xxadev / jenkins
Commit 18cc8e0e
Authored Feb 03, 2016 by Daniel Beck
[FIX SECURITY-247] Prevent loading of MethodClosure from XML
Parent 536c01bf
Showing 3 changed files with 88 additions and 0 deletions (+88 -0)
core/src/main/java/hudson/util/XStream2.java (+18 -0)
test/src/test/java/hudson/util/XStream2Security247Test.java (+43 -0)
test/src/test/resources/hudson/util/XStream2Security247Test/config.xml (+27 -0)
core/src/main/java/hudson/util/XStream2.java
...
...
@@ -159,6 +159,8 @@ public class XStream2 extends XStream {
// but before reflection-based one kicks in.
registerConverter
(
new
AssociatedConverterImpl
(
this
),
-
10
);
registerConverter
(
new
BlacklistedTypesConverter
(),
PRIORITY_VERY_HIGH
);
// SECURITY-247 defense
registerConverter
(
new
DynamicProxyConverter
(
getMapper
())
{
// SECURITY-105 defense
@Override
public
boolean
canConvert
(
Class
type
)
{
return
/* this precedes NullConverter */
type
!=
null
&&
super
.
canConvert
(
type
);
...
...
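Review bot: the `// SECURITY-247 defense` comment beside `registerConverter(new BlacklistedTypesConverter(), PRIORITY_VERY_HIGH)` should state what is blocked and why the priority matters: the converter has to outrank the reflection-based converter referred to in the comment just above and the `DynamicProxyConverter` registered right after it, otherwise those would claim the type first. A comment such as `// SECURITY-247: refuse to (un)marshal MethodClosure; VERY_HIGH so this wins over reflection-based converters` would make that ordering dependency explicit for whoever edits this registration block next.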
@@ -434,4 +436,20 @@ public class XStream2 extends XStream {
}
private
static
class
BlacklistedTypesConverter
implements
Converter
{
@Override
public
void
marshal
(
Object
source
,
HierarchicalStreamWriter
writer
,
MarshallingContext
context
)
{
throw
new
UnsupportedOperationException
(
"Cannot marshal MethodClosure"
);
}
@Override
public
Object
unmarshal
(
HierarchicalStreamReader
reader
,
UnmarshallingContext
context
)
{
throw
new
ConversionException
(
"Cannot load MethodClosure for security reasons"
);
}
@Override
public
boolean
canConvert
(
Class
type
)
{
return
type
!=
null
&&
"org.codehaus.groovy.runtime.MethodClosure"
.
equals
(
type
.
getName
());
}
}
}
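Review bot: `canConvert` in `BlacklistedTypesConverter` compares the literal `"org.codehaus.groovy.runtime.MethodClosure"` against `type.getName()`, so the check is exact-name only and deliberately avoids a compile-time dependency on Groovy in core; that trade-off is not written down anywhere in the class. Add a short comment saying the match is intentionally name-based and exact, so a later reader does not assume it covers related types or "fix" it into a classpath-dependent `isAssignableFrom` check without weighing the dependency question. The `marshal` and `unmarshal` messages also differ ("Cannot marshal MethodClosure" vs "Cannot load MethodClosure for security reasons"); naming SECURITY-247 in both would make log lines easier to trace back to this change.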
test/src/test/java/hudson/util/XStream2Security247Test.java
0 → 100644
package
hudson.util
;
import
hudson.Functions
;
import
hudson.model.Items
;
import
org.apache.commons.io.FileUtils
;
import
org.junit.Rule
;
import
org.junit.Test
;
import
org.jvnet.hudson.test.Issue
;
import
org.jvnet.hudson.test.JenkinsRule
;
import
java.io.File
;
import
static
org
.
junit
.
Assert
.
assertFalse
;
public
class
XStream2Security247Test
{
@Rule
public
JenkinsRule
j
=
new
JenkinsRule
();
@Test
@Issue
(
"SECURITY-247"
)
public
void
dontUnmarshalMethodClosure
()
throws
Exception
{
if
(
Functions
.
isWindows
())
return
;
File
exploitFile
=
new
File
(
"/tmp/jenkins-security247test"
);
try
{
// be extra sure there's no file already
if
(
exploitFile
.
exists
()
&&
!
exploitFile
.
delete
())
{
throw
new
IllegalStateException
(
"file exists and cannot be deleted"
);
}
File
tempJobDir
=
new
File
(
j
.
jenkins
.
getRootDir
(),
"security247"
);
FileUtils
.
copyInputStreamToFile
(
XStream2Security247Test
.
class
.
getResourceAsStream
(
"/hudson/util/XStream2Security247Test/config.xml"
),
new
File
(
tempJobDir
,
"config.xml"
));
try
{
Items
.
load
(
j
.
jenkins
,
tempJobDir
);
}
catch
(
Exception
e
)
{
// ignore
}
assertFalse
(
"no file should be created here"
,
exploitFile
.
exists
());
}
finally
{
exploitFile
.
delete
();
}
}
}
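Review bot: the Windows skip in `dontUnmarshalMethodClosure` is a bare `if (Functions.isWindows()) return;`, which reports the test as passed on Windows even though nothing was exercised; `Assume.assumeFalse(Functions.isWindows())` from `org.junit.Assume` would mark it as skipped instead. The fixture path `/tmp/jenkins-security247test` is duplicated between this test and the `config.xml` resource with no comment tying the two together, so a comment here noting that they must stay in sync would stop a future edit from silently turning the `assertFalse` into a no-op. Lastly, `catch (Exception e) { // ignore }` records nothing about why `Items.load` failed; logging or asserting on the caught exception would show that the rejection came from `BlacklistedTypesConverter` rather than from an unrelated load error.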
test/src/test/resources/hudson/util/XStream2Security247Test/config.xml
0 → 100644
<map>
<entry>
<groovy.util.Expando>
<expandoProperties>
<entry>
<string>
hashCode
</string>
<org.codehaus.groovy.runtime.MethodClosure>
<delegate
class=
"groovy.util.Expando"
reference=
"../../../.."
/>
<owner
class=
"java.lang.ProcessBuilder"
>
<command>
<string>
touch
</string>
<string>
/tmp/jenkins-security247test
</string>
</command>
<redirectErrorStream>
false
</redirectErrorStream>
</owner>
<resolveStrategy>
0
</resolveStrategy>
<directive>
0
</directive>
<parameterTypes/>
<maximumNumberOfParameters>
0
</maximumNumberOfParameters>
<method>
start
</method>
</org.codehaus.groovy.runtime.MethodClosure>
</entry>
</expandoProperties>
</groovy.util.Expando>
<int>
1
</int>
</entry>
</map>
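Review bot: this resource is the regression fixture for SECURITY-247 but carries no explanation of its purpose. A leading `<!-- ... -->` comment stating that the file is intentionally crafted to exercise `BlacklistedTypesConverter`, and that the `/tmp/jenkins-security247test` path must match the one hardcoded in `XStream2Security247Test`, would keep a future cleanup from "tidying" the `ProcessBuilder` entry or moving the path and quietly defanging the test.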