Commit 19e3f219
Authored on Aug 13, 2019 by Daniel Beck
Merge branch 'security-stable-2.176' into security-master
Parents: d5453e0a, 91fabe2a
Showing 3 changed files with 140 additions and 13 deletions (+140 -13)
core/src/main/java/hudson/model/UpdateCenter.java (+4, -4)
core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java (+1, -9)
test/src/test/java/hudson/security/csrf/DefaultCrumbIssuerSEC1491Test.java (+135, -0)
core/src/main/java/hudson/model/UpdateCenter.java
...
...
@@ -1515,7 +1515,7 @@ public class UpdateCenter extends AbstractModelObject implements Saveable, OnMas
if
(
e
.
getMessage
().
contains
(
"Connection timed out"
))
{
// Google can't be down, so this is probably a proxy issue
connectionStates
.
put
(
ConnectionStatus
.
INTERNET
,
ConnectionStatus
.
FAILED
);
statuses
.
add
(
Messages
.
UpdateCenter_Status_ConnectionFailed
(
connectionCheckUrl
));
statuses
.
add
(
Messages
.
UpdateCenter_Status_ConnectionFailed
(
Functions
.
xmlEscape
(
connectionCheckUrl
)
));
return
;
}
}
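Review bot: escaping `connectionCheckUrl` with `Functions.xmlEscape` before it is passed to `Messages.UpdateCenter_Status_ConnectionFailed(...)` is the right place to do it, because that string lands in `statuses`, which the page renders as markup; the unchanged guard just above, `e.getMessage().contains("Connection timed out")`, still dereferences `getMessage()` without a null check, so if that exception can carry a null message the proxy heuristic turns a connection failure into a `NullPointerException`, and a `e.getMessage() != null &&` prefix would close that. A one-line comment that every entry appended to `statuses` must already be HTML-safe would also help, since the escaping now happens at the call site rather than in the view.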
...
...
@@ -1537,12 +1537,12 @@ public class UpdateCenter extends AbstractModelObject implements Saveable, OnMas
statuses
.
add
(
Messages
.
UpdateCenter_Status_Success
());
}
catch
(
UnknownHostException
e
)
{
connectionStates
.
put
(
ConnectionStatus
.
UPDATE_SITE
,
ConnectionStatus
.
FAILED
);
statuses
.
add
(
Messages
.
UpdateCenter_Status_UnknownHostException
(
e
.
getMessage
(
)));
statuses
.
add
(
Messages
.
UpdateCenter_Status_UnknownHostException
(
Functions
.
xmlEscape
(
e
.
getMessage
()
)));
addStatus
(
e
);
error
=
e
;
}
catch
(
Exception
e
)
{
connectionStates
.
put
(
ConnectionStatus
.
UPDATE_SITE
,
ConnectionStatus
.
FAILED
);
statuses
.
add
(
Functions
.
printThrowable
(
e
)
);
addStatus
(
e
);
error
=
e
;
}
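Review bot: `Functions.xmlEscape(e.getMessage())` in the `UnknownHostException` branch now depends on the escape helper tolerating a null argument, whereas the replaced `Messages.UpdateCenter_Status_UnknownHostException(e.getMessage())` would simply have formatted the literal `null`; check `Functions.xmlEscape` for that, and if it is not null-safe guard it here (`e.getMessage() == null ? "" : e.getMessage()`). Replacing `statuses.add(Functions.printThrowable(e))` with `addStatus(e)` in the generic `catch (Exception e)` is the necessary companion change: within this hunk it was the last spot where an unescaped string reached `statuses`.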
...
...
@@ -1556,7 +1556,7 @@ public class UpdateCenter extends AbstractModelObject implements Saveable, OnMas
}
}
private
void
addStatus
(
UnknownHostException
e
)
{
private
void
addStatus
(
Throwable
e
)
{
statuses
.
add
(
"<pre>"
+
Functions
.
xmlEscape
(
Functions
.
printThrowable
(
e
))+
"</pre>"
);
}
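Review bot: widening `addStatus` from `UnknownHostException` to `Throwable` and applying `Functions.xmlEscape` to `Functions.printThrowable(e)` before wrapping it in `<pre>` puts the steps in the correct order (escape first, then add markup); because the escaping is now hidden inside a private helper while the enclosing method also calls `statuses.add(...)` directly, a short Javadoc on `addStatus` stating that `statuses` holds HTML fragments and that callers must never append a raw string would keep the two paths from drifting apart again.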
...
...
core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java
...
...
@@ -91,7 +91,7 @@ public class DefaultCrumbIssuer extends CrumbIssuer {
}
if
(!
EXCLUDE_SESSION_ID
)
{
buffer
.
append
(
';'
);
buffer
.
append
(
getSessionId
(
req
));
buffer
.
append
(
req
.
getSession
().
getId
(
));
}
md
.
update
(
buffer
.
toString
().
getBytes
());
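Review bot: `req.getSession().getId()` creates a session as a side effect whenever the request has none, which is precisely what the removed `getSessionId(req)` avoided with `getSession(false)`; that side effect is the fix, since the old helper substituted the constant `"NO_SESSION"` for every cookie-less request and all such requests therefore hashed to the same crumb, but it deserves a comment at this line. Reviewers should also confirm that an unauthenticated client fetching `/crumbIssuer/api/xml` now receives a session cookie and that a crumb presented without that cookie is rejected; the new `DefaultCrumbIssuerSEC1491Test` exercises both settings of `EXCLUDE_SESSION_ID` for exactly this.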
...
...
@@ -101,14 +101,6 @@ public class DefaultCrumbIssuer extends CrumbIssuer {
return
null
;
}
private
String
getSessionId
(
@Nonnull
HttpServletRequest
request
)
{
HttpSession
session
=
request
.
getSession
(
false
);
if
(
session
==
null
)
{
return
"NO_SESSION"
;
}
return
session
.
getId
();
}
/**
* {@inheritDoc}
*/
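Review bot: with `getSessionId` deleted, the `request.getSession(false)` call and the `HttpSession` local are gone from the visible part of this class, so check whether the `HttpSession` and `@Nonnull` imports are still referenced and remove them if not. The removed `return "NO_SESSION";` branch is the root cause being fixed and is worth a sentence in the class Javadoc or the changelog, because it explains why the issuer now forces a session into existence for anonymous requests instead of tolerating their absence.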
...
...
test/src/test/java/hudson/security/csrf/DefaultCrumbIssuerSEC1491Test.java
new file (mode 100644)
package
hudson.security.csrf
;
import
com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException
;
import
com.gargoylesoftware.htmlunit.HttpMethod
;
import
com.gargoylesoftware.htmlunit.WebRequest
;
import
com.gargoylesoftware.htmlunit.html.HtmlPage
;
import
jenkins.model.Jenkins
;
import
org.junit.Assert
;
import
org.junit.Before
;
import
org.junit.Rule
;
import
org.junit.Test
;
import
org.jvnet.hudson.test.Issue
;
import
org.jvnet.hudson.test.JenkinsRule
;
import
org.jvnet.hudson.test.MockAuthorizationStrategy
;
import
java.net.HttpURLConnection
;
import
java.net.URL
;
import
static
org
.
junit
.
Assert
.
assertEquals
;
import
static
org
.
junit
.
Assert
.
assertNotNull
;
import
static
org
.
junit
.
Assert
.
assertNull
;
import
static
org
.
junit
.
Assert
.
assertTrue
;
import
static
org
.
junit
.
Assert
.
fail
;
//TODO merge back to DefaultCrumbIssuerTest
public
class
DefaultCrumbIssuerSEC1491Test
{
@Rule
public
JenkinsRule
r
=
new
JenkinsRule
();
@Before
public
void
setIssuer
()
{
r
.
jenkins
.
setCrumbIssuer
(
new
DefaultCrumbIssuer
(
false
));
}
@Test
@Issue
(
"SECURITY-1491"
)
public
void
sessionIncludedEvenForAnonymousCall
()
throws
Exception
{
boolean
previousValue
=
DefaultCrumbIssuer
.
EXCLUDE_SESSION_ID
;
try
{
r
.
jenkins
.
setSecurityRealm
(
r
.
createDummySecurityRealm
());
// let anonymous user have read access
MockAuthorizationStrategy
authorizationStrategy
=
new
MockAuthorizationStrategy
();
authorizationStrategy
.
grant
(
Jenkins
.
ADMINISTER
).
everywhere
().
toEveryone
();
r
.
jenkins
.
setAuthorizationStrategy
(
authorizationStrategy
);
DefaultCrumbIssuer
issuer
=
new
DefaultCrumbIssuer
(
true
);
r
.
jenkins
.
setCrumbIssuer
(
issuer
);
DefaultCrumbIssuer
.
EXCLUDE_SESSION_ID
=
true
;
sameCrumbUsedOnDifferentAnonymousRequest_tokenAreEqual
(
true
,
"job_noSession"
);
DefaultCrumbIssuer
.
EXCLUDE_SESSION_ID
=
false
;
sameCrumbUsedOnDifferentAnonymousRequest_tokenAreEqual
(
false
,
"job_session"
);
}
finally
{
DefaultCrumbIssuer
.
EXCLUDE_SESSION_ID
=
previousValue
;
}
}
private
void
sameCrumbUsedOnDifferentAnonymousRequest_tokenAreEqual
(
boolean
areEqual
,
String
namePrefix
)
throws
Exception
{
String
responseForCrumb
=
r
.
createWebClient
().
goTo
(
"crumbIssuer/api/xml?xpath=concat(//crumbRequestField,'=',//crumb)"
,
"text/plain"
)
.
getWebResponse
().
getContentAsString
();
// responseForCrumb = Jenkins-Crumb=xxxx
String
crumb1
=
responseForCrumb
.
substring
(
CrumbIssuer
.
DEFAULT_CRUMB_NAME
.
length
()
+
"="
.
length
());
String
jobName1
=
namePrefix
+
"-test1"
;
String
jobName2
=
namePrefix
+
"-test2"
;
WebRequest
request1
=
createRequestForJobCreation
(
jobName1
);
try
{
r
.
createWebClient
().
getPage
(
request1
);
fail
();
}
catch
(
FailingHttpStatusCodeException
e
)
{
assertTrue
(
e
.
getMessage
().
contains
(
"No valid crumb"
));
}
// cannot create new job due to missing crumb
assertNull
(
r
.
jenkins
.
getItem
(
jobName1
));
WebRequest
request2
=
createRequestForJobCreation
(
jobName2
);
request2
.
setAdditionalHeader
(
CrumbIssuer
.
DEFAULT_CRUMB_NAME
,
crumb1
);
if
(
areEqual
)
{
r
.
createWebClient
().
getPage
(
request2
);
assertNotNull
(
r
.
jenkins
.
getItem
(
jobName2
));
}
else
{
try
{
r
.
createWebClient
().
getPage
(
request2
);
fail
(
"Should have failed due to invalid crumb"
);
}
catch
(
FailingHttpStatusCodeException
e
)
{
assertEquals
(
HttpURLConnection
.
HTTP_FORBIDDEN
,
e
.
getStatusCode
());
// cannot create new job due to invalid crumb
assertNull
(
r
.
jenkins
.
getItem
(
jobName2
));
}
}
}
@Test
@Issue
(
"SECURITY-1491"
)
public
void
twoRequestsWithoutSessionGetDifferentCrumbs
()
throws
Exception
{
String
responseForCrumb
=
r
.
createWebClient
().
goTo
(
"crumbIssuer/api/xml?xpath=concat(//crumbRequestField,'=',//crumb)"
,
"text/plain"
)
.
getWebResponse
().
getContentAsString
();
// responseForCrumb = Jenkins-Crumb=xxxx
String
crumb1
=
responseForCrumb
.
substring
(
CrumbIssuer
.
DEFAULT_CRUMB_NAME
.
length
()
+
"="
.
length
());
responseForCrumb
=
r
.
createWebClient
().
goTo
(
"crumbIssuer/api/xml?xpath=concat(//crumbRequestField,'=',//crumb)"
,
"text/plain"
)
.
getWebResponse
().
getContentAsString
();
// responseForCrumb = Jenkins-Crumb=xxxx
String
crumb2
=
responseForCrumb
.
substring
(
CrumbIssuer
.
DEFAULT_CRUMB_NAME
.
length
()
+
"="
.
length
());
Assert
.
assertNotEquals
(
"should be different crumbs"
,
crumb1
,
crumb2
);
}
private
WebRequest
createRequestForJobCreation
(
String
jobName
)
throws
Exception
{
WebRequest
req
=
new
WebRequest
(
new
URL
(
r
.
getURL
()
+
"createItem?name="
+
jobName
),
HttpMethod
.
POST
);
req
.
setAdditionalHeader
(
"Content-Type"
,
"application/xml"
);
req
.
setRequestBody
(
"<project/>"
);
return
req
;
}
@Test
public
void
anonCanStillPostRequestUsingBrowsers
()
throws
Exception
{
r
.
jenkins
.
setSecurityRealm
(
r
.
createDummySecurityRealm
());
MockAuthorizationStrategy
authorizationStrategy
=
new
MockAuthorizationStrategy
();
authorizationStrategy
.
grant
(
Jenkins
.
ADMINISTER
).
everywhere
().
toEveryone
();
r
.
jenkins
.
setAuthorizationStrategy
(
authorizationStrategy
);
DefaultCrumbIssuer
issuer
=
new
DefaultCrumbIssuer
(
true
);
r
.
jenkins
.
setCrumbIssuer
(
issuer
);
HtmlPage
p
=
r
.
createWebClient
().
goTo
(
"configure"
);
r
.
submit
(
p
.
getFormByName
(
"config"
));
}
}
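Review bot: the comment `// let anonymous user have read access` in `sessionIncludedEvenForAnonymousCall` contradicts the grant that follows it, `grant(Jenkins.ADMINISTER).everywhere().toEveryone()`; either reword the comment or grant only what the test needs (`Jenkins.READ` plus `Item.CREATE`), so that the failing `createItem` POST is demonstrably blocked by the crumb check and not by permissions. Extracting the crumb with `substring(CrumbIssuer.DEFAULT_CRUMB_NAME.length() + "=".length())` assumes the request field is the default name; splitting the `Jenkins-Crumb=xxxx` response on the first `=` would survive a renamed field. `anonCanStillPostRequestUsingBrowsers` carries no `@Issue("SECURITY-1491")` tag and makes no explicit assertion after `r.submit(...)`; it relies on `FailingHttpStatusCodeException` to fail the test, which works but an assertion on the response status would state the intent. Toggling the static `DefaultCrumbIssuer.EXCLUDE_SESSION_ID` is correctly restored in the `finally` block; the `//TODO merge back to DefaultCrumbIssuerTest` should name the follow-up ticket so it does not linger.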