkins.io #3042

Closed
lemeurherve opened this issue Jul 10, 2022 · 8 comments

Comments

@lemeurherve
Member

Service(s)

ci.jenkins.io

Summary

As noted by @jetersen in #3013, .../api/json paths on ci.jenkins.io return empty JSON, while it's working on the other instances (infra.ci.jenkins.io, weekly.ci.jenkins.io, ...)

Reproduction steps

Go to https://ci.jenkins.io/job/Infra/job/plugin-site/job/master/api/json for example

@lemeurherve lemeurherve added the triage Incoming issues that need review label Jul 10, 2022
@dduportal
Contributor

This behavior is intentional to avoid abuse by bots, as this is a public instance.

It is blocked at Apache level as per the following configuration: https://github.com/jenkins-infra/jenkins-infra/blob/dba2e7e5f4717e15936da84724651fc284851b51/dist/profile/manifests/jenkinscontroller.pp#L378-L385
There is a unit test that confirms this assumption: https://github.com/jenkins-infra/jenkins-infra/blob/dba2e7e5f4717e15936da84724651fc284851b51/spec/server/jenkins_controller/jenkins_controller_spec.rb#L39-L61

@dduportal
Contributor

  • People who have SSH access to the ci.jenkins.io machine can open a direct tunnel to the Jenkins controller, bypassing Apache blocking and allowing the API to be used for punctual operations.
  • I see the goal is to use shields.io: Consider removing embeddable-build-status plugin #3013 (comment). Needs to be discussed because of the consequences on the instance.

@timja
Member

timja commented Jul 10, 2022

The issue was 5 years ago, possibly we can just try unblocking it? #965
jenkins-infra/jenkins-infra@a09652c

Otherwise, if shields.io authenticates, that would also fix it.

@hervelemeur

It can on self hosted instances: https://contributing.shields.io/tutorial-server-secrets.html
Not sure for their public instance.

@lemeurherve
Member Author

AFAIU from discussing it with @dduportal this morning, these ../api/json paths were enough to take down or slow ci.jenkins.io too much, hence this blocking.

@jenkins-infra/security WDYT? Should these paths remain blocked or is Jenkins not vulnerable anymore on these paths?

@daniel-beck

daniel-beck commented Jul 11, 2022

Can you block the depth parameter for these URLs?

@dduportal
Contributor

> Can you block the depth parameter for these URLs?

Yes, that should be doable at Apache level, I guess. But what would be the use cases? Asking because, to be worth the risk (in terms of performance, security, maintenance pain), I vote for being able to underline the use cases.

For shields.io, the solution of a self hosted instance, allowed to reach the Jenkins instance directly is being raised: #3044.
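To make the two options discussed in this thread concrete (deny the remote access API outright at the reverse proxy, or keep it reachable but refuse requests carrying a depth parameter), here is an added Apache mod_rewrite fragment. It is an illustration written for this page, not the jenkins-infra Puppet manifest linked above, and it assumes Apache httpd 2.4 with mod_rewrite enabled in the VirtualHost that fronts the controller.

```apache
# Added example, not the jenkins-infra configuration. Assumes httpd 2.4 with
# mod_rewrite loaded, placed inside the VirtualHost proxying to the controller.
RewriteEngine On

# Option A (what the thread describes as the current behaviour): refuse the
# Jenkins remote access API anywhere in the job tree, e.g.
#   /job/Infra/job/plugin-site/job/master/api/json
# Returns 403 before the request ever reaches the Jenkins controller.
RewriteCond %{REQUEST_URI} /api/(json|xml|python)$ [NC]
RewriteRule .* - [F,L]

# Option B (the alternative raised by daniel-beck): leave the API reachable
# but deny requests whose query string sets depth=, since deep trees are the
# expensive part of the API for the controller to render.
# Remove the Option A rules above if you want this narrower policy instead.
RewriteCond %{REQUEST_URI} /api/(json|xml|python)$ [NC]
RewriteCond %{QUERY_STRING} (^|&)depth= [NC]
RewriteRule .* - [F,L]

# Optional carve-out for a self-hosted shields.io instance (see #3044):
# requests from its address are exempted from both rules above.
# 203.0.113.10 is a documentation-range placeholder, not a real address.
RewriteCond %{REMOTE_ADDR} ^203\.0\.113\.10$
RewriteRule .* - [L]
```

Order matters: put the carve-out block before the deny blocks, since a matching `[L]` rule stops processing for that request; after reloading, a `curl -sS -o /dev/null -w '%{http_code}' 'https://<host>/job/<job>/api/json?depth=2'` should return 403 under either option.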

@dduportal
Contributor

Closing in favor of #3044 + #3045

@lemeurherve lemeurherve removed the triage Incoming issues that need review label Jul 13, 2022
5 participants