Continuum

Secure working copies of Continuum build agents

Details

  • Complexity:
    Intermediate
  • Number of attachments :
    0

Description

When CONTINUUM-2545 (Add WebDAV interface to continuum build agent for displaying the working copies) was implemented, there was no security implemented so anyone can access the working copies via webdav.

Issue Links

is related to

New Feature - A new feature of the product, which has yet to be developed. CONTINUUM-2545 Add WebDAV interface to continuum build agent for displaying the working copies

  • Major - Major loss of function.
  • Closed - The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.

Improvement - An improvement or enhancement to an existing feature or task. CONTINUUM-2044 Build agent should only accept requests from its master

  • Major - Major loss of function.
  • Closed - The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Maria Odea Ching added a comment -

Related discussions in the dev list for this issue:

http://old.nabble.com/Added-WebDAV-interface-for-displaying-the-working-copies-from-build--agent-td29202005.html
http://old.nabble.com/Build-agent-security-td30547566.html
http://old.nabble.com/How-can-an-agent-be-sure-that-a-request-comes-from-its-master--td21546892.html

Show
Maria Odea Ching added a comment - Related discussions in the dev list for this issue: http://old.nabble.com/Added-WebDAV-interface-for-displaying-the-working-copies-from-build--agent-td29202005.html http://old.nabble.com/Build-agent-security-td30547566.html http://old.nabble.com/How-can-an-agent-be-sure-that-a-request-comes-from-its-master--td21546892.html
Hide
Permalink
Maria Odea Ching added a comment -

Fix committed to trunk -r1140480.

With the committed implementation, it is no longer possible to browse the working copies in the build agent directly. Only the build agent's master is allowed to access it. I made use of the shared secret key/password to verify that the request came from the master. If the password attached to the request matches the sharedSecretPassword configured in the build agent, the request would be allowed. Otherwise, a 401 error will be returned.

Show
Maria Odea Ching added a comment - Fix committed to trunk -r1140480 . With the committed implementation, it is no longer possible to browse the working copies in the build agent directly. Only the build agent's master is allowed to access it. I made use of the shared secret key/password to verify that the request came from the master. If the password attached to the request matches the sharedSecretPassword configured in the build agent, the request would be allowed. Otherwise, a 401 error will be returned.

People

  • Assignee:
    Maria Odea Ching
    Reporter:
    Maria Odea Ching
Vote (0)
Watch (0)

Dates

  • Created:
    Updated:
    Resolved: