SECURITY-2186

Author: Pldi23

pom.xml

@@ -216,6 +216,12 @@
             <systemPropertyVariables>
               <hudson.remoting.ExportTable.exportTraces>true</hudson.remoting.ExportTable.exportTraces>
             </systemPropertyVariables>
+            <!--            Security2186Test-->
+            <environmentVariables>
+              <test2186.trustStorePassword>agsdfaksdgFASKD</test2186.trustStorePassword>
+            </environmentVariables>
+            <argLine>-Dtest2186.trustStorePassword=ASJDHFGASLDFG</argLine>
+
           </configuration>
         </plugin>
       </plugins>

src/main/java/com/cloudbees/jenkins/support/api/BaseFileContent.java

@@ -45,7 +45,9 @@
 import java.io.PrintWriter;
 import java.nio.file.Files;
 import java.nio.file.NoSuchFileException;
+import java.util.function.Function;
 import java.util.function.Supplier;
+import java.util.function.UnaryOperator;
 
 /**
  * Utility class with the common logic to FileContent and UnfilteredFileContent.
@@ -56,18 +58,37 @@
 class BaseFileContent {
     private final File file;
     private final Supplier<InputStream> inputStreamSupplier;
+
+    /**
+     * the function to filter secret text if comes from {@link com.cloudbees.jenkins.support.configfiles.XmlRedactedSecretFileContent} or {@link com.cloudbees.jenkins.support.api.LaunchLogsFileContent}
+     */
+    private final Function<String, String> secretsFilterFunction;
     private final long maxSize;
     private final boolean isBinary;
 
     private final static String ENCODING = "UTF-8";
 
+    /**
+     *  @deprecated (as it is placed in the api package we keep backward compatibility, no relevant usage was found)
+     */
+    @Deprecated
     protected BaseFileContent(File file, Supplier<InputStream> inputStreamSupplier) {
-        this(file, inputStreamSupplier, -1);
+        this(file, inputStreamSupplier, -1, s -> s);
     }
 
+    protected BaseFileContent(File file, Supplier<InputStream> inputStreamSupplier, UnaryOperator<String> secretsFilterFunction) {
+        this(file, inputStreamSupplier, -1, secretsFilterFunction);
+    }
+
+    @Deprecated
     protected BaseFileContent(File file, Supplier<InputStream> inputStreamSupplier, long maxSize) {
+        this(file, inputStreamSupplier, maxSize, s -> s);
+    }
+
+    protected BaseFileContent(File file, Supplier<InputStream> inputStreamSupplier, long maxSize, UnaryOperator<String>secretsFilterFunction) {
         this.file = file;
         this.inputStreamSupplier = inputStreamSupplier;
+        this.secretsFilterFunction = secretsFilterFunction;
         this.maxSize = maxSize;
         this.isBinary = isBinary();
     }
@@ -106,7 +127,7 @@ protected void writeTo(OutputStream os, ContentFilter filter) throws IOException
         try {
             if (maxSize == -1) {
                 for (String s : Files.readAllLines(file.toPath())) {
-                    String filtered = ContentFilter.filter(filter, s);
+                    String filtered = ContentFilter.filter(filter, secretsFilterFunction.apply(s));
                     IOUtils.write(filtered, os, ENCODING);
                     // The new line
                     IOUtils.write("\n", os, ENCODING);
@@ -115,7 +136,7 @@ protected void writeTo(OutputStream os, ContentFilter filter) throws IOException
                 try (TruncatedFileReader reader = new TruncatedFileReader(file, maxSize)) {
                     String s;
                     while ((s = reader.readLine()) != null) {
-                        String filtered = ContentFilter.filter(filter, s);
+                        String filtered = ContentFilter.filter(filter, secretsFilterFunction.apply(s));
                         IOUtils.write(filtered, os, ENCODING);
                         // The new line
                         IOUtils.write("\n", os, ENCODING);

src/main/java/com/cloudbees/jenkins/support/api/FileContent.java

@@ -91,6 +91,10 @@ protected InputStream getInputStream() throws IOException {
         return new FileInputStream(file);
     }
 
+    protected String getSimpleValueOrRedactedPassword(String value) {
+        return value;
+    }
+
     private BaseFileContent createBaseFileContent(File file, long maxSize) {
         Supplier<InputStream> supplier = () -> {
             try {
@@ -99,6 +103,6 @@ private BaseFileContent createBaseFileContent(File file, long maxSize) {
                 return new ByteArrayInputStream(Functions.printThrowable(e).getBytes(StandardCharsets.UTF_8));
             }
         };
-        return  new BaseFileContent(file, supplier, maxSize);
+        return  new BaseFileContent(file, supplier, maxSize, this::getSimpleValueOrRedactedPassword);
     }
 }

src/main/java/com/cloudbees/jenkins/support/api/FilePathContent.java

@@ -24,14 +24,22 @@
 
 package com.cloudbees.jenkins.support.api;
 
+import com.cloudbees.jenkins.support.filter.FilteredOutputStream;
+import com.cloudbees.jenkins.support.filter.PasswordRedactor;
 import hudson.FilePath;
 import hudson.Functions;
+import org.apache.commons.io.IOUtils;
 
+import java.io.BufferedReader;
 import java.io.FileNotFoundException;
 import java.io.IOException;
+import java.io.InputStreamReader;
 import java.io.OutputStream;
 import java.io.OutputStreamWriter;
 import java.io.PrintWriter;
+import java.nio.charset.CharsetDecoder;
+import java.nio.charset.CodingErrorAction;
+import java.nio.charset.StandardCharsets;
 import java.nio.file.NoSuchFileException;
 
 /**
@@ -60,7 +68,11 @@ public FilePathContent(String name, String[] filterableParameters, FilePath file
     @Override
     public void writeTo(OutputStream os) throws IOException {
         try {
-            file.copyTo(os);
+            if (PasswordRedactor.FILES_WITH_SECRETS.contains(file.getName())) {
+                copyRedacted(os);
+            } else {
+                file.copyTo(os);
+            }
         } catch (InterruptedException e) {
             throw new IOException(e);
         } catch (IOException e) {
@@ -92,4 +104,18 @@ public long getTime() throws IOException {
             throw new IOException(e);
         }
     }
+
+    private void copyRedacted(OutputStream os) throws IOException, InterruptedException {
+        CharsetDecoder charsetDecoder = StandardCharsets.UTF_8.newDecoder()
+                .onMalformedInput(CodingErrorAction.REPLACE)
+                .onUnmappableCharacter(CodingErrorAction.REPLACE)
+                .replaceWith(FilteredOutputStream.UNKNOWN_INPUT);
+
+        try (BufferedReader br = new BufferedReader(new InputStreamReader(file.read(), charsetDecoder))) {
+            String line;
+            while ((line = br.readLine()) != null) {
+                IOUtils.write(PasswordRedactor.get().redact(line), os, charsetDecoder.charset());
+            }
+        }
+    }
 }

src/main/java/com/cloudbees/jenkins/support/api/LaunchLogsFileContent.java

@@ -0,0 +1,36 @@
+package com.cloudbees.jenkins.support.api;
+
+import com.cloudbees.jenkins.support.filter.PasswordRedactor;
+import org.apache.commons.io.IOUtils;
+import java.io.ByteArrayInputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.charset.Charset;
+import java.util.List;
+import java.util.stream.Collectors;
+
+public class LaunchLogsFileContent extends FileContent {
+
+    public LaunchLogsFileContent(String name, String[] filterableParameters, File file, long maxSize) {
+        super(name, filterableParameters, file, maxSize);
+    }
+
+    @Override
+    protected InputStream getInputStream() throws IOException {
+        try(FileInputStream inputStream = new FileInputStream(file)) {
+            List<String> strings = IOUtils.readLines(inputStream, Charset.defaultCharset());
+            byte[] bytes = strings.stream()
+                    .map(line -> PasswordRedactor.get().redact(line))
+                    .collect(Collectors.joining("\n", "", "\n"))
+                    .getBytes(Charset.defaultCharset());
+            return new ByteArrayInputStream(bytes);
+        }
+    }
+
+    @Override
+    protected String getSimpleValueOrRedactedPassword(String value) {
+        return PasswordRedactor.get().redact(value);
+    }
+}

src/main/java/com/cloudbees/jenkins/support/api/UnfilteredFileContent.java

@@ -94,7 +94,7 @@ private BaseFileContent createBaseFileContent(File file, long maxSize) {
                 return null;
             }
         };
-        return new BaseFileContent(file, supplier, maxSize);
+        return new BaseFileContent(file, supplier, maxSize, s -> s);
     }
 
     @Override

src/main/java/com/cloudbees/jenkins/support/configfiles/SecretHandler.java

@@ -1,5 +1,6 @@
 package com.cloudbees.jenkins.support.configfiles;
 
+import com.cloudbees.jenkins.support.filter.PasswordRedactor;
 import com.cloudbees.plugins.credentials.SecretBytes;
 import hudson.util.Secret;
 import org.apache.commons.io.FileUtils;
@@ -63,6 +64,7 @@ public static String findSecrets(File xmlFile) throws SAXException, IOException,
 
         XMLReader xr = new XMLFilterImpl(XMLReaderFactory.createXMLReader()) {
             private String tagName = "";
+            private String previousStringTagValue;
 
             @Override
             public void startElement(String uri, String localName, String qName, Attributes atts)
@@ -87,6 +89,21 @@ public void characters(char[] ch, int start, int length) throws SAXException {
                             ch = SECRET_MARKER.toCharArray();
                             start = 0;
                             length = ch.length;
+                        } else if (isJvmArgsWithSecrets(tagName, value)) {
+                            ch = PasswordRedactor.get().redact(value).toCharArray();
+                            start = 0;
+                            length = ch.length;
+                        } else if ("string".equals(tagName)) {
+                            if (previousStringTagValue != null) {
+                                if (PasswordRedactor.get().match(previousStringTagValue)) {
+                                    ch = PasswordRedactor.REDACTED.toCharArray();
+                                    start = 0;
+                                    length = ch.length;
+                                }
+                                previousStringTagValue = null;
+                            } else {
+                                previousStringTagValue = value;
+                            }
                         }
                     }
                 }
@@ -153,4 +170,8 @@ private static Source createSafeSource(XMLReader reader, InputSource source) {
         return new SAXSource(reader, source);
     }
 
+    private static boolean isJvmArgsWithSecrets(String tagName, String value) {
+        return ("jvmOptions".equals(tagName) || "vmargs".equals(tagName) || "cmd".equals(tagName)) && PasswordRedactor.get().match(value);
+    }
+
 }

src/main/java/com/cloudbees/jenkins/support/configfiles/XmlRedactedSecretFileContent.java

@@ -1,6 +1,7 @@
 package com.cloudbees.jenkins.support.configfiles;
 
 import com.cloudbees.jenkins.support.api.FileContent;
+import com.cloudbees.jenkins.support.filter.PasswordRedactor;
 import org.xml.sax.SAXException;
 
 import javax.xml.transform.TransformerException;
@@ -11,6 +12,11 @@
 
 class XmlRedactedSecretFileContent extends FileContent {
 
+    private static final String STRING_TAG = "<string>";
+    private static final String CLOSE_STRING_TAG = "</string>";
+
+    private String previousStringTagValue;
+
     public XmlRedactedSecretFileContent(String name, File file) {
         super(name, file);
     }
@@ -27,4 +33,25 @@ protected InputStream getInputStream() throws IOException {
             throw new IOException(e);
         }
     }
+
+    @Override
+    protected String getSimpleValueOrRedactedPassword(String value) {
+        if (value.contains(STRING_TAG)) {
+            return redactStringTagIfNeeded(value);
+        }
+        return PasswordRedactor.get().redact(value);
+    }
+
+    private String redactStringTagIfNeeded(String value) {
+        if (previousStringTagValue != null) {
+            if (previousStringTagValue.contains(STRING_TAG) && PasswordRedactor.get().match(previousStringTagValue)) {
+                previousStringTagValue = null;
+                return value.substring(0, value.indexOf(STRING_TAG)) + STRING_TAG + PasswordRedactor.REDACTED + CLOSE_STRING_TAG;
+            }
+            previousStringTagValue = null;
+            return value;
+        }
+        previousStringTagValue = value;
+        return value;
+    }
 }

src/main/java/com/cloudbees/jenkins/support/filter/FilteredOutputStream.java

@@ -54,7 +54,7 @@
 @Restricted(NoExternalUse.class)
 public class FilteredOutputStream extends FilterOutputStream {
 
-    private static final String UNKNOWN_INPUT = "\uFFFD";
+    public static final String UNKNOWN_INPUT = "\uFFFD";
 
     @GuardedBy("this")
     private final ByteBuffer encodedBuf = ByteBuffer.allocate(256);

src/main/java/com/cloudbees/jenkins/support/filter/PasswordRedactor.java

@@ -0,0 +1,81 @@
+package com.cloudbees.jenkins.support.filter;
+
+import hudson.Extension;
+import hudson.ExtensionList;
+import org.jenkinsci.remoting.SerializableOnlyOverRemoting;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+@Extension
+public class PasswordRedactor implements SerializableOnlyOverRemoting {
+
+    private static final Logger LOGGER = Logger.getLogger(PasswordRedactor.class.getName());
+    public static final String REDACTED = "REDACTED";
+    public static final List<String> FILES_WITH_SECRETS = Collections.unmodifiableList(Arrays.asList("cmdline", "environ"));
+
+    private final Pattern pattern;
+    private final String matcher;
+
+    public static PasswordRedactor get() {
+        return ExtensionList.lookupSingleton(PasswordRedactor.class);
+    }
+
+    public PasswordRedactor() {
+        this.pattern = PasswordRedactorRegexBuilder.PASSWORD_PATTERN;
+        this.matcher = PasswordRedactorRegexBuilder.SECRET_PROPERTY_MATCHER;
+    }
+
+    // for tests usage
+    PasswordRedactor(Pattern pattern, String matcher) {
+        this.pattern = pattern;
+        this.matcher = matcher;
+    }
+
+    public String redact(String input) {
+        if (pattern == null) {
+            // 'security-stop-words.txt' is empty
+            return input;
+        }
+        Matcher patternMatcher = pattern.matcher(input);
+        while (patternMatcher.find()) {
+            LOGGER.log(Level.FINE, "Argument ''{0}'' contain secret data", patternMatcher.group(1));
+            String secretValue = patternMatcher.group(2);
+            input = input.replaceFirst("=\\s*" + Pattern.quote(secretValue), "=" + REDACTED);
+        }
+        return input;
+    }
+
+    public Map<String, String> redact(Map<String, String> properties) {
+        if (matcher == null) {
+            // 'security-stop-words.txt' is empty
+            return properties;
+        }
+        Map<String, String> redacted = new HashMap<>();
+        for (Map.Entry<String, String> entry : properties.entrySet()) {
+            if (entry.getKey().matches(matcher)) {
+                LOGGER.log(Level.FINE, "Argument ''{0}'' contain secret data", entry.getKey());
+                redacted.put(entry.getKey(), REDACTED);
+            } else {
+                redacted.put(entry.getKey(), redact(entry.getValue()));
+            }
+        }
+        return redacted;
+    }
+
+    public boolean match(String value) {
+        if (matcher == null) {
+            // 'security-stop-words.txt' is empty
+            return false;
+        }
+        return value.matches(matcher);
+    }
+
+}