[SECURITY-704]

Author: jglick

pom.xml

@@ -29,7 +29,7 @@
   <parent>
     <groupId>org.jenkins-ci.plugins</groupId>
     <artifactId>plugin</artifactId>
-    <version>2.21</version>
+    <version>3.17</version>
     <relativePath />
   </parent>
 
@@ -55,10 +55,6 @@
     </developer>
   </developers>
 
-  <prerequisites>
-    <maven>2.2.1</maven>
-  </prerequisites>
-
   <scm>
     <connection>scm:git:git://github.com/jenkinsci/ssh-agent-plugin.git</connection>
     <developerConnection>scm:git:[email protected]:jenkinsci/ssh-agent-plugin.git</developerConnection>
@@ -67,9 +63,9 @@
   </scm>
 
   <properties>
-    <jenkins.version>1.609.3</jenkins.version>
-    <java.level>7</java.level> <!-- sshd-core is 7+ -->
-    <workflow-jenkins-plugin.version>1.14.2</workflow-jenkins-plugin.version>
+    <jenkins.version>2.60.3</jenkins.version>
+    <java.level>8</java.level>
+    <workflow-support-plugin.version>2.18</workflow-support-plugin.version>
   </properties>
 
   <repositories>
@@ -97,18 +93,6 @@
       <artifactId>tomcat-apr</artifactId>
       <version>5.5.23</version>
     </dependency>
-    <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-api</artifactId>
-      <version>1.7.7</version>
-      <scope>provided</scope>
-    </dependency>
-    <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-jdk14</artifactId>
-      <version>1.7.7</version>
-      <scope>provided</scope>
-    </dependency>
     <dependency>
       <groupId>com.cloudbees.util</groupId>
       <artifactId>jnr-unixsocket-nodep</artifactId>
@@ -117,72 +101,103 @@
     <dependency>
       <groupId>org.jenkins-ci.plugins.workflow</groupId>
       <artifactId>workflow-step-api</artifactId>
-      <version>${workflow-jenkins-plugin.version}</version>
+      <version>2.16</version>
     </dependency>
 
     <!-- plugin dependencies -->
     <dependency>
       <groupId>org.jenkins-ci.plugins</groupId>
       <artifactId>credentials</artifactId>
-      <version>2.1.1</version>
+      <version>2.1.17</version>
     </dependency>
     <dependency>
       <groupId>org.jenkins-ci.plugins</groupId>
       <artifactId>ssh-credentials</artifactId>
-      <version>1.11</version>
+      <version>1.14</version>
     </dependency>
     <dependency>
       <groupId>org.jenkins-ci.plugins</groupId>
       <artifactId>bouncycastle-api</artifactId>
-      <version>1.0.2</version>
+      <version>2.16.3</version>
     </dependency>
     <!-- jenkins dependencies -->
     <!-- test dependencies -->
+    <dependency>
+      <groupId>org.jenkins-ci.plugins.workflow</groupId>
+      <artifactId>workflow-api</artifactId>
+      <version>2.27</version>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>org.jenkins-ci.plugins.workflow</groupId>
       <artifactId>workflow-job</artifactId>
-      <version>${workflow-jenkins-plugin.version}</version>
+      <version>2.12.2</version>
       <scope>test</scope>
     </dependency>
     <dependency>
       <groupId>org.jenkins-ci.plugins.workflow</groupId>
       <artifactId>workflow-basic-steps</artifactId>
-      <version>${workflow-jenkins-plugin.version}</version>
+      <version>2.8</version>
       <scope>test</scope>
     </dependency>
     <dependency>
       <groupId>org.jenkins-ci.plugins.workflow</groupId>
       <artifactId>workflow-durable-task-step</artifactId>
-      <version>${workflow-jenkins-plugin.version}</version>
+      <version>2.19</version>
       <scope>test</scope>
     </dependency>
     <dependency>
       <groupId>org.jenkins-ci.plugins.workflow</groupId>
       <artifactId>workflow-cps</artifactId>
-      <version>${workflow-jenkins-plugin.version}</version>
+      <version>2.45</version>
       <scope>test</scope>
     </dependency>
     <dependency>
       <groupId>org.jenkins-ci.plugins.workflow</groupId>
       <artifactId>workflow-support</artifactId>
-      <version>${workflow-jenkins-plugin.version}</version>
+      <version>${workflow-support-plugin.version}</version>
+      <scope>test</scope>
+     </dependency>
+    <dependency>
+      <groupId>org.jenkins-ci.plugins.workflow</groupId>
+      <artifactId>workflow-support</artifactId>
+      <version>${workflow-support-plugin.version}</version>
       <classifier>tests</classifier>
       <scope>test</scope>
      </dependency>
-    <dependency> <!-- TODO Jenkins sshd (1.6) depends on sshd-core 0.8, which is incompatible with 1.0 -->
-      <groupId>org.jenkins-ci.main</groupId>
-      <artifactId>jenkins-war</artifactId>
-      <version>${jenkins.version}</version>
-      <classifier>war-for-test</classifier>
+    <dependency>
+      <groupId>org.jenkins-ci.plugins</groupId>
+      <artifactId>docker-workflow</artifactId>
+      <version>1.17</version>
       <scope>test</scope>
-      <exclusions>
-        <exclusion>
-          <groupId>org.jenkins-ci.modules</groupId>
-          <artifactId>sshd</artifactId>
-        </exclusion>
-      </exclusions>
     </dependency>
   </dependencies>
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>org.jenkins-ci.plugins</groupId>
+        <artifactId>structs</artifactId>
+        <version>1.14</version>
+      </dependency>
+      <dependency>
+        <groupId>org.jenkins-ci</groupId>
+        <artifactId>symbol-annotation</artifactId>
+        <version>1.14</version>
+      </dependency>
+      <dependency>
+        <groupId>org.jenkins-ci.plugins</groupId>
+        <artifactId>script-security</artifactId>
+        <version>1.44</version>
+        <scope>test</scope>
+      </dependency>
+      <dependency>
+        <groupId>org.jenkins-ci.plugins</groupId>
+        <artifactId>scm-api</artifactId>
+        <version>2.2.7</version>
+        <scope>test</scope>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
 
   <build>
     <plugins>

src/main/java/com/cloudbees/jenkins/plugins/sshagent/SSHAgentStepExecution.java

@@ -63,7 +63,7 @@ public boolean start() throws Exception {
         initRemoteAgent();
         context.newBodyInvoker().
                 withContext(EnvironmentExpander.merge(getContext().get(EnvironmentExpander.class), new ExpanderImpl(this))).
-                withCallback(new Callback(this)).withDisplayName(null).start();
+                withCallback(new Callback(this)).start();
         return false;
     }
 

src/main/java/com/cloudbees/jenkins/plugins/sshagent/exec/ExecRemoteAgent.java

@@ -105,7 +105,11 @@ public void addIdentity(String privateKey, final String passphrase, String comme
                     env.put("DISPLAY", ":0"); // just to force using SSH_ASKPASS
                     env.put("SSH_ASKPASS", askpass.getRemote());
                 }
-                if (launcher.launch().cmds("ssh-add", keyFile.getRemote()).envs(env).stdout(listener).start().joinWithTimeout(1, TimeUnit.MINUTES, listener) != 0) {
+                
+                // as the next command is in quiet mode, we just add a message to the log
+                launcher.getListener().getLogger().println("Running ssh-add (command line suppressed)");
+                
+                if (launcher.launch().quiet(true).cmds("ssh-add", keyFile.getRemote()).envs(env).stdout(listener).start().joinWithTimeout(1, TimeUnit.MINUTES, listener) != 0) {
                     throw new AbortException("Failed to run ssh-add");
                 }
             } finally {

src/test/java/com/cloudbees/jenkins/plugins/sshagent/SSHAgentStepWorkflowTest.java

@@ -5,10 +5,10 @@
 import com.cloudbees.plugins.credentials.CredentialsProvider;
 import com.cloudbees.plugins.credentials.CredentialsScope;
 import com.cloudbees.plugins.credentials.SystemCredentialsProvider;
-import com.cloudbees.plugins.credentials.domains.Domain;
-import hudson.Util;
+import hudson.Launcher;
 import hudson.model.Fingerprint;
-import hudson.util.Secret;
+import hudson.util.StreamTaskListener;
+import java.io.IOException;
 import org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition;
 import org.jenkinsci.plugins.workflow.cps.CpsFlowExecution;
 import org.jenkinsci.plugins.workflow.job.WorkflowJob;
@@ -26,14 +26,17 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Scanner;
-import java.util.regex.Matcher;
+import java.util.concurrent.TimeUnit;
 import java.util.regex.Pattern;
 
-import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.Matchers.is;
 import static org.hamcrest.core.IsCollectionContaining.hasItem;
 import static org.hamcrest.core.IsNull.notNullValue;
 import static org.hamcrest.core.IsNull.nullValue;
+import org.jenkinsci.plugins.docker.commons.tools.DockerTool;
+import org.jenkinsci.plugins.docker.workflow.client.DockerClient;
 import static org.junit.Assert.*;
+import static org.junit.Assume.*;
 
 public class SSHAgentStepWorkflowTest extends SSHAgentBase {
 
@@ -191,4 +194,41 @@ public void evaluate() throws Throwable {
             }
         });
     }
+
+    @Issue("SECURITY-704")
+    @Test
+    public void sshAgentDocker() throws Exception {
+        story.then(r -> {
+            // From org.jenkinsci.plugins.docker.workflow.DockerTestUtil:
+            Launcher.LocalLauncher localLauncher = new Launcher.LocalLauncher(StreamTaskListener.NULL);
+            try {
+                assumeThat("Docker working", localLauncher.launch().cmds(DockerTool.getExecutable(null, null, null, null), "ps").start().joinWithTimeout(DockerClient.CLIENT_TIMEOUT, TimeUnit.SECONDS, localLauncher.getListener()), is(0));
+            } catch (IOException x) {
+                assumeNoException("have Docker installed", x);
+            }
+
+            List<String> credentialIds = new ArrayList<String>();
+            credentialIds.add(CREDENTIAL_ID);
+
+            SSHUserPrivateKey key = new BasicSSHUserPrivateKey(CredentialsScope.GLOBAL, credentialIds.get(0), "x",
+                    new BasicSSHUserPrivateKey.DirectEntryPrivateKeySource(getPrivateKey()), "cloudbees", "test");
+            SystemCredentialsProvider.getInstance().getCredentials().add(key);
+            SystemCredentialsProvider.getInstance().save();
+
+            WorkflowJob job = r.createProject(WorkflowJob.class, "sshAgentDocker");
+            job.setDefinition(new CpsFlowDefinition(""
+                + "node('" + r.createSlave().getNodeName() + "') {\n"
+                + "  withDockerContainer('kroniak/ssh-client') {\n"
+                + "    sh 'ssh-agent -k || :'\n"
+                + "    sshagent(credentials: ['" + CREDENTIAL_ID + "']) {\n"
+                + "      sh 'env'\n"
+                + "    }\n"
+                + "  }\n"
+                + "}\n", true)
+            );
+            WorkflowRun b = r.buildAndAssertSuccess(job);
+            r.assertLogNotContains("cloudbees", b);
+        });
+    }
+
 }