Commit 01c46ba2, authored Jan 16, 2018 by Jesse Glick
Removing XStream2Security247Test as it no longer reproduces SECURITY-247.
Parent: e42886c9
Showing 2 changed files with 0 additions and 163 deletions (+0 -163)
test/src/test/java/hudson/util/XStream2Security247Test.java (+0 -136)
test/src/test/resources/hudson/util/XStream2Security247Test/config.xml (+0 -27)
test/src/test/java/hudson/util/XStream2Security247Test.java
Deleted, 100644 → 0, view file @ e42886c9
package
hudson.util
;
import
hudson.model.Items
;
import
org.apache.commons.io.*
;
import
org.apache.commons.io.IOUtils
;
import
org.junit.Before
;
import
org.junit.Rule
;
import
org.junit.Test
;
import
org.junit.rules.TemporaryFolder
;
import
org.jvnet.hudson.test.Issue
;
import
org.jvnet.hudson.test.JenkinsRule
;
import
org.kohsuke.stapler.StaplerRequest
;
import
org.kohsuke.stapler.StaplerResponse
;
import
org.mockito.Mock
;
import
org.mockito.MockitoAnnotations
;
import
javax.servlet.ReadListener
;
import
javax.servlet.ServletInputStream
;
import
java.io.File
;
import
java.io.IOException
;
import
java.io.InputStream
;
import
static
org
.
junit
.
Assert
.
assertFalse
;
import
static
org
.
mockito
.
Mockito
.
when
;
public
class
XStream2Security247Test
{
@Rule
public
JenkinsRule
j
=
new
JenkinsRule
();
@Rule
public
TemporaryFolder
f
=
new
TemporaryFolder
();
@Mock
private
StaplerRequest
req
;
@Mock
private
StaplerResponse
rsp
;
@Before
public
void
setUp
()
throws
Exception
{
MockitoAnnotations
.
initMocks
(
this
);
}
@Test
@Issue
(
"SECURITY-247"
)
public
void
testXmlLoad
()
throws
Exception
{
File
exploitFile
=
f
.
newFile
();
try
{
// be extra sure there's no file already
if
(
exploitFile
.
exists
()
&&
!
exploitFile
.
delete
())
{
throw
new
IllegalStateException
(
"file exists and cannot be deleted"
);
}
File
tempJobDir
=
new
File
(
j
.
jenkins
.
getRootDir
(),
"security247"
);
String
exploitXml
=
org
.
apache
.
commons
.
io
.
IOUtils
.
toString
(
XStream2Security247Test
.
class
.
getResourceAsStream
(
"/hudson/util/XStream2Security247Test/config.xml"
),
"UTF-8"
);
exploitXml
=
exploitXml
.
replace
(
"@TOKEN@"
,
exploitFile
.
getAbsolutePath
());
FileUtils
.
write
(
new
File
(
tempJobDir
,
"config.xml"
),
exploitXml
);
try
{
Items
.
load
(
j
.
jenkins
,
tempJobDir
);
}
catch
(
Exception
e
)
{
// ignore
}
assertFalse
(
"no file should be created here"
,
exploitFile
.
exists
());
}
finally
{
exploitFile
.
delete
();
}
}
@Test
@Issue
(
"SECURITY-247"
)
public
void
testPostJobXml
()
throws
Exception
{
File
exploitFile
=
f
.
newFile
();
try
{
// be extra sure there's no file already
if
(
exploitFile
.
exists
()
&&
!
exploitFile
.
delete
())
{
throw
new
IllegalStateException
(
"file exists and cannot be deleted"
);
}
File
tempJobDir
=
new
File
(
j
.
jenkins
.
getRootDir
(),
"security247"
);
String
exploitXml
=
org
.
apache
.
commons
.
io
.
IOUtils
.
toString
(
XStream2Security247Test
.
class
.
getResourceAsStream
(
"/hudson/util/XStream2Security247Test/config.xml"
),
"UTF-8"
);
exploitXml
=
exploitXml
.
replace
(
"@TOKEN@"
,
exploitFile
.
getAbsolutePath
());
when
(
req
.
getMethod
()).
thenReturn
(
"POST"
);
when
(
req
.
getInputStream
()).
thenReturn
(
new
Stream
(
IOUtils
.
toInputStream
(
exploitXml
)));
when
(
req
.
getContentType
()).
thenReturn
(
"application/xml"
);
when
(
req
.
getParameter
(
"name"
)).
thenReturn
(
"foo"
);
try
{
j
.
jenkins
.
doCreateItem
(
req
,
rsp
);
}
catch
(
Exception
e
)
{
// don't care
}
assertFalse
(
"no file should be created here"
,
exploitFile
.
exists
());
}
finally
{
exploitFile
.
delete
();
}
}
private
static
class
Stream
extends
ServletInputStream
{
private
final
InputStream
inner
;
public
Stream
(
final
InputStream
inner
)
{
this
.
inner
=
inner
;
}
@Override
public
int
read
()
throws
IOException
{
return
inner
.
read
();
}
@Override
public
boolean
isFinished
()
{
return
false
;
}
@Override
public
boolean
isReady
()
{
return
true
;
}
@Override
public
void
setReadListener
(
ReadListener
readListener
)
{
throw
new
UnsupportedOperationException
();
}
}
}
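Review bot: Deleting testXmlLoad and testPostJobXml drops the SECURITY-247 checks on Items.load and j.jenkins.doCreateItem with nothing added in their place, so the commit message should say what changed so that the payload no longer reproduces and name the test that now covers these two entry points. The removal itself is defensible: both methods catch Exception and discard it ("// ignore", "// don't care") and assert only that exploitFile does not exist, so they pass on any failure before deserialization, not only when the payload is rejected. A replacement should assert on the rejection itself rather than on a missing file.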
test/src/test/resources/hudson/util/XStream2Security247Test/config.xml
Deleted, 100644 → 0, view file @ e42886c9
<map>
<entry>
<groovy.util.Expando>
<expandoProperties>
<entry>
<string>
hashCode
</string>
<org.codehaus.groovy.runtime.MethodClosure>
<delegate
class=
"groovy.util.Expando"
reference=
"../../../.."
/>
<owner
class=
"java.lang.ProcessBuilder"
>
<command>
<string>
touch
</string>
<string>
@TOKEN@
</string>
</command>
<redirectErrorStream>
false
</redirectErrorStream>
</owner>
<resolveStrategy>
0
</resolveStrategy>
<directive>
0
</directive>
<parameterTypes/>
<maximumNumberOfParameters>
0
</maximumNumberOfParameters>
<method>
start
</method>
</org.codehaus.groovy.runtime.MethodClosure>
</entry>
</expandoProperties>
</groovy.util.Expando>
<int>
1
</int>
</entry>
</map>
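Review bot: The fixture's only observable effect is the ProcessBuilder <command> of touch and @TOKEN@, so the deleted assertFalse also held on any host where touch is missing or the process fails to start, which makes the fixture a weak signal and supports removing it. Before dropping the resource, confirm nothing else loads /hudson/util/XStream2Security247Test/config.xml; the visible references are the two getResourceAsStream calls in the deleted test class.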