From 2ce5036cb06a7dab0d4868e9539c8d42e7a5678c Mon Sep 17 00:00:00 2001
From: Oleg Nenashev <o.v.nenashev@gmail.com>
Date: Wed, 14 Feb 2018 13:29:43 +0100
Subject: [PATCH] [JENKINS-49543] - Add direct unit test for module class
 whitelisting

(cherry picked from commit 800668ba4305964afe59d8744fcfc24013ff6ee6)
---
 .../main/java/jenkins/security/ClassFilterImpl.java  |  4 +++-
 .../java/jenkins/security/ClassFilterImplTest.java   | 12 ++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/core/src/main/java/jenkins/security/ClassFilterImpl.java b/core/src/main/java/jenkins/security/ClassFilterImpl.java
index 0c554232b4..22e4645557 100644
--- a/core/src/main/java/jenkins/security/ClassFilterImpl.java
+++ b/core/src/main/java/jenkins/security/ClassFilterImpl.java
@@ -24,6 +24,7 @@
 
 package jenkins.security;
 
+import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.ImmutableSet;
 import hudson.ExtensionList;
 import hudson.Main;
@@ -105,7 +106,8 @@ public class ClassFilterImpl extends ClassFilter {
         ClassFilter.setDefault(ClassFilter.NONE); // even Method on the standard blacklist is going to explode
     }
 
-    private ClassFilterImpl() {}
+    @VisibleForTesting
+    /*package*/ ClassFilterImpl() {}
 
     /** Whether a given class is blacklisted. */
     private final Map<Class<?>, Boolean> cache = Collections.synchronizedMap(new WeakHashMap<>());
diff --git a/test/src/test/java/jenkins/security/ClassFilterImplTest.java b/test/src/test/java/jenkins/security/ClassFilterImplTest.java
index 89131e335f..029a5b85bf 100644
--- a/test/src/test/java/jenkins/security/ClassFilterImplTest.java
+++ b/test/src/test/java/jenkins/security/ClassFilterImplTest.java
@@ -36,6 +36,7 @@ import hudson.model.BuildListener;
 import hudson.model.FreeStyleProject;
 import hudson.model.Result;
 import hudson.model.Saveable;
+import hudson.remoting.ClassFilter;
 import hudson.tasks.BuildStepDescriptor;
 import hudson.tasks.Builder;
 import java.io.IOException;
@@ -51,6 +52,7 @@ import static org.junit.Assume.*;
 import org.junit.ClassRule;
 import org.junit.Rule;
 import org.jvnet.hudson.test.BuildWatcher;
+import org.jvnet.hudson.test.Issue;
 import org.jvnet.hudson.test.JenkinsRule;
 import org.jvnet.hudson.test.LoggerRule;
 import org.jvnet.hudson.test.TestExtension;
@@ -149,6 +151,16 @@ public class ClassFilterImplTest {
         assertEquals(Collections.singleton(config), data.keySet());
         assertThat(data.values().iterator().next().extra, allOf(containsString("LinkedListMultimap"), containsString("https://jenkins.io/redirect/class-filter/")));
     }
+
+    @Test
+    @Issue("JENKINS-49543")
+    public void moduleClassesShouldBeWhitelisted() throws Exception {
+        ClassFilterImpl filter = new ClassFilterImpl();
+        filter.check("org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl");
+        filter.check("org.jenkinsci.modules.windows_slave_installer.WindowsSlaveInstaller");
+        filter.check("org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl");
+    }
+
     @TestExtension("xstreamRequiresWhitelist")
     public static class Config extends GlobalConfiguration {
         LinkedListMultimap<?, ?> obj;
-- 
GitLab