Repository: xxadev / jenkins
Commit 7f202f03
Authored on Feb 10, 2016
Author: Jesse Glick
Merge pull request #60 from jenkinsci-cert/SECURITY-247-v2
[FIX SECURITY-247] Prevent loading of MethodClosure from XML
Parents: fb223054, 37cea0a5

Showing 3 changed files with 176 additions and 0 deletions (+176 -0)

core/src/main/java/hudson/util/XStream2.java (+29 -0)
test/src/test/java/hudson/util/XStream2Security247Test.java (+120 -0)
test/src/test/resources/hudson/util/XStream2Security247Test/config.xml (+27 -0)
core/src/main/java/hudson/util/XStream2.java
@@ -47,6 +47,7 @@ import edu.umd.cs.findbugs.annotations.SuppressWarnings;
import
hudson.PluginManager
;
import
hudson.PluginWrapper
;
import
hudson.diagnosis.OldDataMonitor
;
import
hudson.remoting.ClassFilter
;
import
hudson.util.xstream.ImmutableSetConverter
;
import
hudson.util.xstream.ImmutableSortedSetConverter
;
import
jenkins.model.Jenkins
;
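Review bot: the new `import hudson.remoting.ClassFilter;` ties XML configuration loading to the denylist maintained by the remoting layer, and nothing at the import site says so. A one-line comment here, or beside the `// SECURITY-247 defense` registration below, stating that `ClassFilter.DEFAULT` now governs both remoting deserialization and XStream config loading would warn anyone editing that filter that both paths are affected.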
@@ -159,6 +160,8 @@ public class XStream2 extends XStream {
// but before reflection-based one kicks in.
registerConverter
(
new
AssociatedConverterImpl
(
this
),
-
10
);
registerConverter
(
new
BlacklistedTypesConverter
(),
PRIORITY_VERY_HIGH
);
// SECURITY-247 defense
registerConverter
(
new
DynamicProxyConverter
(
getMapper
())
{
// SECURITY-105 defense
@Override
public
boolean
canConvert
(
Class
type
)
{
return
/* this precedes NullConverter */
type
!=
null
&&
super
.
canConvert
(
type
);
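Review bot: `registerConverter(new BlacklistedTypesConverter(), PRIORITY_VERY_HIGH)` only works because it outranks every other converter, including the anonymous `DynamicProxyConverter` registered just below it; a comment stating that this registration must remain the highest-priority converter would keep a future reordering from silently disabling the check. The same comment should say that the defense is a denylist: a type is refused only when `ClassFilter.DEFAULT.check` rejects it, so the protection is exactly as complete as that filter.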
@@ -434,4 +437,30 @@ public class XStream2 extends XStream {
}
private
static
class
BlacklistedTypesConverter
implements
Converter
{
@Override
public
void
marshal
(
Object
source
,
HierarchicalStreamWriter
writer
,
MarshallingContext
context
)
{
throw
new
UnsupportedOperationException
(
"Refusing to marshal for security reasons"
);
}
@Override
public
Object
unmarshal
(
HierarchicalStreamReader
reader
,
UnmarshallingContext
context
)
{
throw
new
ConversionException
(
"Refusing to unmarshal for security reasons"
);
}
@Override
public
boolean
canConvert
(
Class
type
)
{
if
(
type
==
null
)
{
return
false
;
}
try
{
ClassFilter
.
DEFAULT
.
check
(
type
);
ClassFilter
.
DEFAULT
.
check
(
type
.
getName
());
}
catch
(
SecurityException
se
)
{
// claim we can convert all the scary stuff so we can throw exceptions when attempting to do so
return
true
;
}
return
false
;
}
}
}
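Review bot: both exceptions thrown by `BlacklistedTypesConverter` drop the information an administrator needs to locate the offending element: `unmarshal` throws `ConversionException("Refusing to unmarshal for security reasons")` without naming the node, and `marshal` throws `UnsupportedOperationException("Refusing to marshal for security reasons")` without naming the class. Consider `"Refusing to unmarshal " + reader.getNodeName() + " for security reasons"` and `"Refusing to marshal " + source.getClass().getName() + " for security reasons"`, since a rejected config.xml otherwise surfaces only as a generic failure. Also, `canConvert` returns `false` for a `null` type and catches only `SecurityException`, so any other exception from `ClassFilter.DEFAULT.check` propagates out of the converter lookup; that fails closed, which is acceptable, but deserves a comment next to the existing one.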
test/src/test/java/hudson/util/XStream2Security247Test.java
0 → 100644
package
hudson.util
;
import
hudson.model.Items
;
import
org.apache.commons.io.*
;
import
org.apache.commons.io.IOUtils
;
import
org.junit.Before
;
import
org.junit.Rule
;
import
org.junit.Test
;
import
org.junit.rules.TemporaryFolder
;
import
org.jvnet.hudson.test.Issue
;
import
org.jvnet.hudson.test.JenkinsRule
;
import
org.kohsuke.stapler.StaplerRequest
;
import
org.kohsuke.stapler.StaplerResponse
;
import
org.mockito.Mock
;
import
org.mockito.MockitoAnnotations
;
import
javax.servlet.ServletInputStream
;
import
java.io.File
;
import
java.io.IOException
;
import
java.io.InputStream
;
import
static
org
.
junit
.
Assert
.
assertFalse
;
import
static
org
.
mockito
.
Mockito
.
when
;
public
class
XStream2Security247Test
{
@Rule
public
JenkinsRule
j
=
new
JenkinsRule
();
@Rule
public
TemporaryFolder
f
=
new
TemporaryFolder
();
@Mock
private
StaplerRequest
req
;
@Mock
private
StaplerResponse
rsp
;
@Before
public
void
setUp
()
throws
Exception
{
MockitoAnnotations
.
initMocks
(
this
);
}
@Test
@Issue
(
"SECURITY-247"
)
public
void
testXmlLoad
()
throws
Exception
{
File
exploitFile
=
f
.
newFile
();
try
{
// be extra sure there's no file already
if
(
exploitFile
.
exists
()
&&
!
exploitFile
.
delete
())
{
throw
new
IllegalStateException
(
"file exists and cannot be deleted"
);
}
File
tempJobDir
=
new
File
(
j
.
jenkins
.
getRootDir
(),
"security247"
);
String
exploitXml
=
org
.
apache
.
commons
.
io
.
IOUtils
.
toString
(
XStream2Security247Test
.
class
.
getResourceAsStream
(
"/hudson/util/XStream2Security247Test/config.xml"
),
"UTF-8"
);
exploitXml
=
exploitXml
.
replace
(
"@TOKEN@"
,
exploitFile
.
getAbsolutePath
());
FileUtils
.
write
(
new
File
(
tempJobDir
,
"config.xml"
),
exploitXml
);
try
{
Items
.
load
(
j
.
jenkins
,
tempJobDir
);
}
catch
(
Exception
e
)
{
// ignore
}
assertFalse
(
"no file should be created here"
,
exploitFile
.
exists
());
}
finally
{
exploitFile
.
delete
();
}
}
@Test
@Issue
(
"SECURITY-247"
)
public
void
testPostJobXml
()
throws
Exception
{
File
exploitFile
=
f
.
newFile
();
try
{
// be extra sure there's no file already
if
(
exploitFile
.
exists
()
&&
!
exploitFile
.
delete
())
{
throw
new
IllegalStateException
(
"file exists and cannot be deleted"
);
}
File
tempJobDir
=
new
File
(
j
.
jenkins
.
getRootDir
(),
"security247"
);
String
exploitXml
=
org
.
apache
.
commons
.
io
.
IOUtils
.
toString
(
XStream2Security247Test
.
class
.
getResourceAsStream
(
"/hudson/util/XStream2Security247Test/config.xml"
),
"UTF-8"
);
exploitXml
=
exploitXml
.
replace
(
"@TOKEN@"
,
exploitFile
.
getAbsolutePath
());
when
(
req
.
getMethod
()).
thenReturn
(
"POST"
);
when
(
req
.
getInputStream
()).
thenReturn
(
new
Stream
(
IOUtils
.
toInputStream
(
exploitXml
)));
when
(
req
.
getContentType
()).
thenReturn
(
"application/xml"
);
when
(
req
.
getParameter
(
"name"
)).
thenReturn
(
"foo"
);
try
{
j
.
jenkins
.
doCreateItem
(
req
,
rsp
);
}
catch
(
Exception
e
)
{
// don't care
}
assertFalse
(
"no file should be created here"
,
exploitFile
.
exists
());
}
finally
{
exploitFile
.
delete
();
}
}
private
static
class
Stream
extends
ServletInputStream
{
private
final
InputStream
inner
;
public
Stream
(
final
InputStream
inner
)
{
this
.
inner
=
inner
;
}
@Override
public
int
read
()
throws
IOException
{
return
inner
.
read
();
}
}
}
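Review bot: in both `testXmlLoad` and `testPostJobXml` the `catch (Exception e) { // ignore }` around `Items.load` and `doCreateItem` means the test also passes when loading aborted for an unrelated reason before the payload was reached, so `assertFalse("no file should be created here", exploitFile.exists())` can succeed vacuously. Consider capturing the exception and asserting that it is the `ConversionException` raised by `BlacklistedTypesConverter`, or at least logging it. Smaller points: `import org.apache.commons.io.*;` and `import org.apache.commons.io.IOUtils;` overlap while the body still spells out `org.apache.commons.io.IOUtils.toString(...)`, so one import suffices; the file, directory and resource setup is duplicated verbatim between the two tests and would read better as a helper; and `Stream` overrides only `read()`, which compiles against the Servlet 3.0 API but not 3.1, where `ServletInputStream` gains abstract `isFinished`, `isReady` and `setReadListener` methods.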
test/src/test/resources/hudson/util/XStream2Security247Test/config.xml
0 → 100644
<map>
<entry>
<groovy.util.Expando>
<expandoProperties>
<entry>
<string>
hashCode
</string>
<org.codehaus.groovy.runtime.MethodClosure>
<delegate
class=
"groovy.util.Expando"
reference=
"../../../.."
/>
<owner
class=
"java.lang.ProcessBuilder"
>
<command>
<string>
touch
</string>
<string>
@TOKEN@
</string>
</command>
<redirectErrorStream>
false
</redirectErrorStream>
</owner>
<resolveStrategy>
0
</resolveStrategy>
<directive>
0
</directive>
<parameterTypes/>
<maximumNumberOfParameters>
0
</maximumNumberOfParameters>
<method>
start
</method>
</org.codehaus.groovy.runtime.MethodClosure>
</entry>
</expandoProperties>
</groovy.util.Expando>
<int>
1
</int>
</entry>
</map>
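Review bot: the fixture's command is `touch @TOKEN@`, which is Unix-specific; on Windows `ProcessBuilder.start()` cannot find `touch`, the file is never created, and `assertFalse(exploitFile.exists())` passes whether or not the converter blocked the payload. Either guard the tests with `Assume.assumeFalse(Functions.isWindows())` (from `hudson.Functions`) or document that the test is only meaningful on Unix-like systems.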