From 7c5b41bfd5d8004f82684a9168dd627e20ea5f35 Mon Sep 17 00:00:00 2001
From: Wadeck Follonier
Date: Wed, 25 Apr 2018 23:40:56 +0200
Subject: [PATCH] [SECURITY-771]
---
 .../resources/hudson/AboutJenkins/index.jelly | 2 +-
 .../test/java/hudson/AboutJenkinsTest.java | 72 +++++++++++++++++++
 2 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 test/src/test/java/hudson/AboutJenkinsTest.java
diff --git a/core/src/main/resources/hudson/AboutJenkins/index.jelly b/core/src/main/resources/hudson/AboutJenkins/index.jelly
index 68e063af6d..cc668b1f64 100644
--- a/core/src/main/resources/hudson/AboutJenkins/index.jelly
+++ b/core/src/main/resources/hudson/AboutJenkins/index.jelly
@@ -26,7 +26,7 @@ THE SOFTWARE.
-
+
diff --git a/test/src/test/java/hudson/AboutJenkinsTest.java b/test/src/test/java/hudson/AboutJenkinsTest.java
new file mode 100644
index 0000000000..7972aa1021
--- /dev/null
+++ b/test/src/test/java/hudson/AboutJenkinsTest.java
@@ -0,0 +1,72 @@
+/*
+ * The MIT License
+ *
+ * Copyright 2018 CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package hudson;
+
+import com.gargoylesoftware.htmlunit.html.HtmlPage;
+import jenkins.model.Jenkins;
+import org.junit.Rule;
+import org.junit.Test;
+import org.jvnet.hudson.test.Issue;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.MockAuthorizationStrategy;
+
+import static org.hamcrest.Matchers.containsString;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertThat;
+
+public class AboutJenkinsTest {
+
+ @Rule
+ public JenkinsRule j = new JenkinsRule();
+
+ @Test
+ @Issue("SECURITY-771")
+ public void onlyAdminCanReadAbout() throws Exception {
+ final String ADMIN = "admin";
+ final String USER = "user";
+
+ j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
+ j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
+ .grant(Jenkins.ADMINISTER).everywhere().to(ADMIN)
+ .grant(Jenkins.READ).everywhere().to(USER)
+ );
+
+ JenkinsRule.WebClient wc = j.createWebClient();
+ wc.getOptions().setThrowExceptionOnFailingStatusCode(false);
+
+ { // user cannot see it
+ wc.login(USER);
+ HtmlPage page = wc.goTo("about/");
+ assertEquals(403, page.getWebResponse().getStatusCode());
+ }
+
+ { // admin can access it
+ wc.login(ADMIN);
+ HtmlPage page = wc.goTo("about/");
+ assertEquals(200, page.getWebResponse().getStatusCode());
+ assertThat(page.getWebResponse().getContentAsString(), containsString("Mavenized dependencies"));
+ }
+ }
+
+}
-- GitLab
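Review bot: The "user cannot see it" block pins only the 403 status code, so a regression that still renders the dependency table into an error or partial page would pass; after the `assertEquals(403, ...)` line add `assertThat(page.getWebResponse().getContentAsString(), not(containsString("Mavenized dependencies")));` (with `org.hamcrest.Matchers.not` statically imported). The admin block already uses that marker string, so the two blocks would then assert the same property from both sides, which is the property SECURITY-771 is about. The index.jelly hunk that presumably adds the permission check is not legible in this rendering, so this test is the only visible evidence of the restriction and is worth making as tight as possible. Since `setThrowExceptionOnFailingStatusCode(false)` is set for the whole client, a comment such as `// keep the 403 response so its body can be inspected` on that line would explain why the rule-provided default is overridden.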