Merge branch 'stable-1.651' of github.com:jenkinsci/jenkins into stable-1.651

4443add4 · Kohsuke Kawaguchi · 39dae396 · 1290c72c · 4443add4 · 4443add4
11 changed file
--- a/core/src/main/java/hudson/PluginManager.java
+++ b/core/src/main/java/hudson/PluginManager.java
@@ -978,20 +978,24 @@ public abstract class PluginManager extends AbstractModelObject implements OnMas
    @Restricted(NoExternalUse.class)
    @RequirePOST public HttpResponse doCheckUpdatesServer() throws IOException {
        Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
-        for (UpdateSite site : Jenkins.getInstance().getUpdateCenter().getSites()) {
-            FormValidation v = site.updateDirectlyNow(DownloadService.signatureCheck);
-            if (v.kind != FormValidation.Kind.OK) {
-                // TODO crude but enough for now
-                return v;
+        try {
+            for (UpdateSite site : Jenkins.getInstance().getUpdateCenter().getSites()) {
+                FormValidation v = site.updateDirectlyNow(DownloadService.signatureCheck);
+                if (v.kind != FormValidation.Kind.OK) {
+                    // TODO crude but enough for now
+                    return v;
+                }
            }
-        }
-        for (DownloadService.Downloadable d : DownloadService.Downloadable.all()) {
-            FormValidation v = d.updateNow();
-            if (v.kind != FormValidation.Kind.OK) {
-                return v;
+            for (DownloadService.Downloadable d : DownloadService.Downloadable.all()) {
+                FormValidation v = d.updateNow();
+                if (v.kind != FormValidation.Kind.OK) {
+                    return v;
+                }
            }
+            return HttpResponses.forwardToPreviousPage();
+        } catch(RuntimeException ex) {
+            throw new IOException("Unhandled exception during updates server check", ex);
        }
-        return HttpResponses.forwardToPreviousPage();
    }

    protected String identifyPluginShortName(File t) {

--- a/core/src/main/java/hudson/PluginWrapper.java
+++ b/core/src/main/java/hudson/PluginWrapper.java
@@ -451,6 +451,10 @@ public class PluginWrapper implements Comparable<PluginWrapper>, ModelObject {
     * Enables this plugin next time Jenkins runs.
     */
    public void enable() throws IOException {
+        if (!disableFile.exists()) {
+            LOGGER.log(Level.FINEST, "Plugin {0} has been already enabled. Skipping the enable() operation", getShortName());
+            return;
+        }
        if(!disableFile.delete())
            throw new IOException("Failed to delete "+disableFile);
    }
@@ -527,8 +531,10 @@ public class PluginWrapper implements Comparable<PluginWrapper>, ModelObject {
        List<String> missingDependencies = new ArrayList<String>();
        // make sure dependencies exist
        for (Dependency d : dependencies) {
-            if (parent.getPlugin(d.shortName) == null)
+            PluginWrapper dependency = parent.getPlugin(d.shortName);
+            if (dependency == null || !dependency.isActive()) {
                missingDependencies.add(d.toString());
+            }
        }
        if (!missingDependencies.isEmpty())
            throw new IOException("Dependency "+Util.join(missingDependencies, ", ")+" doesn't exist");

--- a/core/src/main/java/hudson/model/CauseAction.java
+++ b/core/src/main/java/hudson/model/CauseAction.java
@@ -187,7 +187,7 @@ public class CauseAction implements FoldableAction, RunAction2 {
                    ca.causeBag = new LinkedHashMap<>();
                }
                ca.addCauses(ca.causes);
-                OldDataMonitor.report(context, "1.653");
+                OldDataMonitor.report(context, " 1.651.2");
                ca.causes = null;
            }
        }

--- a/core/src/main/java/hudson/model/ParametersAction.java
+++ b/core/src/main/java/hudson/model/ParametersAction.java
@@ -46,6 +46,7 @@ import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Set;
+import java.util.TreeSet;
 import java.util.logging.Level;
 import java.util.logging.Logger;

@@ -73,7 +74,7 @@ public class ParametersAction implements RunAction2, Iterable<ParameterValue>, Q
    public static final String SAFE_PARAMETERS_SYSTEM_PROPERTY_NAME = ParametersAction.class.getName() +
            ".safeParameters";

-    private transient List<String> safeParameters;
+    private Set<String> safeParameters;

    private final List<ParameterValue> parameters;

@@ -89,6 +90,29 @@ public class ParametersAction implements RunAction2, Iterable<ParameterValue>, Q

    public ParametersAction(List<ParameterValue> parameters) {
        this.parameters = parameters;
+        String paramNames = System.getProperty(SAFE_PARAMETERS_SYSTEM_PROPERTY_NAME);
+        safeParameters = new TreeSet<>();
+        if (paramNames != null) {
+            safeParameters.addAll(Arrays.asList(paramNames.split(",")));
+        }
+    }
+
+    /**
+     * Constructs a new action with additional safe parameters.
+     * The additional safe parameters should be only those considered safe to override the environment
+     * and what is declared in the project config in addition to those specified by the user in
+     * {@link #SAFE_PARAMETERS_SYSTEM_PROPERTY_NAME}.
+     * See <a href="https://issues.jenkins-ci.org/browse/SECURITY-170">SECURITY-170</a>
+     *
+     * @param parameters the parameters
+     * @param additionalSafeParameters additional safe parameters
+     * @since TODO
+     */
+    public ParametersAction(List<ParameterValue> parameters, Collection<String> additionalSafeParameters) {
+        this(parameters);
+        if (additionalSafeParameters != null) {
+            safeParameters.addAll(additionalSafeParameters);
+        }
    }
    
    public ParametersAction(ParameterValue... parameters) {
@@ -202,7 +226,9 @@ public class ParametersAction implements RunAction2, Iterable<ParameterValue>, Q
    @Nonnull
    public ParametersAction createUpdated(Collection<? extends ParameterValue> overrides) {
        if(overrides == null) {
-            return new ParametersAction(parameters);
+            ParametersAction parametersAction = new ParametersAction(parameters);
+            parametersAction.safeParameters = this.safeParameters;
+            return parametersAction;
        }
        List<ParameterValue> combinedParameters = newArrayList(overrides);
        Set<String> names = newHashSet();
@@ -219,7 +245,7 @@ public class ParametersAction implements RunAction2, Iterable<ParameterValue>, Q
            }
        }

-        return new ParametersAction(combinedParameters);
+        return new ParametersAction(combinedParameters, this.safeParameters);
    }

    /*
@@ -230,14 +256,27 @@ public class ParametersAction implements RunAction2, Iterable<ParameterValue>, Q
    @Nonnull
    public ParametersAction merge(@CheckForNull ParametersAction overrides) {
        if (overrides == null) {
-            return new ParametersAction(parameters);
+            ParametersAction parametersAction = new ParametersAction(parameters, this.safeParameters);
+            return parametersAction;
        }
-        return createUpdated(overrides.parameters);
+        ParametersAction parametersAction = createUpdated(overrides.parameters);
+        Set<String> safe = new TreeSet<>();
+        if (parametersAction.safeParameters != null && this.safeParameters != null) {
+            safe.addAll(this.safeParameters);
+        }
+        if (overrides.safeParameters != null) {
+            safe.addAll(overrides.safeParameters);
+        }
+        parametersAction.safeParameters = safe;
+        return parametersAction;
    }

    private Object readResolve() {
        if (build != null)
            OldDataMonitor.report(build, "1.283");
+        if (safeParameters == null) {
+            safeParameters = Collections.emptySet();
+        }
        return this;
    }

@@ -301,14 +340,6 @@ public class ParametersAction implements RunAction2, Iterable<ParameterValue>, Q
    }

    private boolean isSafeParameter(String name) {
-        if (safeParameters == null) {
-            String paramNames = System.getProperty(SAFE_PARAMETERS_SYSTEM_PROPERTY_NAME);
-            if (paramNames != null) {
-                safeParameters = Arrays.asList(paramNames.split(","));
-            } else {
-                safeParameters = Collections.emptyList();
-            }
-        }
        return safeParameters.contains(name);
    }


--- a/core/src/main/java/hudson/model/Run.java
+++ b/core/src/main/java/hudson/model/Run.java
@@ -2394,7 +2394,7 @@ public abstract class Run <JobT extends Job<JobT,RunT>,RunT extends Run<JobT,Run
        public String getEntryID(Run entry) {
            return "tag:" + "hudson.dev.java.net,"
                + entry.getTimestamp().get(Calendar.YEAR) + ":"
-                + entry.getParent().getName()+':'+entry.getId();
+                + entry.getParent().getFullName()+':'+entry.getId();
        }

        public String getEntryDescription(Run entry) {

--- a/core/src/main/java/jenkins/util/JSONSignatureValidator.java
+++ b/core/src/main/java/jenkins/util/JSONSignatureValidator.java
@@ -82,7 +82,11 @@ public class JSONSignatureValidator {

            // this is for computing a signature
            Signature sig = Signature.getInstance("SHA1withRSA");
-            sig.initVerify(certs.get(0));
+            if (certs.isEmpty()) {
+                return FormValidation.error("No certificate found in %s. Cannot verify the signature", name);
+            } else {    
+                sig.initVerify(certs.get(0));
+            }
            SignatureOutputStream sos = new SignatureOutputStream(sig);

            // until JENKINS-11110 fix, UC used to serve invalid digest (and therefore unverifiable signature)

--- a/core/src/main/resources/hudson/PluginManager/_table.js
+++ b/core/src/main/resources/hudson/PluginManager/_table.js
@@ -173,6 +173,12 @@ Behaviour.specify("#filter-box", '_table', 0, function(e) {
        
        function setEnableWidgetStates() {
            for (var i = 0; i < pluginTRs.length; i++) {
+                var pluginMetadata = pluginTRs[i].jenkinsPluginMetadata;
+                if (pluginTRs[i].hasClassName('has-dependants-but-disabled')) {
+                    if (pluginMetadata.enableInput.checked) {
+                        pluginTRs[i].removeClassName('has-dependants-but-disabled');
+                        }
+                }
                markAllDependantsDisabled(pluginTRs[i]);
                markHasDisabledDependencies(pluginTRs[i]);
            }

--- a/core/src/main/resources/hudson/PluginManager/installed.jelly
+++ b/core/src/main/resources/hudson/PluginManager/installed.jelly
@@ -68,7 +68,7 @@ THE SOFTWARE.
                <th width="1">${%Uninstall}</th>
              </tr>
              <j:forEach var="p" items="${app.pluginManager.plugins}">
-                <tr class="plugin ${p.hasDependants()?'has-dependants':''} ${p.isDeleted()?'deleted':''}" data-plugin-id="${p.shortName}" data-plugin-name="${p.displayName}">
+                <tr class="plugin ${p.hasDependants()?'has-dependants':''} ${(p.hasDependants() &amp;&amp; !p.enabled)?'has-dependants-but-disabled':''} ${p.isDeleted()?'deleted':''}" data-plugin-id="${p.shortName}" data-plugin-name="${p.displayName}">
                  <j:set var="state" value="${p.enabled?'true':null}"/>
                  <td class="center pane enable" data="${state}">
                    <input type="checkbox" checked="${state}" onclick="flip(event)"

--- a/pom.xml
+++ b/pom.xml
@@ -158,7 +158,7 @@ THE SOFTWARE.
        <artifactId>mockito-core</artifactId>
        <version>1.10.19</version>
      </dependency>
-      
+
      <dependency>
        <groupId>org.powermock</groupId>
        <artifactId>powermock-module-junit4</artifactId>
@@ -179,7 +179,7 @@ THE SOFTWARE.
      <dependency>
        <groupId>org.jenkins-ci.main</groupId>
        <artifactId>remoting</artifactId>
-        <version>2.57</version>
+        <version>2.59</version>
      </dependency>

      <dependency>
@@ -630,7 +630,7 @@ THE SOFTWARE.
        <configuration>
          <source>1.${java.level}</source>
          <target>1.${java.level}</target>
-          <!-- default reuseCreated is more performant 
+          <!-- default reuseCreated is more performant
          feel free to uncomment if you have any issues on your platform
          <compilerReuseStrategy>alwaysNew</compilerReuseStrategy>
          -->

--- a/test/src/test/java/hudson/model/ParametersActionTest2.java
+++ b/test/src/test/java/hudson/model/ParametersActionTest2.java
@@ -10,6 +10,7 @@ import org.jvnet.hudson.test.recipes.LocalData;

 import java.io.IOException;
 import java.util.Arrays;
+import java.util.Collection;

 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
@@ -149,6 +150,100 @@ public class ParametersActionTest2 {
        }
    }

+    @Test
+    @Issue("SECURITY-170")
+    public void whitelistedParameterByOverride() throws Exception {
+        FreeStyleProject p = j.createFreeStyleProject();
+        String name = p.getFullName();
+        p.addProperty(new ParametersDefinitionProperty(Arrays.<ParameterDefinition>asList(
+                new StringParameterDefinition("foo", "foo"),
+                new StringParameterDefinition("bar", "bar"))));
+
+        try {
+            ParametersAction action = new ParametersAction(
+                    Arrays.<ParameterValue>asList(
+                        new StringParameterValue("foo", "baz"),
+                        new StringParameterValue("bar", "bar"),
+                        new StringParameterValue("whitelisted1", "x"),
+                        new StringParameterValue("whitelisted2", "y"),
+                        new StringParameterValue("whitelisted3", "y")
+                                                 ),
+                    Arrays.asList("whitelisted1", "whitelisted2"));
+            FreeStyleBuild build = j.assertBuildStatusSuccess(p.scheduleBuild2(0, new Cause.UserIdCause(), action));
+
+            assertTrue("whitelisted1 parameter is listed in getParameters",
+                       hasParameterWithName(build.getAction(ParametersAction.class), "whitelisted1"));
+            assertTrue("whitelisted2 parameter is listed in getParameters",
+                       hasParameterWithName(build.getAction(ParametersAction.class), "whitelisted2"));
+            assertFalse("whitelisted3 parameter is listed in getParameters",
+                       hasParameterWithName(build.getAction(ParametersAction.class), "whitelisted3"));
+            p = null;
+            build = null;
+            j.jenkins.reload();
+            //Test again after reload
+            p = j.jenkins.getItemByFullName(name, FreeStyleProject.class);
+            build = p.getLastBuild();
+            assertTrue("whitelisted1 parameter is listed in getParameters",
+                       hasParameterWithName(build.getAction(ParametersAction.class), "whitelisted1"));
+            assertTrue("whitelisted2 parameter is listed in getParameters",
+                       hasParameterWithName(build.getAction(ParametersAction.class), "whitelisted2"));
+            assertFalse("whitelisted3 parameter is listed in getParameters",
+                       hasParameterWithName(build.getAction(ParametersAction.class), "whitelisted3"));
+        } finally {
+            System.clearProperty(ParametersAction.SAFE_PARAMETERS_SYSTEM_PROPERTY_NAME);
+        }
+    }
+
+    @Test
+    @Issue("SECURITY-170")
+    public void whitelistedParameterSameAfterChange() throws Exception {
+        FreeStyleProject p = j.createFreeStyleProject();
+        String name = p.getFullName();
+        p.addProperty(new ParametersDefinitionProperty(Arrays.<ParameterDefinition>asList(
+                new StringParameterDefinition("foo", "foo"),
+                new StringParameterDefinition("bar", "bar"))));
+
+        try {
+            System.setProperty(ParametersAction.SAFE_PARAMETERS_SYSTEM_PROPERTY_NAME, "whitelisted1,whitelisted2");
+            FreeStyleBuild build = j.assertBuildStatusSuccess(p.scheduleBuild2(0, new Cause.UserIdCause(), new ParametersAction(
+                    new StringParameterValue("foo", "baz"),
+                    new StringParameterValue("bar", "bar"),
+                    new StringParameterValue("whitelisted1", "x"),
+                    new StringParameterValue("whitelisted2", "y"),
+                    new StringParameterValue("whitelisted3", "z"),
+                    new StringParameterValue("whitelisted4", "w")
+            )));
+            assertTrue("whitelisted1 parameter is listed in getParameters",
+                       hasParameterWithName(build.getAction(ParametersAction.class), "whitelisted1"));
+            assertTrue("whitelisted2 parameter is listed in getParameters",
+                       hasParameterWithName(build.getAction(ParametersAction.class), "whitelisted2"));
+            assertFalse("whitelisted3 parameter is listed in getParameters",
+                       hasParameterWithName(build.getAction(ParametersAction.class), "whitelisted3"));
+            assertFalse("whitelisted4 parameter is listed in getParameters",
+                       hasParameterWithName(build.getAction(ParametersAction.class), "whitelisted4"));
+
+            System.setProperty(ParametersAction.SAFE_PARAMETERS_SYSTEM_PROPERTY_NAME, "whitelisted3,whitelisted4");
+            p = null;
+            build = null;
+            j.jenkins.reload();
+            p = j.jenkins.getItemByFullName(name, FreeStyleProject.class);
+            build = p.getLastBuild();
+            assertTrue("whitelisted1 parameter is listed in getParameters",
+                       hasParameterWithName(build.getAction(ParametersAction.class), "whitelisted1"));
+            assertTrue("whitelisted2 parameter is listed in getParameters",
+                       hasParameterWithName(build.getAction(ParametersAction.class), "whitelisted2"));
+            assertFalse("whitelisted3 parameter is listed in getParameters",
+                        hasParameterWithName(build.getAction(ParametersAction.class), "whitelisted3"));
+            assertFalse("whitelisted4 parameter is listed in getParameters",
+                        hasParameterWithName(build.getAction(ParametersAction.class), "whitelisted4"));
+
+        } finally {
+            System.clearProperty(ParametersAction.SAFE_PARAMETERS_SYSTEM_PROPERTY_NAME);
+        }
+    }
+
+
+
    @Test
    @Issue("SECURITY-170")
    public void nonParameterizedJob() throws Exception {
@@ -194,6 +289,7 @@ public class ParametersActionTest2 {
        return false;
    }

+
    public static class ParametersCheckBuilder extends Builder {

        private final boolean expectLegacyBehavior;

--- a/war/src/main/webapp/css/style.css
+++ b/war/src/main/webapp/css/style.css
@@ -1349,6 +1349,12 @@ TABLE.fingerprint-in-build TD {
  opacity: 0.2;
 }

+#plugins tr.has-dependants-but-disabled .enable input {
+  pointer-events: auto;
+  opacity: 1.0;
+  visibility: visible;
+}
+
 #plugins tr.has-disabled-dependency .enable input {
  opacity: 0.4;
 }