[SECURITY-440]

pom.xml

@@ -66,8 +66,8 @@
   </scm>
 
   <properties>
-    <jenkins.version>1.609</jenkins.version>
-    <java.level>6</java.level>
+    <jenkins.version>1.625</jenkins.version>
+    <java.level>7</java.level>
   </properties>
 
   <repositories>
@@ -95,10 +95,16 @@
     <dependency>
       <groupId>org.jenkins-ci.plugins</groupId>
       <artifactId>credentials</artifactId>
-      <version>2.1.0</version>
+      <version>2.1.17</version>
     </dependency>
     <!-- jenkins dependencies -->
     <!-- test dependencies -->
+    <dependency>
+      <groupId>org.jenkins-ci.plugins</groupId>
+      <artifactId>cloudbees-folder</artifactId>
+      <version>6.4</version>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
 
 </project>

src/main/java/com/cloudbees/jenkins/plugins/sshcredentials/impl/BasicSSHUserPrivateKey.java

@@ -26,27 +26,31 @@
 import com.cloudbees.jenkins.plugins.sshcredentials.SSHUserPrivateKey;
 import com.cloudbees.plugins.credentials.CredentialsProvider;
 import com.cloudbees.plugins.credentials.CredentialsScope;
-import com.cloudbees.plugins.credentials.CredentialsSnapshotTaker;
 import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
 import hudson.DescriptorExtensionList;
 import hudson.Extension;
 import hudson.model.AbstractDescribableImpl;
 import hudson.model.Descriptor;
+import hudson.model.Items;
 import hudson.remoting.Channel;
 import hudson.util.Secret;
 import java.io.File;
 import java.io.IOException;
 import java.io.ObjectStreamException;
 import java.io.Serializable;
 import java.io.StringReader;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.concurrent.TimeUnit;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+
+import hudson.util.XStream2;
 import jenkins.model.Jenkins;
 import net.jcip.annotations.GuardedBy;
 import org.apache.commons.io.FileUtils;
@@ -148,16 +152,6 @@ private synchronized Object readResolve() throws ObjectStreamException {
         return this;
     }
 
-    private Object writeReplace() {
-        if (/* XStream */Channel.current() == null) {
-            return this;
-        }
-        if (privateKeySource == null || privateKeySource.isSnapshotSource()) {
-            return this;
-        }
-        return CredentialsProvider.snapshot(this);
-    }
-
     /**
      * {@inheritDoc}
      */
@@ -290,7 +284,9 @@ public long getPrivateKeysLastModified() {
          *
          * @return {@code true} if and only if the source is self contained.
          * @since 1.7
+         * @deprecated no more used since FileOnMaster- and Users- PrivateKeySource are deprecated too
          */
+        @Deprecated
         public boolean isSnapshotSource() {
             return false;
         }
@@ -371,7 +367,9 @@ public String getDisplayName() {
 
     /**
      * Let the user reference a file on the disk.
+     * @deprecated This approach has security vulnerability and should be migrated to {@link DirectEntryPrivateKeySource}
      */
+    @Deprecated
     public static class FileOnMasterPrivateKeySource extends PrivateKeySource {
 
         /**
@@ -394,8 +392,6 @@ public static class FileOnMasterPrivateKeySource extends PrivateKeySource {
          */
         private transient volatile long nextCheckLastModified;
 
-
-        @DataBoundConstructor
         public FileOnMasterPrivateKeySource(String privateKeyFile) {
             this.privateKeyFile = privateKeyFile;
         }
@@ -436,7 +432,12 @@ private Object readResolve() {
                 // this is a borked upgrade, not actually the file name but is actually the key contents
                 return new DirectEntryPrivateKeySource(privateKeyFile);
             }
-            return this;
+
+            Jenkins.getActiveInstance().checkPermission(Jenkins.RUN_SCRIPTS);
+
+            LOGGER.log(Level.INFO, "SECURITY-440: Migrating FileOnMasterPrivateKeySource to DirectEntryPrivateKeySource");
+            // read the content of the file and then migrate to Direct
+            return new DirectEntryPrivateKeySource(getPrivateKeys());
         }
 
         @Override
@@ -453,26 +454,13 @@ public long getPrivateKeysLastModified() {
             }
             return lastModified;
         }
-
-        /**
-         * {@inheritDoc}
-         */
-        @Extension
-        public static class DescriptorImpl extends PrivateKeySourceDescriptor {
-
-            /**
-             * {@inheritDoc}
-             */
-            @Override
-            public String getDisplayName() {
-                return Messages.BasicSSHUserPrivateKey_FileOnMasterPrivateKeySourceDisplayName();
-            }
-        }
     }
 
     /**
      * Let the user
+     * @deprecated This approach has security vulnerability and should be migrated to {@link DirectEntryPrivateKeySource}
      */
+    @Deprecated
     public static class UsersPrivateKeySource extends PrivateKeySource {
 
         /**
@@ -490,10 +478,6 @@ public static class UsersPrivateKeySource extends PrivateKeySource {
          */
         private transient volatile long nextCheckLastModified;
 
-        @DataBoundConstructor
-        public UsersPrivateKeySource() {
-        }
-
         private List<File> files() {
             List<File> files = new ArrayList<File>();
             File sshHome = new File(new File(System.getProperty("user.home")), ".ssh");
@@ -535,51 +519,27 @@ public long getPrivateKeysLastModified() {
             return lastModified;
         }
 
-        /**
-         * {@inheritDoc}
-         */
-        @Extension
-        public static class DescriptorImpl extends PrivateKeySourceDescriptor {
+        private Object readResolve() {
+            Jenkins.getActiveInstance().checkPermission(Jenkins.RUN_SCRIPTS);
 
-            /**
-             * {@inheritDoc}
-             */
-            @Override
-            public String getDisplayName() {
-                return Messages.BasicSSHUserPrivateKey_UsersPrivateKeySourceDisplayName();
-            }
+            LOGGER.log(Level.INFO, "SECURITY-440: Migrating UsersPrivateKeySource to DirectEntryPrivateKeySource");
+            // read the content of the file and then migrate to Direct
+            return new DirectEntryPrivateKeySource(getPrivateKeys());
         }
     }
 
-    /**
-     * @since 1.7
-     */
-    @Extension
-    public static class CredentialsSnapshotTakerImpl extends CredentialsSnapshotTaker<SSHUserPrivateKey> {
-
-        /**
-         * {@inheritDoc}
-         */
-        @Override
-        public Class<SSHUserPrivateKey> type() {
-            return SSHUserPrivateKey.class;
-        }
-
-        /**
-         * {@inheritDoc}
-         */
-        @Override
-        public SSHUserPrivateKey snapshot(SSHUserPrivateKey credentials) {
-            if (credentials instanceof BasicSSHUserPrivateKey) {
-                final PrivateKeySource keySource = ((BasicSSHUserPrivateKey) credentials).getPrivateKeySource();
-                if (keySource.isSnapshotSource()) {
-                    return credentials;
-                }
-            }
-            final Secret passphrase = credentials.getPassphrase();
-            return new BasicSSHUserPrivateKey(credentials.getScope(), credentials.getId(), credentials.getUsername(),
-                    new DirectEntryPrivateKeySource(credentials.getPrivateKeys()),
-                    passphrase == null ? null : passphrase.getEncryptedValue(), credentials.getDescription());
+    static {
+        try {
+            // the critical field allow the permission check to make the XML read to fail completely in case of violation
+            // TODO: Remove reflection once baseline is updated past 2.85.
+            Method m = XStream2.class.getMethod("addCriticalField", Class.class, String.class);
+            m.invoke(Items.XSTREAM2, BasicSSHUserPrivateKey.class, "privateKeySource");
+        } catch (IllegalAccessException e) {
+            throw new ExceptionInInitializerError(e);
+        } catch (InvocationTargetException e) {
+            throw new ExceptionInInitializerError(e);
+        } catch (NoSuchMethodException e) {
+            throw new ExceptionInInitializerError(e);
         }
     }
 }

src/main/resources/com/cloudbees/jenkins/plugins/sshcredentials/impl/Messages.properties

@@ -22,6 +22,4 @@
 # THE SOFTWARE.
 #
 BasicSSHUserPrivateKey.DirectEntryPrivateKeySourceDisplayName=Enter directly
-BasicSSHUserPrivateKey.FileOnMasterPrivateKeySourceDisplayName=From a file on Jenkins master
-BasicSSHUserPrivateKey.UsersPrivateKeySourceDisplayName=From the Jenkins master ~/.ssh
-BasicSSHUserPrivateKey.DisplayName=SSH Username with private key
+BasicSSHUserPrivateKey.DisplayName=SSH Username with private key

src/main/resources/com/cloudbees/jenkins/plugins/sshcredentials/impl/Messages_de.properties

@@ -22,6 +22,4 @@
 # THE SOFTWARE.
 #
 BasicSSHUserPrivateKey.DirectEntryPrivateKeySourceDisplayName=Direkt eingeben
-BasicSSHUserPrivateKey.FileOnMasterPrivateKeySourceDisplayName=Aus einer Datei auf dem Jenkins Master
-BasicSSHUserPrivateKey.UsersPrivateKeySourceDisplayName=Aus ~/.ssh des Jenkins Masters
-BasicSSHUserPrivateKey.DisplayName=SSH Benutzername und privater Schl\u00fcssel
+BasicSSHUserPrivateKey.DisplayName=SSH Benutzername und privater Schl\u00fcssel

src/main/resources/com/cloudbees/jenkins/plugins/sshcredentials/impl/Messages_ja.properties

@@ -22,6 +22,4 @@
 # THE SOFTWARE.
 #
 BasicSSHUserPrivateKey.DirectEntryPrivateKeySourceDisplayName=\u76f4\u63a5\u5165\u529b
-BasicSSHUserPrivateKey.FileOnMasterPrivateKeySourceDisplayName=Jenkins\u30de\u30b9\u30bf\u30fc\u4e0a\u306e\u30d5\u30a1\u30a4\u30eb\u304b\u3089
-BasicSSHUserPrivateKey.UsersPrivateKeySourceDisplayName=Jenkins\u30de\u30b9\u30bf\u30fc\u4e0a\u306e~/.ssh\u304b\u3089
-BasicSSHUserPrivateKey.DisplayName=SSH \u30e6\u30fc\u30b6\u30fc\u540d\u3068\u79d8\u5bc6\u9375
+BasicSSHUserPrivateKey.DisplayName=SSH \u30e6\u30fc\u30b6\u30fc\u540d\u3068\u79d8\u5bc6\u9375

src/test/java/com/cloudbees/jenkins/plugins/sshcredentials/impl/BasicSSHUserPrivateKeyTest.java

@@ -51,24 +51,6 @@ public class BasicSSHUserPrivateKeyTest {
 
     @Rule public JenkinsRule r = new JenkinsRule();
 
-    @Test public void masterKeysOnSlave() throws Exception {
-        FilePath keyfile = r.jenkins.getRootPath().child("key");
-        keyfile.write("stuff", null);
-        SSHUserPrivateKey key = new BasicSSHUserPrivateKey(CredentialsScope.SYSTEM, "mycreds", "git", new BasicSSHUserPrivateKey.FileOnMasterPrivateKeySource(keyfile.getRemote()), null, null);
-        assertEquals("[stuff]", key.getPrivateKeys().toString());
-        // TODO would be more interesting to use a Docker fixture to demonstrate that the file load is happening only from the master side
-        assertEquals("[stuff]", r.createOnlineSlave().getChannel().call(new LoadPrivateKeys(key)));
-    }
-    private static class LoadPrivateKeys extends MasterToSlaveCallable<String,Exception> {
-        private final SSHUserPrivateKey key;
-        LoadPrivateKeys(SSHUserPrivateKey key) {
-            this.key = key;
-        }
-        @Override public String call() throws Exception {
-            return key.getPrivateKeys().toString();
-        }
-    }
-
     @LocalData
     @Test
     public void readOldCredentials() throws Exception {

src/test/java/com/cloudbees/jenkins/plugins/sshcredentials/impl/BasicSSHUserPrivateKeyTest_SEC440.java

@@ -0,0 +1,63 @@
+package com.cloudbees.jenkins.plugins.sshcredentials.impl;
+
+import com.cloudbees.hudson.plugins.folder.Folder;
+import hudson.FilePath;
+import hudson.cli.CLICommandInvoker;
+import hudson.cli.UpdateJobCommand;
+import hudson.model.Job;
+import jenkins.model.Jenkins;
+import org.junit.Rule;
+import org.junit.Test;
+import org.jvnet.hudson.test.Issue;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.recipes.LocalData;
+
+import static hudson.cli.CLICommandInvoker.Matcher.failedWith;
+import static hudson.cli.CLICommandInvoker.Matcher.succeeded;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.not;
+
+//TODO merge it into BasicSSHUserPrivateKeyTest after security patch
+public class BasicSSHUserPrivateKeyTest_SEC440 {
+
+    @Rule
+    public JenkinsRule r = new JenkinsRule();
+
+    {r.timeout = 0;}
+
+    @Test
+    @Issue("SECURITY-440")
+    @LocalData("updateJob")
+    public void userWithoutRunScripts_cannotMigrateDangerousPrivateKeySource() throws Exception {
+        Folder folder = r.jenkins.createProject(Folder.class, "folder1");
+
+        FilePath updateFolder = r.jenkins.getRootPath().child("update_folder.xml");
+
+        { // as user with just configure, you cannot migrate
+            CLICommandInvoker.Result result = new CLICommandInvoker(r, new UpdateJobCommand())
+                    .authorizedTo(Jenkins.READ, Job.READ, Job.CONFIGURE)
+                    .withStdin(updateFolder.read())
+                    .invokeWithArgs("folder1");
+
+            assertThat(result.stderr(), containsString("user is missing the Overall/RunScripts permission"));
+            assertThat(result, failedWith(-1));
+
+            // config file not touched
+            String configFileContent = folder.getConfigFile().asString();
+            assertThat(configFileContent, not(containsString("FileOnMasterPrivateKeySource")));
+            assertThat(configFileContent, not(containsString("BasicSSHUserPrivateKey")));
+        }
+        { // but as admin with RUN_SCRIPTS, you can
+            CLICommandInvoker.Result result = new CLICommandInvoker(r, new UpdateJobCommand())
+                    .authorizedTo(Jenkins.ADMINISTER)
+                    .withStdin(updateFolder.read())
+                    .invokeWithArgs("folder1");
+
+            assertThat(result, succeeded());
+            String configFileContent = folder.getConfigFile().asString();
+            assertThat(configFileContent, containsString("BasicSSHUserPrivateKey"));
+            assertThat(configFileContent, not(containsString("FileOnMasterPrivateKeySource")));
+        }
+    }
+}

src/test/resources/com/cloudbees/jenkins/plugins/sshcredentials/impl/BasicSSHUserPrivateKeyTest_SEC440/updateJob/update_folder.xml

@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<com.cloudbees.hudson.plugins.folder.Folder plugin="[email protected]">
+  <actions/>
+  <description></description>
+  <properties>
+    <com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider_-FolderCredentialsProperty>
+      <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
+        <entry>
+          <com.cloudbees.plugins.credentials.domains.Domain plugin="[email protected]">
+            <specifications/>
+          </com.cloudbees.plugins.credentials.domains.Domain>
+          <java.util.concurrent.CopyOnWriteArrayList>
+            <com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey plugin="[email protected]">
+              <id>From SSH</id>
+              <username>from_ssh</username>
+              <privateKeySource class="com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$UsersPrivateKeySource"/>
+            </com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey>
+          </java.util.concurrent.CopyOnWriteArrayList>
+        </entry>
+      </domainCredentialsMap>
+    </com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider_-FolderCredentialsProperty>
+  </properties>
+  <folderViews class="com.cloudbees.hudson.plugins.folder.views.DefaultFolderViewHolder">
+    <views>
+      <hudson.model.AllView>
+        <owner class="com.cloudbees.hudson.plugins.folder.Folder" reference="../../../.."/>
+        <name>All</name>
+        <filterExecutors>false</filterExecutors>
+        <filterQueue>false</filterQueue>
+        <properties class="hudson.model.View$PropertyList"/>
+      </hudson.model.AllView>
+    </views>
+    <tabBar class="hudson.views.DefaultViewsTabBar"/>
+  </folderViews>
+  <healthMetrics>
+    <com.cloudbees.hudson.plugins.folder.health.WorstChildHealthMetric>
+      <nonRecursive>false</nonRecursive>
+    </com.cloudbees.hudson.plugins.folder.health.WorstChildHealthMetric>
+  </healthMetrics>
+  <icon class="com.cloudbees.hudson.plugins.folder.icons.StockFolderIcon"/>
+</com.cloudbees.hudson.plugins.folder.Folder>