[SECURITY-170] More tests

a7264a96 · Antonio Muñiz · eb2b62e1 · a7264a96 · a7264a96
2 changed file
--- a/core/src/main/java/hudson/model/ParametersAction.java
+++ b/core/src/main/java/hudson/model/ParametersAction.java
@@ -276,8 +276,9 @@ public class ParametersAction implements RunAction2, Iterable<ParameterValue>, Q
                filteredParameters.add(v);
            } else {
                LOGGER.log(Level.WARNING, "Skipped parameter `{0}` as it is undefined on `{1}`. Set `-D{2}`=true to allow "
-                        + "undefined parameters to be injected as environment variables, even though it represents a security breach",
-                        new Object [] { v.getName(), run.getParent().getFullName(), KEEP_UNDEFINED_PARAMETERS_SYSTEM_PROPERTY_NAME });
+                        + "undefined parameters to be injected as environment variables or `-D{3}=[comma-separated list]` to whitelist specific parameter names, "
+                        + "even though it represents a security breach",
+                        new Object [] { v.getName(), run.getParent().getFullName(), KEEP_UNDEFINED_PARAMETERS_SYSTEM_PROPERTY_NAME, SAFE_PARAMETERS_SYSTEM_PROPERTY_NAME });
            }
        }


--- a/test/src/test/java/hudson/model/ParametersActionTest2.java
+++ b/test/src/test/java/hudson/model/ParametersActionTest2.java
@@ -149,6 +149,42 @@ public class ParametersActionTest2 {
        }
    }

+    @Test
+    @Issue("SECURITY-170")
+    public void nonParameterizedJob() throws Exception {
+        FreeStyleProject p = j.createFreeStyleProject();
+        FreeStyleBuild build = j.assertBuildStatusSuccess(p.scheduleBuild2(0, new Cause.UserIdCause(), new ParametersAction(
+                new StringParameterValue("foo", "baz"),
+                new StringParameterValue("bar", "bar")
+        )));
+
+        assertTrue("foo parameter is not listed in getParameters",
+                !hasParameterWithName(build.getAction(ParametersAction.class), "foo"));
+        assertTrue("bar parameter is not listed in getParameters",
+                !hasParameterWithName(build.getAction(ParametersAction.class), "bar"));
+    }
+
+    @Test
+    @Issue("SECURITY-170")
+    public void nonParameterizedJobButWhitelisted() throws Exception {
+        FreeStyleProject p = j.createFreeStyleProject();
+
+        try {
+            System.setProperty(ParametersAction.SAFE_PARAMETERS_SYSTEM_PROPERTY_NAME, "foo,bar");
+            FreeStyleBuild build2 = j.assertBuildStatusSuccess(p.scheduleBuild2(0, new Cause.UserIdCause(), new ParametersAction(
+                    new StringParameterValue("foo", "baz"),
+                    new StringParameterValue("bar", "bar")
+            )));
+
+            assertTrue("foo parameter is listed in getParameters",
+                    hasParameterWithName(build2.getAction(ParametersAction.class), "foo"));
+            assertTrue("bar parameter is listed in getParameters",
+                    hasParameterWithName(build2.getAction(ParametersAction.class), "bar"));
+        } finally {
+            System.clearProperty(ParametersAction.SAFE_PARAMETERS_SYSTEM_PROPERTY_NAME);
+        }
+    }
+
    public static boolean hasParameterWithName(Iterable<ParameterValue> values, String name) {
        for (ParameterValue v : values) {
            if (v.getName().equals(name)) {