Project: xxadev / jenkins
Commit 054a329c
Authored Nov 04, 2015
Author: Jesse Glick
[SECURITY-206] Need to call ChannelConfigurator on JNLP slave channels.
Parent: 574a0e7a
Showing 2 changed files with 31 additions and 0 deletions
core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol.java (+5 -0)
test/src/test/java/hudson/bugs/JnlpAccessWithSecuredHudsonTest.java (+26 -0)
core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol.java
...
@@ -9,6 +9,7 @@ import hudson.remoting.Engine;
...
@@ -9,6 +9,7 @@ import hudson.remoting.Engine;
import
hudson.slaves.SlaveComputer
;
import
hudson.slaves.SlaveComputer
;
import
jenkins.AgentProtocol
;
import
jenkins.AgentProtocol
;
import
jenkins.model.Jenkins
;
import
jenkins.model.Jenkins
;
import
jenkins.security.ChannelConfigurator
;
import
jenkins.security.HMACConfidentialKey
;
import
jenkins.security.HMACConfidentialKey
;
import
org.jenkinsci.remoting.nio.NioChannelHub
;
import
org.jenkinsci.remoting.nio.NioChannelHub
;
...
@@ -117,6 +118,10 @@ public class JnlpSlaveAgentProtocol extends AgentProtocol {
...
@@ -117,6 +118,10 @@ public class JnlpSlaveAgentProtocol extends AgentProtocol {
try
{
try
{
ChannelBuilder
cb
=
createChannelBuilder
(
nodeName
);
ChannelBuilder
cb
=
createChannelBuilder
(
nodeName
);
for
(
ChannelConfigurator
cc
:
ChannelConfigurator
.
all
())
{
cc
.
onChannelBuilding
(
cb
,
computer
);
}
computer
.
setChannel
(
cb
.
withHeaderStream
(
log
).
build
(
socket
),
log
,
computer
.
setChannel
(
cb
.
withHeaderStream
(
log
).
build
(
socket
),
log
,
new
Listener
()
{
new
Listener
()
{
@Override
@Override
...
...
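Review bot: The new loop over ChannelConfigurator.all() in JnlpSlaveAgentProtocol carries no comment saying why it has to run before cb.withHeaderStream(log).build(socket), and nothing in the visible code stops another call site that builds its own channel from omitting it again. Add a one-line comment referencing SECURITY-206 above the loop, and consider moving the loop into a shared helper that takes the ChannelBuilder and the computer, so that every path ending in build(socket) goes through it.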
test/src/test/java/hudson/bugs/JnlpAccessWithSecuredHudsonTest.java
...
@@ -26,13 +26,17 @@ package hudson.bugs;
...
@@ -26,13 +26,17 @@ package hudson.bugs;
import
com.gargoylesoftware.htmlunit.Page
;
import
com.gargoylesoftware.htmlunit.Page
;
import
com.gargoylesoftware.htmlunit.html.HtmlPage
;
import
com.gargoylesoftware.htmlunit.html.HtmlPage
;
import
com.gargoylesoftware.htmlunit.xml.XmlPage
;
import
com.gargoylesoftware.htmlunit.xml.XmlPage
;
import
hudson.cli.util.ScriptLoader
;
import
hudson.model.Node.Mode
;
import
hudson.model.Node.Mode
;
import
hudson.model.Slave
;
import
hudson.model.Slave
;
import
hudson.remoting.Channel
;
import
hudson.remoting.Launcher
;
import
hudson.remoting.Launcher
;
import
hudson.remoting.Which
;
import
hudson.remoting.Which
;
import
hudson.slaves.JNLPLauncher
;
import
hudson.slaves.JNLPLauncher
;
import
hudson.slaves.RetentionStrategy
;
import
hudson.slaves.RetentionStrategy
;
import
hudson.slaves.DumbSlave
;
import
hudson.slaves.DumbSlave
;
import
jenkins.security.MasterToSlaveCallable
;
import
jenkins.security.s2m.AdminWhitelistRule
;
import
org.dom4j.Document
;
import
org.dom4j.Document
;
import
org.dom4j.Element
;
import
org.dom4j.Element
;
import
org.dom4j.io.DOMReader
;
import
org.dom4j.io.DOMReader
;
...
@@ -41,6 +45,7 @@ import org.jvnet.hudson.test.HudsonTestCase;
...
@@ -41,6 +45,7 @@ import org.jvnet.hudson.test.HudsonTestCase;
import
org.jvnet.hudson.test.recipes.PresetData
;
import
org.jvnet.hudson.test.recipes.PresetData
;
import
org.jvnet.hudson.test.recipes.PresetData.DataSet
;
import
org.jvnet.hudson.test.recipes.PresetData.DataSet
;
import
java.io.File
;
import
java.net.HttpURLConnection
;
import
java.net.HttpURLConnection
;
import
java.net.URL
;
import
java.net.URL
;
import
java.util.Collections
;
import
java.util.Collections
;
...
@@ -112,6 +117,16 @@ public class JnlpAccessWithSecuredHudsonTest extends HudsonTestCase {
...
@@ -112,6 +117,16 @@ public class JnlpAccessWithSecuredHudsonTest extends HudsonTestCase {
for
(
int
i
=
0
;
i
<
/* one minute */
600
;
i
++)
{
for
(
int
i
=
0
;
i
<
/* one minute */
600
;
i
++)
{
if
(
slave
.
getComputer
().
isOnline
())
{
if
(
slave
.
getComputer
().
isOnline
())
{
System
.
err
.
println
(
"JNLP slave successfully connected"
);
System
.
err
.
println
(
"JNLP slave successfully connected"
);
Channel
channel
=
slave
.
getComputer
().
getChannel
();
assertFalse
(
"SECURITY-206"
,
channel
.
isRemoteClassLoadingAllowed
());
jenkins
.
getExtensionList
(
AdminWhitelistRule
.
class
).
get
(
AdminWhitelistRule
.
class
).
setMasterKillSwitch
(
false
);
final
File
f
=
new
File
(
jenkins
.
getRootDir
(),
"secrets/master.key"
);
// DefaultConfidentialStore
assertTrue
(
f
.
exists
());
try
{
fail
(
"SECURITY-206: "
+
channel
.
call
(
new
Attack
(
f
.
getAbsolutePath
())));
}
catch
(
SecurityException
x
)
{
System
.
out
.
println
(
"expected: "
+
x
);
}
return
;
return
;
}
}
Thread
.
sleep
(
100
);
Thread
.
sleep
(
100
);
...
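Review bot: The catch (SecurityException x) around channel.call(new Attack(f.getAbsolutePath())) accepts any SecurityException, so the test also passes if the call is rejected for a reason unrelated to the check it is meant to cover. Assert on something in x that identifies the rejected callable before returning. Two smaller points in the same block: the "expected: " message goes to System.out while the line above it uses System.err, and if the call ever succeeds the fail(...) message will contain whatever the call returned for secrets/master.key, so fail with a fixed message instead of concatenating the result.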
@@ -122,4 +137,15 @@ public class JnlpAccessWithSecuredHudsonTest extends HudsonTestCase {
...
@@ -122,4 +137,15 @@ public class JnlpAccessWithSecuredHudsonTest extends HudsonTestCase {
}
}
}
}
private
static
class
Attack
extends
MasterToSlaveCallable
<
String
,
Exception
>
{
private
final
String
path
;
Attack
(
String
path
)
{
this
.
path
=
path
;
}
@Override
public
String
call
()
throws
Exception
{
return
Channel
.
current
().
call
(
new
ScriptLoader
(
path
));
}
}
}
}
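Review bot: The Attack class has no comment explaining the round trip it performs: it is a MasterToSlaveCallable whose call() uses Channel.current().call(new ScriptLoader(path)) to send a second callable back over the same channel. Add a short Javadoc stating which side each of the two calls is expected to run on and that path is the absolute path of secrets/master.key under jenkins.getRootDir(), since the class name alone does not say what is being exercised.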