Merge branch 'master' into navigate-back-to-build-artifact

Author: LakshyaBagani

.github/workflows/changelog.yml

@@ -44,15 +44,15 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository_owner == 'jenkinsci'
     steps:
-      - uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2.2.0
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
         id: generate-token
         with:
           app-id: ${{ secrets.JENKINS_CHANGELOG_UPDATER_APP_ID }}
           private-key: ${{ secrets.JENKINS_CHANGELOG_UPDATER_PRIVATE_KEY }}
           owner: jenkins-infra
           repositories: jenkins.io
       - name: Check out
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
       - name: Publish jenkins.io changelog draft

.github/workflows/publish-release-artifact.yml

@@ -16,9 +16,9 @@ jobs:
       is-lts: ${{ steps.set-version.outputs.is-lts }}
       is-rc: ${{ steps.set-version.outputs.is-rc }}
     steps:
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - name: Set up JDK 21
-        uses: actions/setup-java@4e7e684fbb6e33f88ecb2cf1e6b3797739cf499b #v 5.0.0
+        uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e #v 5.0.0
         with:
           distribution: "temurin"
           java-version: 21

.github/workflows/run-since-updater.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.repository_owner == 'jenkinsci' }}
     steps:
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
       - name: Run update-since-todo.py
@@ -29,7 +29,7 @@ jobs:
         id: run_script
         shell: bash
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9
+        uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: Fill in since annotations

bom/pom.xml

@@ -119,7 +119,7 @@ THE SOFTWARE.
       <dependency>
         <groupId>commons-io</groupId>
         <artifactId>commons-io</artifactId>
-        <version>2.20.0</version>
+        <version>2.21.0</version>
       </dependency>
       <dependency>
         <groupId>commons-lang</groupId>

cli/pom.xml

@@ -53,7 +53,7 @@
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcprov-jdk18on</artifactId>
-      <version>1.82</version>
+      <version>1.83</version>
       <optional>true</optional>
     </dependency>
     <dependency>

cli/src/main/java/hudson/cli/PlainCLIProtocol.java

@@ -153,15 +153,14 @@ public void run() {
                 }
             } catch (ClosedChannelException x) {
                 LOGGER.log(Level.FINE, null, x);
-                side.handleClose();
             } catch (IOException x) {
                 LOGGER.log(Level.WARNING, null, flightRecorder.analyzeCrash(x, "broken stream"));
             } catch (ReadPendingException x) {
                 // in case trick in CLIAction does not work
                 LOGGER.log(Level.FINE, null, x);
-                side.handleClose();
             } catch (RuntimeException x) {
                 LOGGER.log(Level.WARNING, null, x);
+            } finally {
                 side.handleClose();
             }
         }

core/src/main/java/hudson/Functions.java

@@ -203,6 +203,12 @@ public class Functions {
     private static final AtomicLong iota = new AtomicLong();
     private static Logger LOGGER = Logger.getLogger(Functions.class.getName());
 
+    /**
+     * Escape hatch to use the non-recursive f:password masking.
+     */
+    private static /* non-final */ boolean NON_RECURSIVE_PASSWORD_MASKING_PERMISSION_CHECK = SystemProperties.getBoolean(Functions.class.getName() + ".nonRecursivePasswordMaskingPermissionCheck");
+
+
     public Functions() {
     }
 
@@ -2252,13 +2258,38 @@ public String getPasswordValue(Object o) {
         StaplerRequest2 req = Stapler.getCurrentRequest2();
         if (o instanceof Secret || Secret.BLANK_NONSECRET_PASSWORD_FIELDS_WITHOUT_ITEM_CONFIGURE) {
             if (req != null) {
-                Item item = req.findAncestorObject(Item.class);
-                if (item != null && !item.hasPermission(Item.CONFIGURE)) {
-                    return "********";
-                }
-                Computer computer = req.findAncestorObject(Computer.class);
-                if (computer != null && !computer.hasPermission(Computer.CONFIGURE)) {
-                    return "********";
+                if (NON_RECURSIVE_PASSWORD_MASKING_PERMISSION_CHECK) {
+                    Item item = req.findAncestorObject(Item.class);
+                    if (item != null && !item.hasPermission(Item.CONFIGURE)) {
+                        return "********";
+                    }
+                    Computer computer = req.findAncestorObject(Computer.class);
+                    if (computer != null && !computer.hasPermission(Computer.CONFIGURE)) {
+                        return "********";
+                    }
+                } else {
+                    List<Ancestor> ancestors = req.getAncestors();
+                    for (Ancestor ancestor : Iterators.reverse(ancestors)) {
+                        Object type = ancestor.getObject();
+                        if (type instanceof Item item) {
+                            if (!item.hasPermission(Item.CONFIGURE)) {
+                                return "********";
+                            }
+                            break;
+                        }
+                        if (type instanceof Computer computer) {
+                            if (!computer.hasPermission(Computer.CONFIGURE)) {
+                                return "********";
+                            }
+                            break;
+                        }
+                        if (type instanceof View view) {
+                            if (!view.hasPermission(View.CONFIGURE)) {
+                                return "********";
+                            }
+                            break;
+                        }
+                    }
                 }
             }
         }

core/src/main/java/hudson/cli/CLIAction.java

@@ -40,11 +40,11 @@
 import java.nio.charset.Charset;
 import java.nio.charset.UnsupportedCharsetException;
 import java.util.ArrayList;
-import java.util.HashMap;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
 import java.util.UUID;
+import java.util.concurrent.ConcurrentHashMap;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import jenkins.model.Jenkins;
@@ -80,7 +80,7 @@ public class CLIAction implements UnprotectedRootAction, StaplerProxy {
      */
     /* package-private for testing */ static /* non-final for Script Console */ Boolean ALLOW_WEBSOCKET = SystemProperties.optBoolean(CLIAction.class.getName() + ".ALLOW_WEBSOCKET");
 
-    private final transient Map<UUID, FullDuplexHttpService> duplexServices = new HashMap<>();
+    private final transient Map<UUID, FullDuplexHttpService> duplexServices = new ConcurrentHashMap<>();
 
     @Override
     public String getIconFileName() {
@@ -315,8 +315,13 @@ private synchronized void ready() {
 
         void run() throws IOException, InterruptedException {
             synchronized (this) {
-                while (!ready) {
-                    wait();
+                long end = System.currentTimeMillis() + FullDuplexHttpService.CONNECTION_TIMEOUT;
+                while (!ready && System.currentTimeMillis() < end) {
+                    wait(1000);
+                }
+                if (!ready) {
+                    LOGGER.log(Level.FINE, "CLI timeout waiting for client");
+                    return;
                 }
             }
             PrintStream stdout = new PrintStream(streamStdout(), false, encoding);

core/src/main/java/hudson/model/BuildAuthorizationToken.java

@@ -25,10 +25,22 @@
 package hudson.model;
 
 import com.thoughtworks.xstream.converters.basic.AbstractSingleValueConverter;
+import hudson.Extension;
 import hudson.Util;
+import hudson.diagnosis.OldDataMonitor;
+import hudson.model.listeners.ItemListener;
 import hudson.security.ACL;
+import hudson.util.Secret;
 import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import jenkins.model.Jenkins;
+import jenkins.model.ParameterizedJobMixIn;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
 import org.kohsuke.stapler.HttpResponses;
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.StaplerRequest2;
@@ -47,10 +59,25 @@
  */
 @Deprecated
 public final class BuildAuthorizationToken {
-    private final String token;
+    private final Secret token;
 
+    private transient boolean fromPlaintext;
+
+    /**
+     * @deprecated since TODO
+     */
+    @Deprecated
     public BuildAuthorizationToken(String token) {
+        this.token = Secret.fromString(token);
+        this.fromPlaintext = true;
+    }
+
+    /**
+     * @since TODO
+     */
+    public BuildAuthorizationToken(Secret token) {
         this.token = token;
+        this.fromPlaintext = false;
     }
 
     /**
@@ -85,7 +112,7 @@ public static void checkPermission(Job<?, ?> project, BuildAuthorizationToken to
         if (token != null && token.token != null) {
             //check the provided token
             String providedToken = req.getParameter("token");
-            if (providedToken != null && providedToken.equals(token.token))
+            if (providedToken != null && MessageDigest.isEqual(providedToken.getBytes(StandardCharsets.UTF_8), token.getToken().getBytes(StandardCharsets.UTF_8)))
                 return;
             if (providedToken != null)
                 throw new AccessDeniedException(Messages.BuildAuthorizationToken_InvalidTokenProvided());
@@ -110,7 +137,15 @@ public static void checkPermission(Job<?, ?> project, BuildAuthorizationToken to
         checkPermission(project, token, StaplerRequest.toStaplerRequest2(req), StaplerResponse.toStaplerResponse2(rsp));
     }
 
+    @Deprecated
     public String getToken() {
+        return token.getPlainText();
+    }
+
+    /**
+     * @since TODO
+     */
+    public Secret getEncryptedToken() {
         return token;
     }
 
@@ -122,12 +157,44 @@ public boolean canConvert(Class type) {
 
         @Override
         public Object fromString(String str) {
-            return new BuildAuthorizationToken(str);
+            if (Secret.decrypt(str) == null) {
+                return new BuildAuthorizationToken(str);
+            }
+            return new BuildAuthorizationToken(Secret.fromString(str));
         }
 
         @Override
         public String toString(Object obj) {
-            return ((BuildAuthorizationToken) obj).token;
+            final BuildAuthorizationToken bat = (BuildAuthorizationToken) obj;
+            // We assume this only gets called when re-saving to its usual destination, so let's clear the in-memory state:
+            bat.fromPlaintext = false;
+            return bat.token.getEncryptedValue();
+        }
+    }
+
+    @Extension
+    @Restricted(NoExternalUse.class)
+    public static class ItemListenerImpl extends ItemListener {
+        private static final Logger LOGGER = Logger.getLogger(ItemListenerImpl.class.getName());
+
+        @Override
+        public void onUpdated(Item item) {
+            if (item instanceof ParameterizedJobMixIn.ParameterizedJob job) {
+                BuildAuthorizationToken bat = job.getAuthToken();
+                if (bat != null) {
+                    if (bat.fromPlaintext) {
+                        OldDataMonitor.report(item, "2.528.3 / 2.541");
+                        LOGGER.log(Level.FINE, "Reporting " + item.getFullName());
+                    } else {
+                        LOGGER.log(Level.FINE, "Skipping reporting of " + item.getFullName());
+                    }
+                }
+            }
+        }
+
+        @Override
+        public void onLoaded() {
+            Jenkins.get().getAllItems(ParameterizedJobMixIn.ParameterizedJob.class).forEach(this::onUpdated);
         }
     }
 }

core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java

@@ -26,6 +26,7 @@
 
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.model.User;
+import hudson.security.csrf.CrumbIssuer;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
@@ -34,12 +35,14 @@
 import java.io.IOException;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import jenkins.model.Jenkins;
 import jenkins.security.SecurityListener;
 import jenkins.security.seed.UserSeedProperty;
 import jenkins.util.SystemProperties;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.NoExternalUse;
 import org.springframework.http.HttpMethod;
+import org.springframework.security.authentication.InsufficientAuthenticationException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
@@ -55,6 +58,13 @@
 @Restricted(NoExternalUse.class)
 public final class AuthenticationProcessingFilter2 extends UsernamePasswordAuthenticationFilter {
 
+    /**
+     * Escape hatch to disable CSRF protection for login requests.
+     */
+    @Restricted(NoExternalUse.class)
+    @SuppressFBWarnings(value = "MS_SHOULD_BE_FINAL", justification = "for script console")
+    public static /* non-final */ boolean SKIP_CSRF_CHECK = SystemProperties.getBoolean(AuthenticationProcessingFilter2.class.getName() + ".skipCSRFCheck");
+
     @SuppressFBWarnings(value = "HARD_CODE_PASSWORD", justification = "This is a password parameter, not a password")
     public AuthenticationProcessingFilter2(String authenticationGatewayUrl) {
         setRequiresAuthenticationRequestMatcher(PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.POST, "/" + authenticationGatewayUrl));
@@ -63,6 +73,30 @@ public AuthenticationProcessingFilter2(String authenticationGatewayUrl) {
         setPasswordParameter("j_password");
     }
 
+    @Override
+    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
+        if (!SKIP_CSRF_CHECK) {
+            Jenkins jenkins = Jenkins.get();
+            CrumbIssuer crumbIssuer = jenkins.getCrumbIssuer();
+            if (crumbIssuer != null) {
+                String crumbField = crumbIssuer.getCrumbRequestField();
+                String crumbSalt = crumbIssuer.getDescriptor().getCrumbSalt();
+
+                String crumb = request.getParameter(crumbField);
+                if (crumb == null) {
+                    crumb = request.getHeader(crumbField);
+                }
+
+                if (crumb == null || !crumbIssuer.validateCrumb(request, crumbSalt, crumb)) {
+                    LOGGER.log(Level.FINE, "No valid crumb was included in authentication request from {0}", request.getRemoteAddr());
+                    throw new InsufficientAuthenticationException("No valid crumb was included in the request");
+                }
+            }
+        }
+
+        return super.attemptAuthentication(request, response);
+    }
+
     @Override
     protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {
         if (SystemProperties.getInteger(SecurityRealm.class.getName() + ".sessionFixationProtectionMode", 1) == 2) {