[JIRA] (JENKINS-55557) Support oAuth2.0 state parameter

[ikakavas+jenkinsio@protonmail.com (JIRA)]

Ioannis Kakavas created an issue

Jenkins / JENKINS-55557 Support oAuth2.0 state parameter Issue Type: Improvement Assignee: Sam Gleske Components: github-oauth-plugin Created: 2019-01-13 16:59 Priority: Major Reporter: Ioannis Kakavas The current implementation does not support the `state` parameter in the oAuth2 authorization request it sends to the Github AS when attempting to authorize the plugin for a user.  As such, it is vulnerable to CSRF attacks against redirect URI as described in [1]  The state parameter is supported by the Github API [2] , so support could be added in the github-oauth-plugin also.   [1] https://tools.ietf.org/html/rfc6819#section-4.4.1.8 [2] https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/#web-application-flow Add Comment

This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

[ikakavas+jenkinsio@protonmail.com (JIRA)]

Ioannis Kakavas commented on JENKINS-55557

Re: Support oAuth2.0 state parameter I opened https://github.com/jenkinsci/github-oauth-plugin/pull/107 to resolve this issue.

Add Comment

[sam.mxracer@gmail.com (JIRA)]

Sam Gleske resolved as Fixed

Resolving as fixed in 0.33 (originally attempted rolling out 0.32 but it had critical authorization bugs). In the future, please do not disclose security vulnerabilities like this in the public issue tracker. Responsibly disclose by following https://jenkins.io/security/

Jenkins / JENKINS-55557 Support oAuth2.0 state parameter

Change By: Sam Gleske Status: Open Resolved Resolution: Fixed

Add Comment

[sam.mxracer@gmail.com (JIRA)]

Sam Gleske commented on JENKINS-55557

Re: Support oAuth2.0 state parameter

Regardless, thanks for the fix.

Add Comment

[sam.mxracer@gmail.com (JIRA)]

Sam Gleske edited a comment on JENKINS-55557

Re: Support oAuth2.0 state parameter

Regardless, thanks Thanks for the fix.

Add Comment