Commit 3bbb65df
Authored on Apr 24, 2013 by Jesse Glick
[SECURITY-63] Require POST for running Groovy scripts.
Parent: 64ff0470
Showing 4 changed files with 50 additions and 36 deletions (+50 -36)
core/src/main/java/hudson/model/Computer.java (+1 -16)
core/src/main/java/jenkins/model/Jenkins.java (+12 -5)
maven-plugin/src/main/java/hudson/maven/MavenProbeAction.java (+1 -15)
test/src/test/java/jenkins/model/JenkinsTest.java (+36 -0)
core/src/main/java/hudson/model/Computer.java
@@ -50,8 +50,6 @@ import hudson.slaves.RetentionStrategy;
import
hudson.slaves.WorkspaceList
;
import
hudson.slaves.OfflineCause
;
import
hudson.slaves.OfflineCause.ByCLI
;
import
hudson.tasks.BuildWrapper
;
import
hudson.tasks.Publisher
;
import
hudson.util.DaemonThreadFactory
;
import
hudson.util.EditDistance
;
import
hudson.util.ExceptionCatchingThreadFactory
;
@@ -1130,20 +1128,7 @@ public /*transient*/ abstract class Computer extends Actionable implements Acces
}
protected
void
_doScript
(
StaplerRequest
req
,
StaplerResponse
rsp
,
String
view
)
throws
IOException
,
ServletException
{
// ability to run arbitrary script is dangerous
checkPermission
(
Jenkins
.
RUN_SCRIPTS
);
String
text
=
req
.
getParameter
(
"script"
);
if
(
text
!=
null
)
{
try
{
req
.
setAttribute
(
"output"
,
RemotingDiagnostics
.
executeGroovy
(
text
,
getChannel
()));
}
catch
(
InterruptedException
e
)
{
throw
new
ServletException
(
e
);
}
}
req
.
getView
(
this
,
view
).
forward
(
req
,
rsp
);
Jenkins
.
_doScript
(
req
,
rsp
,
req
.
getView
(
this
,
view
),
getChannel
(),
getACL
());
}
/**
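Review bot: the refactored body keeps the `protected`, non-final signature `_doScript(StaplerRequest req, StaplerResponse rsp, String view)`, so any Computer subclass that already overrides it with the old inline `checkPermission(Jenkins.RUN_SCRIPTS)` / `RemotingDiagnostics.executeGroovy(...)` pattern keeps a GET-triggerable script endpoint; a javadoc sentence stating that overrides must delegate to `Jenkins._doScript` would make the contract explicit. Passing `getChannel()` and `getACL()` into the shared helper preserves the old behaviour, assuming `Computer.checkPermission` resolves against the same `getACL()` as before.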
core/src/main/java/jenkins/model/Jenkins.java
@@ -260,6 +260,7 @@ import java.io.InputStream;
import
java.io.PrintWriter
;
import
java.io.StringWriter
;
import
java.net.BindException
;
import
java.net.HttpURLConnection
;
import
java.net.URL
;
import
java.nio.charset.Charset
;
import
java.security.SecureRandom
;
@@ -3361,25 +3362,31 @@ public class Jenkins extends AbstractCIBase implements ModifiableTopLevelItemGro
* Run arbitrary Groovy script.
*/
public
void
doScript
(
StaplerRequest
req
,
StaplerResponse
rsp
)
throws
IOException
,
ServletException
{
doScript
(
req
,
rsp
,
req
.
getView
(
this
,
"_script.jelly"
));
_doScript
(
req
,
rsp
,
req
.
getView
(
this
,
"_script.jelly"
),
MasterComputer
.
localChannel
,
getACL
(
));
}
/**
* Run arbitrary Groovy script and return result as plain text.
*/
public
void
doScriptText
(
StaplerRequest
req
,
StaplerResponse
rsp
)
throws
IOException
,
ServletException
{
doScript
(
req
,
rsp
,
req
.
getView
(
this
,
"_scriptText.jelly"
));
_doScript
(
req
,
rsp
,
req
.
getView
(
this
,
"_scriptText.jelly"
),
MasterComputer
.
localChannel
,
getACL
(
));
}
private
void
doScript
(
StaplerRequest
req
,
StaplerResponse
rsp
,
RequestDispatcher
view
)
throws
IOException
,
ServletException
{
/**
* @since 1.509.1
*/
public
static
void
_doScript
(
StaplerRequest
req
,
StaplerResponse
rsp
,
RequestDispatcher
view
,
VirtualChannel
channel
,
ACL
acl
)
throws
IOException
,
ServletException
{
// ability to run arbitrary script is dangerous
checkPermission
(
RUN_SCRIPTS
);
acl
.
checkPermission
(
RUN_SCRIPTS
);
String
text
=
req
.
getParameter
(
"script"
);
if
(
text
!=
null
)
{
if
(!
"POST"
.
equals
(
req
.
getMethod
()))
{
throw
HttpResponses
.
error
(
HttpURLConnection
.
HTTP_BAD_METHOD
,
"requires POST"
);
}
try
{
req
.
setAttribute
(
"output"
,
RemotingDiagnostics
.
executeGroovy
(
text
,
MasterComputer
.
localC
hannel
));
RemotingDiagnostics
.
executeGroovy
(
text
,
c
hannel
));
}
catch
(
InterruptedException
e
)
{
throw
new
ServletException
(
e
);
}
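Review bot: the method check at `if (!"POST".equals(req.getMethod()))` throws `HttpResponses.error(HttpURLConnection.HTTP_BAD_METHOD, "requires POST")` without an `Allow: POST` header, which HTTP/1.1 requires on a 405 response; consider setting it on `rsp` before throwing, or note why it is omitted. The ordering is sound: `acl.checkPermission(RUN_SCRIPTS)` runs before the method check, so a caller lacking the permission gets the permission failure rather than a 405, and because the check sits inside `if (text != null)` a plain GET still renders the form view. Since `_doScript` is now public static API (`@since 1.509.1`), its javadoc should also say what `channel` and `acl` are expected to be, as plugin code (the maven-plugin hunk) now depends on it.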
maven-plugin/src/main/java/hudson/maven/MavenProbeAction.java
@@ -97,21 +97,7 @@ public final class MavenProbeAction implements Action {
}
public
void
doScript
(
StaplerRequest
req
,
StaplerResponse
rsp
)
throws
IOException
,
ServletException
{
// ability to run arbitrary script is dangerous,
// so tie it to the admin access
owner
.
checkPermission
(
Jenkins
.
RUN_SCRIPTS
);
String
text
=
req
.
getParameter
(
"script"
);
if
(
text
!=
null
)
{
try
{
req
.
setAttribute
(
"output"
,
RemotingDiagnostics
.
executeGroovy
(
text
,
channel
));
}
catch
(
InterruptedException
e
)
{
throw
new
ServletException
(
e
);
}
}
req
.
getView
(
this
,
"_script.jelly"
).
forward
(
req
,
rsp
);
Jenkins
.
_doScript
(
req
,
rsp
,
req
.
getView
(
this
,
"_script.jelly"
),
channel
,
owner
.
getACL
());
}
/**
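Review bot: this call binds maven-plugin to the new `Jenkins._doScript` (`@since 1.509.1` in the core hunk), so the plugin's required core version must be at least that release or the call fails with `NoSuchMethodError` on an older core; worth checking the plugin's parent POM version in the same change. Behaviour is otherwise preserved: `owner.getACL()` is the ACL that `owner.checkPermission(Jenkins.RUN_SCRIPTS)` consulted before, the `channel` field is passed through unchanged, and the view remains `_script.jelly`.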
test/src/test/java/jenkins/model/JenkinsTest.java
@@ -23,6 +23,8 @@
*/
package
jenkins.model
;
import
com.gargoylesoftware.htmlunit.HttpMethod
;
import
com.gargoylesoftware.htmlunit.WebRequestSettings
;
import
com.gargoylesoftware.htmlunit.html.HtmlForm
;
import
hudson.maven.MavenModuleSet
;
import
hudson.maven.MavenModuleSetBuild
;
@@ -32,6 +34,9 @@ import hudson.security.FullControlOnceLoggedInAuthorizationStrategy;
import
hudson.util.HttpResponses
;
import
junit.framework.Assert
;
import
hudson.model.FreeStyleProject
;
import
hudson.security.GlobalMatrixAuthorizationStrategy
;
import
hudson.security.LegacySecurityRealm
;
import
hudson.security.Permission
;
import
hudson.util.FormValidation
;
import
org.junit.Test
;
@@ -41,6 +46,7 @@ import org.jvnet.hudson.test.HudsonTestCase;
import
org.jvnet.hudson.test.TestExtension
;
import
org.kohsuke.stapler.HttpResponse
;
import
java.net.HttpURLConnection
;
import
java.net.URL
;
/**
* @author kingfai
@@ -209,6 +215,36 @@ public class JenkinsTest extends HudsonTestCase {
assertEquals
(
3
,
jenkins
.
getExtensionList
(
RootAction
.
class
).
get
(
RootActionImpl
.
class
).
count
);
}
public
void
testDoScript
()
throws
Exception
{
jenkins
.
setSecurityRealm
(
new
LegacySecurityRealm
());
GlobalMatrixAuthorizationStrategy
gmas
=
new
GlobalMatrixAuthorizationStrategy
()
{
@Override
public
boolean
hasPermission
(
String
sid
,
Permission
p
)
{
return
p
==
Jenkins
.
RUN_SCRIPTS
?
hasExplicitPermission
(
sid
,
p
)
:
super
.
hasPermission
(
sid
,
p
);
}
};
gmas
.
add
(
Jenkins
.
ADMINISTER
,
"alice"
);
gmas
.
add
(
Jenkins
.
RUN_SCRIPTS
,
"alice"
);
gmas
.
add
(
Jenkins
.
READ
,
"bob"
);
gmas
.
add
(
Jenkins
.
ADMINISTER
,
"charlie"
);
jenkins
.
setAuthorizationStrategy
(
gmas
);
WebClient
wc
=
createWebClient
();
wc
.
login
(
"alice"
);
wc
.
goTo
(
"script"
);
wc
.
assertFails
(
"script?script=System.setProperty('hack','me')"
,
HttpURLConnection
.
HTTP_BAD_METHOD
);
assertNull
(
System
.
getProperty
(
"hack"
));
WebRequestSettings
req
=
new
WebRequestSettings
(
new
URL
(
wc
.
getContextPath
()
+
"script?script=System.setProperty('hack','me')"
),
HttpMethod
.
POST
);
wc
.
getPage
(
wc
.
addCrumb
(
req
));
assertEquals
(
"me"
,
System
.
getProperty
(
"hack"
));
wc
.
assertFails
(
"scriptText?script=System.setProperty('hack','me')"
,
HttpURLConnection
.
HTTP_BAD_METHOD
);
req
=
new
WebRequestSettings
(
new
URL
(
wc
.
getContextPath
()
+
"scriptText?script=System.setProperty('huck','you')"
),
HttpMethod
.
POST
);
wc
.
getPage
(
wc
.
addCrumb
(
req
));
assertEquals
(
"you"
,
System
.
getProperty
(
"huck"
));
wc
.
login
(
"bob"
);
wc
.
assertFails
(
"script"
,
HttpURLConnection
.
HTTP_FORBIDDEN
);
wc
.
login
(
"charlie"
);
wc
.
assertFails
(
"script"
,
HttpURLConnection
.
HTTP_FORBIDDEN
);
}
@TestExtension
(
"testUnprotectedRootAction"
)
public
static
class
RootActionImpl
implements
UnprotectedRootAction
{
private
int
count
;
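Review bot: the executed scripts set the JVM-wide system properties `hack` and `huck` and the test never clears them, so they leak into other tests running in the same JVM and the early `assertNull(System.getProperty("hack"))` fails on a second run in the same process; clear them in a `finally` block or in `tearDown()` (`System.clearProperty("hack"); System.clearProperty("huck");`). Coverage is otherwise good: GET with a `script` parameter is asserted to return 405 for both `script` and `scriptText`, the crumbed POST is asserted to have executed, `bob` (READ only) and `charlie` (ADMINISTER without an explicit RUN_SCRIPTS grant under the overridden strategy) get 403, and `wc.goTo("script")` confirms the form page still loads over GET.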