From 5a3f65a1e173a71486b2bd23da4523c1153a32ff Mon Sep 17 00:00:00 2001
From: Yaroslav Afenkin
Date: Wed, 19 Jun 2024 10:52:02 +0300
Subject: [PATCH] [SECURITY-2495]
---
 .../plugins/credentials/SecretBytes.java | 15 +++++++++++++++
 .../plugins/credentials/SecretBytesTest.java | 10 ++++++++++
 2 files changed, 25 insertions(+)
diff --git a/src/main/java/com/cloudbees/plugins/credentials/SecretBytes.java b/src/main/java/com/cloudbees/plugins/credentials/SecretBytes.java
index 1b7685b86..5e10cec61 100644
--- a/src/main/java/com/cloudbees/plugins/credentials/SecretBytes.java
+++ b/src/main/java/com/cloudbees/plugins/credentials/SecretBytes.java
@@ -244,7 +244,10 @@ public static byte[] getPlainData(@CheckForNull SecretBytes s) {
 *
 * @param data the data to wrap or decrypt.
 * @return never null
+ *
+ * @deprecated prefer {@link #fromRawBytes(byte[])}
 */
+ @Deprecated
 public static SecretBytes fromBytes(byte[] data) {
 data = data == null ? new byte[0] : data;
 SecretBytes s = decrypt(data);
@@ -254,6 +257,18 @@ public static SecretBytes fromBytes(byte[] data) {
 return s;
 }

+
+ /**
+ * Unlike {@link #fromBytes(byte[])} this won't attempt to decrypt this as a secret. Always treat this as unencrypted bytes.
+ *
+ * @param data the data to wrap
+ * @return secret bytes
+ */
+ public static SecretBytes fromRawBytes(byte[] data) {
+ data = data == null ? new byte[0] : data;
+ return new SecretBytes(false, data);
+ }
+
 /**
 * Attempts to treat the given bytes first as a cipher text, and if it doesn't work,
 * treat the given string as the unencrypted BASE-64 encoded byte array.
diff --git a/src/test/java/com/cloudbees/plugins/credentials/SecretBytesTest.java b/src/test/java/com/cloudbees/plugins/credentials/SecretBytesTest.java
index 02c72f891..3c32b0158 100644
--- a/src/test/java/com/cloudbees/plugins/credentials/SecretBytesTest.java
+++ b/src/test/java/com/cloudbees/plugins/credentials/SecretBytesTest.java
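Review bot: The `@deprecated` tag added to `fromBytes` in the first SecretBytes.java hunk does not say why the method should no longer be used, so maintainers of existing callers cannot tell whether they must migrate. The visible body calls `decrypt(data)` before anything else (the lines between that call and `return s;` fall outside both hunks), so bytes handed in as plain content can presumably be interpreted as an already-encrypted secret, which is the case `fromRawBytes` in the second hunk avoids. I would state that in the tag, e.g. `@deprecated use {@link #fromRawBytes(byte[])} for plain content; this method first tries to decrypt {@code data} and is only appropriate for values produced by {@link #getEncryptedData()}`. The `fromRawBytes` Javadoc in the second hunk could also document the null case the code handles: `@param data the data to wrap, {@code null} is treated as empty` and `@return never null`. Since `@Deprecated` only produces a compiler warning, existing `fromBytes` call sites that pass user-supplied content still have to be located and switched separately.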
@@ -29,6 +29,7 @@
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.lang.RandomStringUtils;
 import org.junit.Test;
+import org.jvnet.hudson.test.Issue;

 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.containsString;
@@ -48,6 +49,15 @@ public void encrypt() {
 assertThat(SecretBytes.fromBytes(secret.getEncryptedData()), is(secret));
 }

+ @Issue("SECURITY-2495")
+ @Test
+ public void fromRawBytesNoPassThrough() {
+ SecretBytes secret = SecretBytes.fromRawBytes("aaaaaaaa\u0002ab".getBytes());
+ assertThat(secret.getPlainData(), is("aaaaaaaa\u0002ab".getBytes()));
+
+ assertThat(secret.getEncryptedData(), not(is("aaaaaaaa\u0002ab".getBytes())));
+ }
+
 @Test
 public void encryptedValuePattern() {
 Random entropy = new Random();
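Review bot: `fromRawBytesNoPassThrough` does not say why the input `"aaaaaaaa\u0002ab"` was chosen, and nothing in the test shows that the deprecated `fromBytes` path would treat it differently, so a reader cannot tell whether the SECURITY-2495 regression is actually pinned. A one-line comment on the input would help, and a round-trip check in the style of the `encrypt()` test above would confirm the stored form decodes back: `assertThat(SecretBytes.fromBytes(secret.getEncryptedData()).getPlainData(), is(raw));` with `raw` a local holding the bytes. The three `getBytes()` calls use the platform default charset; a single local built with `getBytes(StandardCharsets.UTF_8)` keeps the test deterministic and removes the repeated literal. The `null` branch of `fromRawBytes` is not exercised. `encryptedValuePattern()` continues outside the hunk.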