Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
xxadev
jenkins
提交
af9e11c9
J
jenkins
项目概览
xxadev
/
jenkins
与 Fork 源项目一致
从无法访问的项目Fork
通知
3
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
J
jenkins
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
提交
af9e11c9
编写于
6月 19, 2018
作者:
W
Wadeck Follonier
提交者:
Daniel Beck
6月 19, 2018
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
[SECURITY-891]
上级
29ca81dd
变更
2
隐藏空白更改
内联
并排
Showing
2 changed file
with
90 addition
and
2 deletion
+90
-2
core/src/main/java/hudson/model/Queue.java
core/src/main/java/hudson/model/Queue.java
+6
-2
test/src/test/java/hudson/model/QueueTest_SEC891.java
test/src/test/java/hudson/model/QueueTest_SEC891.java
+84
-0
未找到文件。
core/src/main/java/hudson/model/Queue.java
浏览文件 @
af9e11c9
...
...
@@ -755,7 +755,9 @@ public class Queue extends ResourceController implements Saveable {
public
HttpResponse
doCancelItem
(
@QueryParameter
long
id
)
throws
IOException
,
ServletException
{
Item
item
=
getItem
(
id
);
if
(
item
!=
null
)
{
cancel
(
item
);
if
(
item
.
hasCancelPermission
()){
cancel
(
item
);
}
}
// else too late, ignore (JENKINS-14813)
return
HttpResponses
.
forwardToPreviousPage
();
}
...
...
@@ -2193,7 +2195,9 @@ public class Queue extends ResourceController implements Saveable {
@Deprecated
@RequirePOST
public
HttpResponse
doCancelQueue
()
throws
IOException
,
ServletException
{
Jenkins
.
getInstance
().
getQueue
().
cancel
(
this
);
if
(
hasCancelPermission
()){
Jenkins
.
getInstance
().
getQueue
().
cancel
(
this
);
}
return
HttpResponses
.
forwardToPreviousPage
();
}
...
...
test/src/test/java/hudson/model/QueueTest_SEC891.java
0 → 100644
浏览文件 @
af9e11c9
package
hudson.model
;
import
com.gargoylesoftware.htmlunit.HttpMethod
;
import
com.gargoylesoftware.htmlunit.Page
;
import
com.gargoylesoftware.htmlunit.WebRequest
;
import
hudson.model.Cause.UserIdCause
;
import
hudson.slaves.NodeProvisionerRule
;
import
jenkins.model.Jenkins
;
import
org.junit.Rule
;
import
org.junit.Test
;
import
org.jvnet.hudson.test.JenkinsRule
;
import
org.jvnet.hudson.test.MockAuthorizationStrategy
;
import
java.net.URL
;
import
java.util.function.Function
;
import
static
org
.
hamcrest
.
Matchers
.
equalTo
;
import
static
org
.
hamcrest
.
Matchers
.
lessThan
;
import
static
org
.
junit
.
Assert
.
assertFalse
;
import
static
org
.
junit
.
Assert
.
assertThat
;
import
static
org
.
junit
.
Assert
.
assertTrue
;
//TODO merge into QueueTest after security patch
public
class
QueueTest_SEC891
{
@Rule
public
JenkinsRule
r
=
new
NodeProvisionerRule
(-
1
,
0
,
10
);
@Test
public
void
doCancelItem_PermissionIsChecked
()
throws
Exception
{
checkCancelOperationUsingUrl
(
item
->
"queue/cancelItem?id="
+
item
.
getId
());
}
@Test
public
void
doCancelQueue_PermissionIsChecked
()
throws
Exception
{
checkCancelOperationUsingUrl
(
item
->
"queue/item/"
+
item
.
getId
()
+
"/cancelQueue"
);
}
private
void
checkCancelOperationUsingUrl
(
Function
<
Queue
.
Item
,
String
>
urlProvider
)
throws
Exception
{
Queue
q
=
r
.
jenkins
.
getQueue
();
r
.
jenkins
.
setCrumbIssuer
(
null
);
r
.
jenkins
.
setSecurityRealm
(
r
.
createDummySecurityRealm
());
r
.
jenkins
.
setAuthorizationStrategy
(
new
MockAuthorizationStrategy
()
.
grant
(
Jenkins
.
READ
,
Item
.
CANCEL
).
everywhere
().
to
(
"admin"
)
.
grant
(
Jenkins
.
READ
).
everywhere
().
to
(
"user"
)
);
// prevent execution to push stuff into the queue
r
.
jenkins
.
setNumExecutors
(
0
);
assertThat
(
q
.
getItems
().
length
,
equalTo
(
0
));
FreeStyleProject
testProject
=
r
.
createFreeStyleProject
(
"test"
);
testProject
.
scheduleBuild
(
new
UserIdCause
());
Queue
.
Item
[]
items
=
q
.
getItems
();
assertThat
(
items
.
length
,
equalTo
(
1
));
Queue
.
Item
currentOne
=
items
[
0
];
assertFalse
(
currentOne
.
getFuture
().
isCancelled
());
WebRequest
request
=
new
WebRequest
(
new
URL
(
r
.
getURL
()
+
urlProvider
.
apply
(
currentOne
)),
HttpMethod
.
POST
);
{
// user without right cannot cancel
JenkinsRule
.
WebClient
wc
=
r
.
createWebClient
();
wc
.
getOptions
().
setThrowExceptionOnFailingStatusCode
(
false
);
wc
.
getOptions
().
setRedirectEnabled
(
false
);
wc
.
login
(
"user"
);
Page
p
=
wc
.
getPage
(
request
);
// currently the endpoint return a redirection to the previously visited page, none in our case
// (so force no redirect to avoid false positive error)
assertThat
(
p
.
getWebResponse
().
getStatusCode
(),
lessThan
(
400
));
assertFalse
(
currentOne
.
getFuture
().
isCancelled
());
}
{
// user with right can
JenkinsRule
.
WebClient
wc
=
r
.
createWebClient
();
wc
.
getOptions
().
setThrowExceptionOnFailingStatusCode
(
false
);
wc
.
getOptions
().
setRedirectEnabled
(
false
);
wc
.
login
(
"admin"
);
Page
p
=
wc
.
getPage
(
request
);
assertThat
(
p
.
getWebResponse
().
getStatusCode
(),
lessThan
(
400
));
assertTrue
(
currentOne
.
getFuture
().
isCancelled
());
}
}
}
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录
