-
Notifications
You must be signed in to change notification settings - Fork 156
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[SECURITY-2053] Prevent plain text credentials of Basic/Digest authentication #105
Merged
basil
merged 13 commits into
jenkinsci:master
from
offa:security-2053-remove_basicdigestauth
Aug 1, 2022
Merged
Changes from all commits
Commits
Show all changes
13 commits
Select commit
Hold shift + click to select a range
6a41582
[SECURITY-2053] Avoid serialization of Basic/Digest authentication fi…
offa fdf1355
Remove unused help files
offa 7417ea8
Restore BasicDigestAuthentication, transient basicDigestAuthentications
offa 29ff54c
Remove import
offa 8638524
Remove deprecated authentications from fill items
offa 8c5df02
Mark version < 1.16 as incompatible
offa 36eb9f0
Merge remote-tracking branch 'origin/master' into security-2053-remov…
basil d1245bd
deprecation fixups
basil fa49be7
Remove basicDigestAuthentications from available authentications
offa 7c94bf9
Add readResolve() and update test
offa 5bbf87d
Remove usages of deprecated getter / setter
offa f69e060
fix formatting
basil 9a9df4d
clear list if non-null
basil File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -28,7 +28,11 @@ | |
@Extension | ||
public class HttpRequestGlobalConfig extends GlobalConfiguration { | ||
|
||
private List<BasicDigestAuthentication> basicDigestAuthentications = new ArrayList<>(); | ||
/** | ||
* @deprecated removed without replacement | ||
*/ | ||
@Deprecated | ||
private transient List<BasicDigestAuthentication> basicDigestAuthentications = new ArrayList<>(); | ||
private List<FormAuthentication> formAuthentications = new ArrayList<>(); | ||
|
||
private static final XStream2 XSTREAM2 = new XStream2(); | ||
|
@@ -78,10 +82,18 @@ public static HttpRequestGlobalConfig get() { | |
return GlobalConfiguration.all().get(HttpRequestGlobalConfig.class); | ||
} | ||
|
||
/** | ||
* @deprecated removed without replacement | ||
*/ | ||
@Deprecated | ||
public List<BasicDigestAuthentication> getBasicDigestAuthentications() { | ||
offa marked this conversation as resolved.
Show resolved
Hide resolved
|
||
return basicDigestAuthentications; | ||
} | ||
|
||
/** | ||
* @deprecated removed without replacement | ||
*/ | ||
@Deprecated | ||
public void setBasicDigestAuthentications( | ||
offa marked this conversation as resolved.
Show resolved
Hide resolved
|
||
List<BasicDigestAuthentication> basicDigestAuthentications) { | ||
this.basicDigestAuthentications = basicDigestAuthentications; | ||
|
@@ -97,10 +109,7 @@ public void setFormAuthentications( | |
} | ||
|
||
public List<Authenticator> getAuthentications() { | ||
List<Authenticator> list = new ArrayList<>(); | ||
list.addAll(basicDigestAuthentications); | ||
list.addAll(formAuthentications); | ||
return list; | ||
return new ArrayList<>(formAuthentications); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The project is configured to use tabs (Intelij + Eclipse settings). :-( |
||
} | ||
|
||
public Authenticator getAuthentication(String keyName) { | ||
|
@@ -111,4 +120,11 @@ public Authenticator getAuthentication(String keyName) { | |
} | ||
return null; | ||
} | ||
|
||
protected Object readResolve() { | ||
if (this.basicDigestAuthentications != null) { | ||
this.basicDigestAuthentications = new ArrayList<>(); | ||
} | ||
return this; | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Usage of deprecated field still present in
HttpRequestGlobalConfig#getAuthentications
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have removed the usage from
getAuthentications()
. The other two usages are getter and setter.What is the best scenario for those? If getter / setter are deprecated but still available I'd suggest keeping the related test cases too (it's still some kind of public API), or remove getter, setter, field (?) and related tests altogether.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please remove all callers of deprecated methods but retain the methods for binary compatibility