提交 5564a62e 编写于 作者: J James Nord

Merge pull request #7 from jenkinsci-cert/SECURITY-167_2

[SECURITY-167] Follow-up tweaks to address review comments.
package jenkins.util.xml;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
......@@ -9,9 +11,8 @@ import java.io.IOException;
/**
* An EntityResolver that will fail to resolve any entities.
* Useful in preventing External XML Entity injection attacks.
*
* @since TODO
*/
@Restricted(NoExternalUse.class)
public final class RestrictiveEntityResolver implements EntityResolver {
public final static RestrictiveEntityResolver INSTANCE = new RestrictiveEntityResolver();
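Review bot: The class Javadoc still carries the placeholder `@since TODO`, which should be replaced with the actual release version before this ships, otherwise the tag gives readers no information at all. The body of `resolveEntity` is outside this hunk, so one thing to confirm there: an `EntityResolver` that is meant to block external entities must throw (for example a `SAXException`) rather than return `null`, because a `null` return tells the SAX parser to fall back to its default resolution and open the system id itself. It would help to state that contract in the class Javadoc, e.g. `* {@link #resolveEntity} always throws rather than returning {@code null}, so the parser never falls back to its default resolution.` Note also that a resolver alone does not prevent internal entity expansion (billion-laughs style payloads); that needs the parser's secure-processing feature or disallowing DOCTYPE altogether, which is presumably handled where the parser factories are configured.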
......
package jenkins.util.xml;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
......@@ -21,6 +23,7 @@ import javax.xml.transform.sax.SAXTransformerFactory;
/**
* Utilities useful when working with various XML types.
*/
@Restricted(NoExternalUse.class)
public final class XMLUtils {
private final static Logger LOGGER = LogManager.getLogManager().getLogger(XMLUtils.class.getName());
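Review bot: `LogManager.getLogManager().getLogger(XMLUtils.class.getName())` on the `LOGGER` declaration returns `null` when no logger of that name has been registered yet — `LogManager.getLogger` only looks up existing loggers and never creates one — so the first `LOGGER.log(...)` call in this class can fail with a NullPointerException. The conventional form that creates the logger on demand is `private static final Logger LOGGER = Logger.getLogger(XMLUtils.class.getName());`, which also puts the modifiers in the usual `static final` order. The new `@Restricted(NoExternalUse.class)` on the class is reasonable, but since this is presumably where the hardened parser factories live, a sentence in the class Javadoc such as `* Parsing of untrusted XML inside core should go through these helpers rather than a raw factory so that external entity resolution stays disabled.` would make the intent of the restriction clear; the rest of the class is outside this hunk.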
......
......@@ -56,22 +56,14 @@ public class AbstractItemSecurityTest {
@Test()
// SECURITY-167
public void testUpdateByXmlIDoesNotProcessForeignResources() throws Exception {
public void testUpdateByXmlDoesNotProcessForeignResources() throws Exception {
final String xml = "<?xml version='1.0' encoding='UTF-8'?>\n" +
"<!DOCTYPE project[\n" +
" <!ENTITY foo SYSTEM \"file:///\">\n" +
"]>\n" +
"<project>\n" +
" <actions/>\n" +
" <description>&foo;</description>\n" +
" <keepDependencies>false</keepDependencies>\n" +
" <properties/>\n" +
" <scm class=\"hudson.scm.NullSCM\"/>\n" +
" <canRoam>true</canRoam>\n" +
" <triggers/>\n" +
" <builders/>\n" +
" <publishers/>\n" +
" <buildWrappers/>\n" +
"</project>";
FreeStyleProject project = jenkinsRule.createFreeStyleProject("security-167");
......@@ -90,19 +82,11 @@ public class AbstractItemSecurityTest {
@Test()
// SECURITY-167
public void testhamyXmlIDoesNotFail() throws Exception {
public void testUpdateByXmlDoesNotFail() throws Exception {
final String xml = "<?xml version='1.0' encoding='UTF-8'?>\n" +
"<project>\n" +
" <actions/>\n" +
" <description>&amp;</description>\n" +
" <keepDependencies>false</keepDependencies>\n" +
" <properties/>\n" +
" <scm class=\"hudson.scm.NullSCM\"/>\n" +
" <canRoam>true</canRoam>\n" +
" <triggers/>\n" +
" <builders/>\n" +
" <publishers/>\n" +
" <buildWrappers/>\n" +
"</project>";
FreeStyleProject project = jenkinsRule.createFreeStyleProject("security-167");
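Review bot: In the first hunk (`testUpdateByXmlDoesNotProcessForeignResources`) the only hostile construct exercised is an external general entity declared with `SYSTEM "file:///"` and referenced as `&foo;` inside `<description>`; an external DTD subset (`<!DOCTYPE project SYSTEM "...">`) and a parameter entity (`<!ENTITY % p SYSTEM "...">` then `%p;`) reach the resolver through different code paths and are not covered here, so a sibling test for each would catch a regression that blocks one path but not the others. The assertions for both tests lie outside their hunks, so I cannot tell whether the first test checks that the update is rejected outright or only that the description stays free of foreign content; the latter would presumably still pass against a resolver that silently returned an empty `InputSource`, which is weaker than the intended guarantee, so asserting on the failure itself is preferable. The rename from `testhamyXmlIDoesNotFail` to `testUpdateByXmlDoesNotFail` is a clear improvement. Both test bodies continue past the end of their hunks.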
......