merged back the RC branch

31eeb753 · Kohsuke Kawaguchi · 555d2b1d · 384544c7 · 31eeb753 · 31eeb753
10 changed file
--- a/changelog.html
+++ b/changelog.html
@@ -72,7 +72,10 @@ Upcoming changes</a>

 <!-- these changes are controlled by the release process. DO NOT MODIFY -->
 <div id="rc" style="display:none;"><!--=BEGIN=-->
-<h3><a name=v1.514>What's new in 1.514</a> <!--=DATE=--></h3>
+<h3><a name=v1.515>What's new in 1.515</a> <!--=DATE=--></h3>
+<!--=RC-CHANGES=-->
+</div><!--=END=-->
+<h3><a name=v1.514>What's new in 1.514</a> (2013/05/01)</h3>
 <ul class=image>
  <li class=rfe>
    Added a new <tt>set-build-parameter</tt> command that can update a build variable from within a build.
@@ -95,7 +98,6 @@ Upcoming changes</a>
  <li class=rfe>
    Updated bundled plugins.
 </ul>
-</div><!--=END=-->
 <h3><a name=v1.513>What's new in 1.513</a> (2013/04/28)</h3>
 <ul class=image>
  <li class=rfe>
@@ -108,6 +110,15 @@ Upcoming changes</a>
  <li class=rfe>
    Breadcrumb is reworked to show descendants to provide additional navigational shortcuts.
    (<a href="https://wiki.jenkins-ci.org/display/JENKINS/FOSDEM+UI+Enhancement+discussion+notes+2013">discussion</a>)
+  <li class=bug>
+    Fixed CSRF vulnerabilities
+    (SECURITY-63,SECURITY-69)
+  <li class=bug>
+    Fixed an XSS vulnerability via stylesheet
+    (SECURITY-67)
+  <li class=bug>
+    Fixed an XSS vulnerability to copy arbitrary text into clipboard
+    (SECURITY-71/CVE-2013-1808)
 </ul>
 <h3><a name=v1.512>What's new in 1.512</a> (2013/04/21)</h3>
 <ul class=image>

--- a/core/pom.xml
+++ b/core/pom.xml
@@ -164,7 +164,7 @@ THE SOFTWARE.
    <dependency>
      <groupId>org.kohsuke.stapler</groupId>
      <artifactId>stapler-adjunct-zeroclipboard</artifactId>
-      <version>1.0.7-2</version>
+      <version>1.1.7-1</version>
    </dependency>
    <dependency>
      <groupId>org.kohsuke.stapler</groupId>

--- a/core/src/main/java/hudson/markup/MyspacePolicy.java
+++ b/core/src/main/java/hudson/markup/MyspacePolicy.java
@@ -67,7 +67,6 @@ public class MyspacePolicy {
            tag("img",      "src",ONSITE_OR_OFFSITE_URL,
                            "hspace","vspace");
            tag("iframe",   "src");
-            tag("link",     "type","rel");
            tag("ul,ol,li,dd,dl,dt,thead,tbody,tfoot");
            tag("table",    "noresize");
            tag("td,th,tr");

--- a/core/src/main/java/hudson/model/Computer.java
+++ b/core/src/main/java/hudson/model/Computer.java
@@ -51,8 +51,6 @@ import hudson.slaves.RetentionStrategy;
 import hudson.slaves.WorkspaceList;
 import hudson.slaves.OfflineCause;
 import hudson.slaves.OfflineCause.ByCLI;
-import hudson.tasks.BuildWrapper;
-import hudson.tasks.Publisher;
 import hudson.util.DaemonThreadFactory;
 import hudson.util.EditDistance;
 import hudson.util.ExceptionCatchingThreadFactory;
@@ -1157,20 +1155,7 @@ public /*transient*/ abstract class Computer extends Actionable implements Acces
    }

    protected void _doScript( StaplerRequest req, StaplerResponse rsp, String view) throws IOException, ServletException {
-        // ability to run arbitrary script is dangerous
-        checkPermission(Jenkins.RUN_SCRIPTS);
-
-        String text = req.getParameter("script");
-        if(text!=null) {
-            try {
-                req.setAttribute("output",
-                RemotingDiagnostics.executeGroovy(text,getChannel()));
-            } catch (InterruptedException e) {
-                throw new ServletException(e);
-            }
-        }
-
-        req.getView(this,view).forward(req, rsp);
+        Jenkins._doScript(req, rsp, req.getView(this, view), getChannel(), getACL());
    }

    /**

--- a/core/src/main/java/jenkins/model/Jenkins.java
+++ b/core/src/main/java/jenkins/model/Jenkins.java
@@ -261,6 +261,7 @@ import java.io.InputStream;
 import java.io.PrintWriter;
 import java.io.StringWriter;
 import java.net.BindException;
+import java.net.HttpURLConnection;
 import java.net.URL;
 import java.nio.charset.Charset;
 import java.security.SecureRandom;
@@ -3357,25 +3358,31 @@ public class Jenkins extends AbstractCIBase implements ModifiableTopLevelItemGro
     * Run arbitrary Groovy script.
     */
    public void doScript(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
-        doScript(req, rsp, req.getView(this, "_script.jelly"));
+        _doScript(req, rsp, req.getView(this, "_script.jelly"), MasterComputer.localChannel, getACL());
    }

    /**
     * Run arbitrary Groovy script and return result as plain text.
     */
    public void doScriptText(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
-        doScript(req, rsp, req.getView(this, "_scriptText.jelly"));
+        _doScript(req, rsp, req.getView(this, "_scriptText.jelly"), MasterComputer.localChannel, getACL());
    }

-    private void doScript(StaplerRequest req, StaplerResponse rsp, RequestDispatcher view) throws IOException, ServletException {
+    /**
+     * @since 1.509.1
+     */
+    public static void _doScript(StaplerRequest req, StaplerResponse rsp, RequestDispatcher view, VirtualChannel channel, ACL acl) throws IOException, ServletException {
        // ability to run arbitrary script is dangerous
-        checkPermission(RUN_SCRIPTS);
+        acl.checkPermission(RUN_SCRIPTS);

        String text = req.getParameter("script");
        if (text != null) {
+            if (!"POST".equals(req.getMethod())) {
+                throw HttpResponses.error(HttpURLConnection.HTTP_BAD_METHOD, "requires POST");
+            }
            try {
                req.setAttribute("output",
-                        RemotingDiagnostics.executeGroovy(text, MasterComputer.localChannel));
+                        RemotingDiagnostics.executeGroovy(text, channel));
            } catch (InterruptedException e) {
                throw new ServletException(e);
            }
@@ -3391,7 +3398,7 @@ public class Jenkins extends AbstractCIBase implements ModifiableTopLevelItemGro
     */
    @RequirePOST
    public void doEval(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
-        checkPermission(ADMINISTER);
+        checkPermission(RUN_SCRIPTS);

        try {
            MetaClass mc = WebApp.getCurrent().getMetaClass(getClass());

--- a/core/src/test/java/hudson/markup/MyspacePolicyTest.java
+++ b/core/src/test/java/hudson/markup/MyspacePolicyTest.java
@@ -43,7 +43,7 @@ public class MyspacePolicyTest extends Assert {
        assertReject("script","<script src='relative.js'></script>");

        assertIntact("<style>H1 { display:none; }</style>");
-        assertIntact("<link rel='stylesheet' type='text/css' href='http://www.microsoft.com/'>");
+        assertReject("link", "<link rel='stylesheet' type='text/css' href='http://www.microsoft.com/'>");
        assertIntact("<div style='background-color:white'>inline CSS</div>");
        assertIntact("<br><hr>");


--- a/debian/debian/changelog
+++ b/debian/debian/changelog
+jenkins (1.514) unstable; urgency=low
+
+  * See http://jenkins-ci.org/changelog for more details.
+
+ -- Kohsuke Kawaguchi <kk@kohsuke.org>  Wed, 01 May 2013 20:15:32 -0700
+
 jenkins (1.513) unstable; urgency=low

  * See http://jenkins-ci.org/changelog for more details.

--- a/maven-plugin/src/main/java/hudson/maven/MavenProbeAction.java
+++ b/maven-plugin/src/main/java/hudson/maven/MavenProbeAction.java
@@ -97,21 +97,7 @@ public final class MavenProbeAction implements Action {
    }

    public void doScript( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException {
-        // ability to run arbitrary script is dangerous,
-        // so tie it to the admin access
-        owner.checkPermission(Jenkins.RUN_SCRIPTS);
-
-        String text = req.getParameter("script");
-        if(text!=null) {
-            try {
-                req.setAttribute("output",
-                RemotingDiagnostics.executeGroovy(text,channel));
-            } catch (InterruptedException e) {
-                throw new ServletException(e);
-            }
-        }
-
-        req.getView(this,"_script.jelly").forward(req,rsp);
+        Jenkins._doScript(req, rsp, req.getView(this, "_script.jelly"), channel, owner.getACL());
    }

    /**

--- a/maven-plugin/src/main/java/hudson/maven/reporters/MavenAbstractArtifactRecord.java
+++ b/maven-plugin/src/main/java/hudson/maven/reporters/MavenAbstractArtifactRecord.java
@@ -65,6 +65,7 @@ import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.StaplerResponse;
 import org.kohsuke.stapler.export.Exported;
 import org.kohsuke.stapler.export.ExportedBean;
+import org.kohsuke.stapler.interceptor.RequirePOST;

 /**
 * UI to redeploy artifacts after the fact.
@@ -208,6 +209,7 @@ public abstract class MavenAbstractArtifactRecord<T extends AbstractBuild<?,?>>
    /**
     * Performs a redeployment.
     */
+    @RequirePOST
    public final HttpResponse doRedeploy(
            @QueryParameter("_.id") final String id,
            @QueryParameter("_.url") final String repositoryUrl,

--- a/test/src/test/java/jenkins/model/JenkinsTest.java
+++ b/test/src/test/java/jenkins/model/JenkinsTest.java
@@ -23,6 +23,9 @@
 */
 package jenkins.model;

+import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
+import com.gargoylesoftware.htmlunit.HttpMethod;
+import com.gargoylesoftware.htmlunit.WebRequestSettings;
 import com.gargoylesoftware.htmlunit.html.HtmlForm;
 import hudson.maven.MavenModuleSet;
 import hudson.maven.MavenModuleSetBuild;
@@ -32,6 +35,9 @@ import hudson.security.FullControlOnceLoggedInAuthorizationStrategy;
 import hudson.util.HttpResponses;
 import junit.framework.Assert;
 import hudson.model.FreeStyleProject;
+import hudson.security.GlobalMatrixAuthorizationStrategy;
+import hudson.security.LegacySecurityRealm;
+import hudson.security.Permission;
 import hudson.util.FormValidation;

 import org.junit.Test;
@@ -41,6 +47,7 @@ import org.jvnet.hudson.test.HudsonTestCase;
 import org.jvnet.hudson.test.TestExtension;
 import org.kohsuke.stapler.HttpResponse;
 import java.net.HttpURLConnection;
+import java.net.URL;

 /**
 * @author kingfai
@@ -237,6 +244,75 @@ public class JenkinsTest extends HudsonTestCase {
        assertEquals(3,jenkins.getExtensionList(RootAction.class).get(RootActionImpl.class).count);
    }

+    public void testDoScript() throws Exception {
+        jenkins.setSecurityRealm(new LegacySecurityRealm());
+        GlobalMatrixAuthorizationStrategy gmas = new GlobalMatrixAuthorizationStrategy() {
+            @Override public boolean hasPermission(String sid, Permission p) {
+                return p == Jenkins.RUN_SCRIPTS ? hasExplicitPermission(sid, p) : super.hasPermission(sid, p);
+            }
+        };
+        gmas.add(Jenkins.ADMINISTER, "alice");
+        gmas.add(Jenkins.RUN_SCRIPTS, "alice");
+        gmas.add(Jenkins.READ, "bob");
+        gmas.add(Jenkins.ADMINISTER, "charlie");
+        jenkins.setAuthorizationStrategy(gmas);
+        WebClient wc = createWebClient();
+        wc.login("alice");
+        wc.goTo("script");
+        wc.assertFails("script?script=System.setProperty('hack','me')", HttpURLConnection.HTTP_BAD_METHOD);
+        assertNull(System.getProperty("hack"));
+        WebRequestSettings req = new WebRequestSettings(new URL(wc.getContextPath() + "script?script=System.setProperty('hack','me')"), HttpMethod.POST);
+        wc.getPage(wc.addCrumb(req));
+        assertEquals("me", System.getProperty("hack"));
+        wc.assertFails("scriptText?script=System.setProperty('hack','me')", HttpURLConnection.HTTP_BAD_METHOD);
+        req = new WebRequestSettings(new URL(wc.getContextPath() + "scriptText?script=System.setProperty('huck','you')"), HttpMethod.POST);
+        wc.getPage(wc.addCrumb(req));
+        assertEquals("you", System.getProperty("huck"));
+        wc.login("bob");
+        wc.assertFails("script", HttpURLConnection.HTTP_FORBIDDEN);
+        wc.login("charlie");
+        wc.assertFails("script", HttpURLConnection.HTTP_FORBIDDEN);
+    }
+
+    public void testDoEval() throws Exception {
+        jenkins.setSecurityRealm(new LegacySecurityRealm());
+        GlobalMatrixAuthorizationStrategy gmas = new GlobalMatrixAuthorizationStrategy() {
+            @Override public boolean hasPermission(String sid, Permission p) {
+                return p == Jenkins.RUN_SCRIPTS ? hasExplicitPermission(sid, p) : super.hasPermission(sid, p);
+            }
+        };
+        gmas.add(Jenkins.ADMINISTER, "alice");
+        gmas.add(Jenkins.RUN_SCRIPTS, "alice");
+        gmas.add(Jenkins.READ, "bob");
+        gmas.add(Jenkins.ADMINISTER, "charlie");
+        jenkins.setAuthorizationStrategy(gmas);
+        // Otherwise get "RuntimeException: Trying to set the request parameters, but the request body has already been specified;the two are mutually exclusive!" from WebRequestSettings.setRequestParameters when POSTing content:
+        jenkins.setCrumbIssuer(null);
+        WebClient wc = createWebClient();
+        wc.login("alice");
+        wc.assertFails("eval", HttpURLConnection.HTTP_INTERNAL_ERROR);
+        assertEquals("3", eval(wc));
+        wc.login("bob");
+        try {
+            eval(wc);
+            fail("bob has only READ");
+        } catch (FailingHttpStatusCodeException e) {
+            assertEquals(HttpURLConnection.HTTP_FORBIDDEN, e.getStatusCode());
+        }
+        wc.login("charlie");
+        try {
+            eval(wc);
+            fail("charlie has ADMINISTER but not RUN_SCRIPTS");
+        } catch (FailingHttpStatusCodeException e) {
+            assertEquals(HttpURLConnection.HTTP_FORBIDDEN, e.getStatusCode());
+        }
+    }
+    private String eval(WebClient wc) throws Exception {
+        WebRequestSettings req = new WebRequestSettings(new URL(wc.getContextPath() + "eval"), HttpMethod.POST);
+        req.setRequestBody("<j:jelly xmlns:j='jelly:core'>${1+2}</j:jelly>");
+        return wc.getPage(/*wc.addCrumb(*/req/*)*/).getWebResponse().getContentAsString();
+    }
+
    @TestExtension("testUnprotectedRootAction")
    public static class RootActionImpl implements UnprotectedRootAction {
        private int count;