Commit 3d03990a
Authored Apr 24, 2013 by Jesse Glick
[SECURITY-63] Check RUN_SCRIPTS for /eval.
Parent 3bbb65df
Showing 2 changed files with 41 additions and 1 deletion (+41 -1)
core/src/main/java/jenkins/model/Jenkins.java (+1 -1)
test/src/test/java/jenkins/model/JenkinsTest.java (+40 -0)
core/src/main/java/jenkins/model/Jenkins.java
@@ -3402,7 +3402,7 @@ public class Jenkins extends AbstractCIBase implements ModifiableTopLevelItemGro
*/
@RequirePOST
public
void
doEval
(
StaplerRequest
req
,
StaplerResponse
rsp
)
throws
IOException
,
ServletException
{
checkPermission
(
ADMINISTER
);
checkPermission
(
RUN_SCRIPTS
);
try
{
MetaClass
mc
=
WebApp
.
getCurrent
().
getMetaClass
(
getClass
());
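Review bot: the Javadoc that closes at the `*/` context line at the top of this hunk should say which permission `doEval` now requires, because the check directly under it changes from `checkPermission(ADMINISTER)` to `checkPermission(RUN_SCRIPTS)` (the file summary lists +1/-1 for Jenkins.java and both lines appear in the hunk). A one-line addition such as `Requires {@link #RUN_SCRIPTS}.` keeps the API documentation in step with the enforced check and with the test in the second file, which expects a user holding ADMINISTER but not RUN_SCRIPTS to receive HTTP_FORBIDDEN.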
test/src/test/java/jenkins/model/JenkinsTest.java
@@ -23,6 +23,7 @@
*/
package
jenkins.model
;
import
com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException
;
import
com.gargoylesoftware.htmlunit.HttpMethod
;
import
com.gargoylesoftware.htmlunit.WebRequestSettings
;
import
com.gargoylesoftware.htmlunit.html.HtmlForm
;
@@ -245,6 +246,45 @@ public class JenkinsTest extends HudsonTestCase {
wc
.
assertFails
(
"script"
,
HttpURLConnection
.
HTTP_FORBIDDEN
);
}
public
void
testDoEval
()
throws
Exception
{
jenkins
.
setSecurityRealm
(
new
LegacySecurityRealm
());
GlobalMatrixAuthorizationStrategy
gmas
=
new
GlobalMatrixAuthorizationStrategy
()
{
@Override
public
boolean
hasPermission
(
String
sid
,
Permission
p
)
{
return
p
==
Jenkins
.
RUN_SCRIPTS
?
hasExplicitPermission
(
sid
,
p
)
:
super
.
hasPermission
(
sid
,
p
);
}
};
gmas
.
add
(
Jenkins
.
ADMINISTER
,
"alice"
);
gmas
.
add
(
Jenkins
.
RUN_SCRIPTS
,
"alice"
);
gmas
.
add
(
Jenkins
.
READ
,
"bob"
);
gmas
.
add
(
Jenkins
.
ADMINISTER
,
"charlie"
);
jenkins
.
setAuthorizationStrategy
(
gmas
);
// Otherwise get "RuntimeException: Trying to set the request parameters, but the request body has already been specified;the two are mutually exclusive!" from WebRequestSettings.setRequestParameters when POSTing content:
jenkins
.
setCrumbIssuer
(
null
);
WebClient
wc
=
createWebClient
();
wc
.
login
(
"alice"
);
wc
.
assertFails
(
"eval"
,
HttpURLConnection
.
HTTP_INTERNAL_ERROR
);
assertEquals
(
"3"
,
eval
(
wc
));
wc
.
login
(
"bob"
);
try
{
eval
(
wc
);
fail
(
"bob has only READ"
);
}
catch
(
FailingHttpStatusCodeException
e
)
{
assertEquals
(
HttpURLConnection
.
HTTP_FORBIDDEN
,
e
.
getStatusCode
());
}
wc
.
login
(
"charlie"
);
try
{
eval
(
wc
);
fail
(
"charlie has ADMINISTER but not RUN_SCRIPTS"
);
}
catch
(
FailingHttpStatusCodeException
e
)
{
assertEquals
(
HttpURLConnection
.
HTTP_FORBIDDEN
,
e
.
getStatusCode
());
}
}
private
String
eval
(
WebClient
wc
)
throws
Exception
{
WebRequestSettings
req
=
new
WebRequestSettings
(
new
URL
(
wc
.
getContextPath
()
+
"eval"
),
HttpMethod
.
POST
);
req
.
setRequestBody
(
"<j:jelly xmlns:j='jelly:core'>${1+2}</j:jelly>"
);
return
wc
.
getPage
(
/*wc.addCrumb(*/
req
/*)*/
).
getWebResponse
().
getContentAsString
();
}
@TestExtension
(
"testUnprotectedRootAction"
)
public
static
class
RootActionImpl
implements
UnprotectedRootAction
{
private
int
count
;
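Review bot: the `eval` helper still carries the commented-out `/*wc.addCrumb(*/ req /*)*/`, and `jenkins.setCrumbIssuer(null)` earlier in `testDoEval` switches the crumb issuer off for the whole test, so the @RequirePOST endpoint is never exercised with a crumb; either drop the dead comment or fold it and the setCrumbIssuer line into one TODO naming the WebRequestSettings limitation quoted in the comment, so a later reader knows the CSRF path is deliberately out of scope. The bob and charlie blocks also repeat the same try / fail / catch FailingHttpStatusCodeException / assertEquals(HTTP_FORBIDDEN, e.getStatusCode()) sequence; a small helper such as `assertEvalForbidden(wc, "bob has only READ")` would let the alice/bob/charlie cases read as one permission table.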