Project: LinuxSuRen / jenkins
Commit fe9091fc
Authored Jan 11, 2021 by Jeff Thompson
Committed Jan 11, 2021 by Jenkins CERT CI

[SECURITY-2047]

Parent: a890d686

Showing 3 changed files with 115 additions and 14 deletions (+115 -14)
    core/src/main/java/jenkins/model/Jenkins.java (+23 -14)
    test/src/test/java/jenkins/model/JenkinsSEC2047Test.java (+83 -0)
    test/src/test/resources/jenkins/model/JenkinsSEC2047Test/ProtectedRootAction/index.jelly (+9 -0)
core/src/main/java/jenkins/model/Jenkins.java
@@ -4851,7 +4851,7 @@ public class Jenkins extends AbstractCIBase implements DirectlyModifiableTopLeve
*/
public
boolean
isSubjectToMandatoryReadPermissionCheck
(
String
restOfPath
)
{
for
(
String
name
:
ALWAYS_READABLE_PATHS
)
{
if
(
restOfPath
.
startsWith
(
name
))
{
if
(
restOfPath
.
startsWith
(
"/"
+
name
+
"/"
)
||
restOfPath
.
equals
(
"/"
+
name
))
{
return
false
;
}
}
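Review bot: the narrowed condition in this hunk, `restOfPath.startsWith("/" + name + "/") || restOfPath.equals("/" + name)`, replaces the bare `restOfPath.startsWith(name)` prefix test, which also accepted any path that merely began with an entry, such as `/login123`; the accompanying `testLogin123` covers exactly that case. Two assumptions are worth stating in the Javadoc above `isSubjectToMandatoryReadPermissionCheck`: that entries in `ALWAYS_READABLE_PATHS` are now bare segment names with no leading or trailing slash, and that `restOfPath` arrives already normalized and starting with `/`, since the comparison is a plain string match with no canonicalization of its own.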
@@ -5393,19 +5393,28 @@ public class Jenkins extends AbstractCIBase implements DirectlyModifiableTopLeve
*
* <p>See also:{@link #getUnprotectedRootActions}.
*/
private
static
final
ImmutableSet
<
String
>
ALWAYS_READABLE_PATHS
=
ImmutableSet
.
of
(
"/login"
,
"/logout"
,
"/accessDenied"
,
"/adjuncts/"
,
"/error"
,
"/oops"
,
"/signup"
,
"/tcpSlaveAgentListener"
,
"/federatedLoginService/"
,
"/securityRealm"
,
"/instance-identity"
);
private
static
final
Set
<
String
>
ALWAYS_READABLE_PATHS
=
new
HashSet
<>(
ImmutableSet
.
of
(
"login"
,
"loginError"
,
"logout"
,
"accessDenied"
,
"adjuncts"
,
"error"
,
"oops"
,
"signup"
,
"tcpSlaveAgentListener"
,
"federatedLoginService"
,
"securityRealm"
,
"instance-identity"
));
static
{
final
String
paths
=
SystemProperties
.
getString
(
Jenkins
.
class
.
getName
()
+
".additionalReadablePaths"
);
if
(
paths
!=
null
)
{
LOGGER
.
log
(
INFO
,
"SECURITY-2047 override: Adding the following paths to ALWAYS_READABLE_PATHS: "
+
paths
);
ALWAYS_READABLE_PATHS
.
addAll
(
Arrays
.
stream
(
paths
.
split
(
","
)).
map
(
String:
:
trim
).
collect
(
Collectors
.
toSet
()));
}
}
/**
* {@link Authentication} object that represents the anonymous user.
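Review bot: the static block that parses `jenkins.model.Jenkins.additionalReadablePaths` only applies `String::trim` to each comma-separated entry, so a value such as `"a,,b"` or one with a leading comma adds the empty string to `ALWAYS_READABLE_PATHS`; with the `equals("/" + name)` branch in `isSubjectToMandatoryReadPermissionCheck`, an empty entry matches `restOfPath.equals("/")` and exempts that path from the read check. Filter blank entries (`.filter(s -> !s.isEmpty())`) before `collect`, and consider stripping or rejecting a leading `/` so that values written in the old `/login` style do not silently fail to match. Two smaller points: `ALWAYS_READABLE_PATHS` has gone from an `ImmutableSet` to a `HashSet` that stays mutable after initialization, so building the full set first and assigning `Collections.unmodifiableSet(...)` would keep the previous guarantee; and the entries that used to carry a trailing slash (`/adjuncts/`, `/federatedLoginService/`) now also match the bare `/adjuncts` and `/federatedLoginService` paths through the `equals` branch, which, together with the newly added `loginError` entry, deserves a line in the Javadoc above the field since the commit message does not mention either.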
test/src/test/java/jenkins/model/JenkinsSEC2047Test.java
0 → 100644
package
jenkins.model
;
import
com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException
;
import
com.gargoylesoftware.htmlunit.html.HtmlPage
;
import
hudson.model.RootAction
;
import
org.junit.Rule
;
import
org.junit.Test
;
import
org.jvnet.hudson.test.Issue
;
import
org.jvnet.hudson.test.JenkinsRule
;
import
org.jvnet.hudson.test.JenkinsRule.WebClient
;
import
org.jvnet.hudson.test.MockAuthorizationStrategy
;
import
org.jvnet.hudson.test.TestExtension
;
import
static
org
.
hamcrest
.
MatcherAssert
.
assertThat
;
import
static
org
.
hamcrest
.
Matchers
.
containsString
;
import
static
org
.
hamcrest
.
Matchers
.
is
;
import
static
org
.
junit
.
Assert
.
fail
;
//TODO merge back to JenkinsTest (or put it somewhere else)
public
class
JenkinsSEC2047Test
{
@Rule
public
JenkinsRule
j
=
new
JenkinsRule
();
@Issue
(
"SECURITY-2047"
)
@Test
public
void
testLogin123
()
throws
Exception
{
j
.
jenkins
.
setSecurityRealm
(
j
.
createDummySecurityRealm
());
j
.
jenkins
.
setAuthorizationStrategy
(
new
MockAuthorizationStrategy
());
WebClient
wc
=
j
.
createWebClient
();
try
{
HtmlPage
login123
=
wc
.
goTo
(
"login123"
);
fail
(
"Page should be protected."
);
}
catch
(
FailingHttpStatusCodeException
e
)
{
assertThat
(
e
.
getStatusCode
(),
is
(
403
));
}
}
@Issue
(
"SECURITY-2047"
)
@Test
public
void
testLogin123WithRead
()
throws
Exception
{
j
.
jenkins
.
setSecurityRealm
(
j
.
createDummySecurityRealm
());
j
.
jenkins
.
setAuthorizationStrategy
(
new
MockAuthorizationStrategy
().
grant
(
Jenkins
.
READ
).
everywhere
().
to
(
"bob"
));
WebClient
wc
=
j
.
createWebClient
();
wc
.
login
(
"bob"
);
HtmlPage
login123
=
wc
.
goTo
(
"login123"
);
assertThat
(
login123
.
getWebResponse
().
getStatusCode
(),
is
(
200
));
assertThat
(
login123
.
getWebResponse
().
getContentAsString
(),
containsString
(
"This should be protected"
));
}
@Test
public
void
testLogin
()
throws
Exception
{
j
.
jenkins
.
setSecurityRealm
(
j
.
createDummySecurityRealm
());
j
.
jenkins
.
setAuthorizationStrategy
(
new
MockAuthorizationStrategy
().
grant
(
Jenkins
.
READ
).
everywhere
().
to
(
"bob"
));
WebClient
wc
=
j
.
createWebClient
();
HtmlPage
login
=
wc
.
goTo
(
"login"
);
assertThat
(
login
.
getWebResponse
().
getStatusCode
(),
is
(
200
));
assertThat
(
login
.
getWebResponse
().
getContentAsString
(),
containsString
(
"login"
));
}
@TestExtension
({
"testLogin123"
,
"testLogin123WithRead"
})
public
static
class
ProtectedRootAction
implements
RootAction
{
@Override
public
String
getIconFileName
()
{
return
"document.png"
;
}
@Override
public
String
getDisplayName
()
{
return
"I am PROTECTED"
;
}
@Override
public
String
getUrlName
()
{
return
"login123"
;
}
}
}
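Review bot: `testLogin` lacks the `@Issue("SECURITY-2047")` annotation its two siblings carry, and `testLogin123` assigns `wc.goTo("login123")` to an `HtmlPage login123` that is never used before `fail(...)`; both are cosmetic. More substantively, coverage stops at the prefix case: nothing verifies that a sub-resource under a listed entry (the `startsWith("/" + name + "/")` branch) is still anonymously readable after the stricter match, and nothing exercises the new `additionalReadablePaths` system property. That property is read in a static initializer of `Jenkins`, so it must be set before the class is first initialized and cannot simply be set inside a `@Test` method here; a dedicated test class would be needed, which is worth recording next to the `//TODO merge back to JenkinsTest` comment.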
test/src/test/resources/jenkins/model/JenkinsSEC2047Test/ProtectedRootAction/index.jelly
0 → 100644
<?jelly escape-by-default='true'?>
<j:jelly xmlns:j="jelly:core" xmlns:l="/lib/layout">
<l:layout title="Protected Action">
<l:main-panel>
<h1>Protected Root Action</h1>
<p>This should be protected</p>
</l:main-panel>
</l:layout>
</j:jelly>
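Review bot: `escape-by-default='true'` is set, which is the right default for a view that only emits static text. The `<p>This should be protected</p>` string is the exact marker that `testLogin123WithRead` asserts on with `containsString`; a short comment in the view noting that coupling would stop a later wording change from silently breaking the test.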