Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
xxadev
jenkins
提交
b000130a
J
jenkins
项目概览
xxadev
/
jenkins
与 Fork 源项目一致
从无法访问的项目Fork
通知
3
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
J
jenkins
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
提交
b000130a
编写于
6月 20, 2018
作者:
D
Daniel Beck
浏览文件
操作
浏览文件
下载
差异文件
Merge branch 'security-stable-2.89' into security-stable-2.107
上级
cea7e83f
58e56498
变更
11
隐藏空白更改
内联
并排
Showing
11 changed file
with
328 addition
and
7 deletion
+328
-7
core/pom.xml
core/pom.xml
+1
-1
core/src/main/java/hudson/Plugin.java
core/src/main/java/hudson/Plugin.java
+5
-1
core/src/main/java/hudson/model/BuildTimelineWidget.java
core/src/main/java/hudson/model/BuildTimelineWidget.java
+4
-1
core/src/main/java/hudson/model/Queue.java
core/src/main/java/hudson/model/Queue.java
+6
-2
core/src/main/java/hudson/model/User.java
core/src/main/java/hudson/model/User.java
+33
-1
core/src/main/java/hudson/slaves/SlaveComputer.java
core/src/main/java/hudson/slaves/SlaveComputer.java
+2
-0
core/src/main/resources/hudson/model/BuildTimelineWidget/control.jelly
.../resources/hudson/model/BuildTimelineWidget/control.jelly
+1
-1
test/src/test/java/hudson/PluginTest_SEC925.java
test/src/test/java/hudson/PluginTest_SEC925.java
+33
-0
test/src/test/java/hudson/model/QueueTest_SEC891.java
test/src/test/java/hudson/model/QueueTest_SEC891.java
+84
-0
test/src/test/java/hudson/model/UserRestartTest_SEC897.java
test/src/test/java/hudson/model/UserRestartTest_SEC897.java
+71
-0
test/src/test/java/jenkins/security/stapler/Security914Test.java
...c/test/java/jenkins/security/stapler/Security914Test.java
+88
-0
未找到文件。
core/pom.xml
浏览文件 @
b000130a
...
...
@@ -39,7 +39,7 @@ THE SOFTWARE.
<properties>
<staplerFork>
true
</staplerFork>
<stapler.version>
1.254
</stapler.version>
<stapler.version>
1.254
.1
</stapler.version>
<spring.version>
2.5.6.SEC03
</spring.version>
<groovy.version>
2.4.11
</groovy.version>
<!-- TODO: Actually many issues are being filtered by src/findbugs/findbugs-excludes.xml -->
...
...
core/src/main/java/hudson/Plugin.java
浏览文件 @
b000130a
...
...
@@ -228,7 +228,11 @@ public abstract class Plugin implements Saveable {
String
path
=
req
.
getRestOfPath
();
String
pathUC
=
path
.
toUpperCase
(
Locale
.
ENGLISH
);
if
(
path
.
isEmpty
()
||
path
.
contains
(
".."
)
||
path
.
startsWith
(
"."
)
||
path
.
contains
(
"%"
)
||
pathUC
.
contains
(
"META-INF"
)
||
pathUC
.
contains
(
"WEB-INF"
))
{
if
(
path
.
isEmpty
()
||
path
.
contains
(
".."
)
||
path
.
startsWith
(
"."
)
||
path
.
contains
(
"%"
)
||
pathUC
.
contains
(
"META-INF"
)
||
pathUC
.
contains
(
"WEB-INF"
)
// ClassicPluginStrategy#explode produce that file to know if a new explosion is required or not
||
pathUC
.
equals
(
"/.TIMESTAMP2"
)
)
{
LOGGER
.
warning
(
"rejecting possibly malicious "
+
req
.
getRequestURIWithQueryString
());
rsp
.
sendError
(
HttpServletResponse
.
SC_BAD_REQUEST
);
return
;
...
...
core/src/main/java/hudson/model/BuildTimelineWidget.java
浏览文件 @
b000130a
...
...
@@ -23,6 +23,7 @@
*/
package
hudson.model
;
import
hudson.Util
;
import
hudson.util.RunList
;
import
org.kohsuke.stapler.QueryParameter
;
import
org.kohsuke.stapler.StaplerRequest
;
...
...
@@ -64,7 +65,9 @@ public class BuildTimelineWidget {
Event
e
=
new
Event
();
e
.
start
=
new
Date
(
r
.
getStartTimeInMillis
());
e
.
end
=
new
Date
(
r
.
getStartTimeInMillis
()+
r
.
getDuration
());
e
.
title
=
r
.
getFullDisplayName
();
// due to SimileAjax.HTML.deEntify (in simile-ajax-bundle.js), "<" are transformed back to "<", but not the "<";
// to protect against XSS
e
.
title
=
Util
.
escape
(
r
.
getFullDisplayName
()).
replace
(
"<"
,
"<"
);
// what to put in the description?
// e.description = "Longish description of event "+r.getFullDisplayName();
// e.durationEvent = true;
...
...
core/src/main/java/hudson/model/Queue.java
浏览文件 @
b000130a
...
...
@@ -757,7 +757,9 @@ public class Queue extends ResourceController implements Saveable {
public
HttpResponse
doCancelItem
(
@QueryParameter
long
id
)
throws
IOException
,
ServletException
{
Item
item
=
getItem
(
id
);
if
(
item
!=
null
)
{
cancel
(
item
);
if
(
item
.
hasCancelPermission
()){
cancel
(
item
);
}
}
// else too late, ignore (JENKINS-14813)
return
HttpResponses
.
forwardToPreviousPage
();
}
...
...
@@ -2256,7 +2258,9 @@ public class Queue extends ResourceController implements Saveable {
@Deprecated
@RequirePOST
public
HttpResponse
doCancelQueue
()
throws
IOException
,
ServletException
{
Jenkins
.
getInstance
().
getQueue
().
cancel
(
this
);
if
(
hasCancelPermission
()){
Jenkins
.
getInstance
().
getQueue
().
cancel
(
this
);
}
return
HttpResponses
.
forwardToPreviousPage
();
}
...
...
core/src/main/java/hudson/model/User.java
浏览文件 @
b000130a
...
...
@@ -490,7 +490,8 @@ public class User extends AbstractModelObject implements AccessControlled, Descr
byNameLock
.
readLock
().
unlock
();
}
final
File
configFile
=
getConfigFileFor
(
id
);
if
(
unsanitizedLegacyConfigFile
.
exists
()
&&
!
unsanitizedLegacyConfigFile
.
equals
(
configFile
))
{
boolean
mustMigrateLegacyConfig
=
isMigrationRequiredForLegacyConfigFile
(
unsanitizedLegacyConfigFile
,
configFile
);
if
(
mustMigrateLegacyConfig
)
{
File
ancestor
=
unsanitizedLegacyConfigFile
.
getParentFile
();
if
(!
configFile
.
exists
())
{
try
{
...
...
@@ -552,6 +553,37 @@ public class User extends AbstractModelObject implements AccessControlled, Descr
}
return
u
;
}
private
static
boolean
isMigrationRequiredForLegacyConfigFile
(
@Nonnull
File
legacyConfigFile
,
@Nonnull
File
newConfigFile
){
boolean
mustMigrateLegacyConfig
=
legacyConfigFile
.
exists
()
&&
!
legacyConfigFile
.
equals
(
newConfigFile
);
if
(
mustMigrateLegacyConfig
){
try
{
// TODO Could be replace by Util.isDescendant(getRootDir(), legacyConfigFile) in 2.80+
String
canonicalLegacy
=
legacyConfigFile
.
getCanonicalPath
();
String
canonicalUserDir
=
getRootDir
().
getCanonicalPath
();
if
(!
canonicalLegacy
.
startsWith
(
canonicalUserDir
+
File
.
separator
)){
// without that check, the application config.xml could be moved (i.e. erased from application PoV)
mustMigrateLegacyConfig
=
false
;
LOGGER
.
log
(
Level
.
WARNING
,
String
.
format
(
"Attempt to escape from users directory with %s, migration aborted, see SECURITY-897 for more information"
,
legacyConfigFile
.
getAbsolutePath
()
));
}
}
catch
(
IOException
e
){
mustMigrateLegacyConfig
=
false
;
LOGGER
.
log
(
Level
.
WARNING
,
String
.
format
(
"Failed to determine the canonical path of %s, migration aborted, see SECURITY-897 for more information"
,
legacyConfigFile
.
getAbsolutePath
()
),
e
);
}
}
return
mustMigrateLegacyConfig
;
}
/**
* Gets the {@link User} object by its id or full name.
...
...
core/src/main/java/hudson/slaves/SlaveComputer.java
浏览文件 @
b000130a
...
...
@@ -669,6 +669,8 @@ public class SlaveComputer extends Computer {
@RequirePOST
public
void
doLaunchSlaveAgent
(
StaplerRequest
req
,
StaplerResponse
rsp
)
throws
IOException
,
ServletException
{
checkPermission
(
CONNECT
);
if
(
channel
!=
null
)
{
req
.
getView
(
this
,
"already-launched.jelly"
).
forward
(
req
,
rsp
);
return
;
...
...
core/src/main/resources/hudson/model/BuildTimelineWidget/control.jelly
浏览文件 @
b000130a
...
...
@@ -56,7 +56,7 @@ THE SOFTWARE.
onSuccess: function(t) {
if (t.status != 0) {
try {
eventSource1.loadJSON(
eval('('+t.responseText+')'
),'.');
eventSource1.loadJSON(
JSON.parse(t.responseText
),'.');
getData(eventSource1, current-1, min, max);
} catch (e) {
alert(e);
...
...
test/src/test/java/hudson/PluginTest_SEC925.java
0 → 100644
浏览文件 @
b000130a
package
hudson
;
import
hudson.model.UpdateCenter
;
import
jenkins.model.Jenkins
;
import
org.junit.Rule
;
import
org.junit.Test
;
import
org.jvnet.hudson.test.Issue
;
import
org.jvnet.hudson.test.JenkinsRule
;
import
javax.servlet.http.HttpServletResponse
;
import
java.util.Arrays
;
import
java.util.List
;
import
java.util.concurrent.Future
;
//TODO merge it within PluginTest after the security release
public
class
PluginTest_SEC925
{
@Rule
public
JenkinsRule
r
=
new
JenkinsRule
();
@Test
@Issue
(
"SECURITY-925"
)
public
void
preventTimestamp2_toBeServed
()
throws
Exception
{
// impossible to use installDetachedPlugin("credentials") since we want to have it exploded like with WAR
Jenkins
.
getInstance
().
getUpdateCenter
().
getSites
().
get
(
0
).
updateDirectlyNow
(
false
);
List
<
Future
<
UpdateCenter
.
UpdateCenterJob
>>
pluginInstalled
=
r
.
jenkins
.
pluginManager
.
install
(
Arrays
.
asList
(
"credentials"
),
true
);
for
(
Future
<
UpdateCenter
.
UpdateCenterJob
>
job
:
pluginInstalled
)
{
job
.
get
();
}
r
.
createWebClient
().
assertFails
(
"plugin/credentials/.timestamp2"
,
HttpServletResponse
.
SC_BAD_REQUEST
);
}
}
test/src/test/java/hudson/model/QueueTest_SEC891.java
0 → 100644
浏览文件 @
b000130a
package
hudson.model
;
import
com.gargoylesoftware.htmlunit.HttpMethod
;
import
com.gargoylesoftware.htmlunit.Page
;
import
com.gargoylesoftware.htmlunit.WebRequest
;
import
hudson.model.Cause.UserIdCause
;
import
hudson.slaves.NodeProvisionerRule
;
import
jenkins.model.Jenkins
;
import
org.junit.Rule
;
import
org.junit.Test
;
import
org.jvnet.hudson.test.JenkinsRule
;
import
org.jvnet.hudson.test.MockAuthorizationStrategy
;
import
java.net.URL
;
import
java.util.function.Function
;
import
static
org
.
hamcrest
.
Matchers
.
equalTo
;
import
static
org
.
hamcrest
.
Matchers
.
lessThan
;
import
static
org
.
junit
.
Assert
.
assertFalse
;
import
static
org
.
junit
.
Assert
.
assertThat
;
import
static
org
.
junit
.
Assert
.
assertTrue
;
//TODO merge into QueueTest after security patch
public
class
QueueTest_SEC891
{
@Rule
public
JenkinsRule
r
=
new
NodeProvisionerRule
(-
1
,
0
,
10
);
@Test
public
void
doCancelItem_PermissionIsChecked
()
throws
Exception
{
checkCancelOperationUsingUrl
(
item
->
"queue/cancelItem?id="
+
item
.
getId
());
}
@Test
public
void
doCancelQueue_PermissionIsChecked
()
throws
Exception
{
checkCancelOperationUsingUrl
(
item
->
"queue/item/"
+
item
.
getId
()
+
"/cancelQueue"
);
}
private
void
checkCancelOperationUsingUrl
(
Function
<
Queue
.
Item
,
String
>
urlProvider
)
throws
Exception
{
Queue
q
=
r
.
jenkins
.
getQueue
();
r
.
jenkins
.
setCrumbIssuer
(
null
);
r
.
jenkins
.
setSecurityRealm
(
r
.
createDummySecurityRealm
());
r
.
jenkins
.
setAuthorizationStrategy
(
new
MockAuthorizationStrategy
()
.
grant
(
Jenkins
.
READ
,
Item
.
CANCEL
).
everywhere
().
to
(
"admin"
)
.
grant
(
Jenkins
.
READ
).
everywhere
().
to
(
"user"
)
);
// prevent execution to push stuff into the queue
r
.
jenkins
.
setNumExecutors
(
0
);
assertThat
(
q
.
getItems
().
length
,
equalTo
(
0
));
FreeStyleProject
testProject
=
r
.
createFreeStyleProject
(
"test"
);
testProject
.
scheduleBuild
(
new
UserIdCause
());
Queue
.
Item
[]
items
=
q
.
getItems
();
assertThat
(
items
.
length
,
equalTo
(
1
));
Queue
.
Item
currentOne
=
items
[
0
];
assertFalse
(
currentOne
.
getFuture
().
isCancelled
());
WebRequest
request
=
new
WebRequest
(
new
URL
(
r
.
getURL
()
+
urlProvider
.
apply
(
currentOne
)),
HttpMethod
.
POST
);
{
// user without right cannot cancel
JenkinsRule
.
WebClient
wc
=
r
.
createWebClient
();
wc
.
getOptions
().
setThrowExceptionOnFailingStatusCode
(
false
);
wc
.
getOptions
().
setRedirectEnabled
(
false
);
wc
.
login
(
"user"
);
Page
p
=
wc
.
getPage
(
request
);
// currently the endpoint return a redirection to the previously visited page, none in our case
// (so force no redirect to avoid false positive error)
assertThat
(
p
.
getWebResponse
().
getStatusCode
(),
lessThan
(
400
));
assertFalse
(
currentOne
.
getFuture
().
isCancelled
());
}
{
// user with right can
JenkinsRule
.
WebClient
wc
=
r
.
createWebClient
();
wc
.
getOptions
().
setThrowExceptionOnFailingStatusCode
(
false
);
wc
.
getOptions
().
setRedirectEnabled
(
false
);
wc
.
login
(
"admin"
);
Page
p
=
wc
.
getPage
(
request
);
assertThat
(
p
.
getWebResponse
().
getStatusCode
(),
lessThan
(
400
));
assertTrue
(
currentOne
.
getFuture
().
isCancelled
());
}
}
}
test/src/test/java/hudson/model/UserRestartTest_SEC897.java
0 → 100644
浏览文件 @
b000130a
package
hudson.model
;
import
com.gargoylesoftware.htmlunit.WebRequest
;
import
hudson.FilePath
;
import
org.junit.Rule
;
import
org.junit.Test
;
import
org.junit.runners.model.Statement
;
import
org.jvnet.hudson.test.JenkinsRule
;
import
org.jvnet.hudson.test.RestartableJenkinsRule
;
import
java.net.URL
;
import
java.nio.charset.StandardCharsets
;
import
java.util.Base64
;
import
static
org
.
hamcrest
.
core
.
IsEqual
.
equalTo
;
import
static
org
.
junit
.
Assert
.
assertThat
;
//TODO after the security fix, it could be merged inside UserRestartTest
public
class
UserRestartTest_SEC897
{
@Rule
public
RestartableJenkinsRule
rr
=
new
RestartableJenkinsRule
();
@Test
public
void
legacyConfigMoveCannotEscapeUserFolder
()
{
rr
.
addStep
(
new
Statement
()
{
@Override
public
void
evaluate
()
throws
Throwable
{
rr
.
j
.
jenkins
.
setSecurityRealm
(
rr
.
j
.
createDummySecurityRealm
());
assertThat
(
rr
.
j
.
jenkins
.
isUseSecurity
(),
equalTo
(
true
));
// in order to create the folder "users"
User
.
getById
(
"admin"
,
true
).
save
();
{
// attempt with ".."
JenkinsRule
.
WebClient
wc
=
rr
.
j
.
createWebClient
();
wc
.
getOptions
().
setThrowExceptionOnFailingStatusCode
(
false
);
WebRequest
request
=
new
WebRequest
(
new
URL
(
rr
.
j
.
jenkins
.
getRootUrl
()
+
"whoAmI/api/xml"
));
request
.
setAdditionalHeader
(
"Authorization"
,
base64
(
".."
,
"any-password"
));
wc
.
getPage
(
request
);
}
{
// attempt with "../users/.."
JenkinsRule
.
WebClient
wc
=
rr
.
j
.
createWebClient
();
wc
.
getOptions
().
setThrowExceptionOnFailingStatusCode
(
false
);
WebRequest
request
=
new
WebRequest
(
new
URL
(
rr
.
j
.
jenkins
.
getRootUrl
()
+
"whoAmI/api/xml"
));
request
.
setAdditionalHeader
(
"Authorization"
,
base64
(
"../users/.."
,
"any-password"
));
wc
.
getPage
(
request
);
}
// security is still active
assertThat
(
rr
.
j
.
jenkins
.
isUseSecurity
(),
equalTo
(
true
));
// but, the config file was moved
FilePath
rootPath
=
rr
.
j
.
jenkins
.
getRootPath
();
assertThat
(
rootPath
.
child
(
"config.xml"
).
exists
(),
equalTo
(
true
));
}
});
rr
.
addStep
(
new
Statement
()
{
@Override
public
void
evaluate
()
throws
Throwable
{
assertThat
(
rr
.
j
.
jenkins
.
isUseSecurity
(),
equalTo
(
true
));
FilePath
rootPath
=
rr
.
j
.
jenkins
.
getRootPath
();
assertThat
(
rootPath
.
child
(
"config.xml"
).
exists
(),
equalTo
(
true
));
}
});
}
private
String
base64
(
String
login
,
String
password
)
{
return
"Basic "
+
Base64
.
getEncoder
().
encodeToString
((
login
+
":"
+
password
).
getBytes
(
StandardCharsets
.
UTF_8
));
}
}
test/src/test/java/jenkins/security/stapler/Security914Test.java
0 → 100644
浏览文件 @
b000130a
/*
* The MIT License
*
* Copyright (c) 2018, CloudBees, Inc.
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
package
jenkins.security.stapler
;
import
com.gargoylesoftware.htmlunit.Page
;
import
com.gargoylesoftware.htmlunit.WebRequest
;
import
hudson.Functions
;
import
org.junit.Assume
;
import
org.junit.Rule
;
import
org.junit.Test
;
import
org.jvnet.hudson.test.Issue
;
import
org.jvnet.hudson.test.JenkinsRule
;
import
org.jvnet.hudson.test.TestPluginManager
;
import
java.net.URL
;
import
static
org
.
junit
.
Assert
.
assertEquals
;
import
static
org
.
junit
.
Assert
.
assertNotEquals
;
@Issue
(
"SECURITY-914"
)
public
class
Security914Test
{
@Rule
public
JenkinsRule
j
=
new
JenkinsRule
();
@Test
public
void
cannotUseInvalidLocale_toTraverseFolder
()
throws
Exception
{
Assume
.
assumeTrue
(
Functions
.
isWindows
());
if
(
j
.
jenkins
.
pluginManager
.
getPlugin
(
"credentials"
)
==
null
)
{
((
TestPluginManager
)
j
.
jenkins
.
pluginManager
).
installDetachedPlugin
(
"credentials"
);
}
j
.
createWebClient
().
goTo
(
"plugin/credentials/images/24x24/credentials.png"
,
"image/png"
);
JenkinsRule
.
WebClient
wc
=
j
.
createWebClient
();
wc
.
getOptions
().
setThrowExceptionOnFailingStatusCode
(
false
);
WebRequest
request
=
new
WebRequest
(
new
URL
(
j
.
getURL
()
+
"plugin/credentials/.xml"
));
// plugin deployed in: test\target\jenkins7375296945862059919tmp
// rootDir is in : test\target\jenkinsTests.tmp\jenkins1274934531848159942test
// j.jenkins.getRootDir().getName() = jenkins1274934531848159942test
request
.
setAdditionalHeader
(
"Accept-Language"
,
"../../../../jenkinsTests.tmp/"
+
j
.
jenkins
.
getRootDir
().
getName
()
+
"/config"
);
Page
p
=
wc
.
getPage
(
request
);
assertEquals
(
p
.
getWebResponse
().
getStatusCode
(),
404
);
assertNotEquals
(
p
.
getWebResponse
().
getContentType
(),
"application/xml"
);
}
@Test
public
void
cannotUseInvalidLocale_toAnyFileInSystem
()
throws
Exception
{
Assume
.
assumeTrue
(
Functions
.
isWindows
());
if
(
j
.
jenkins
.
pluginManager
.
getPlugin
(
"credentials"
)
==
null
)
{
((
TestPluginManager
)
j
.
jenkins
.
pluginManager
).
installDetachedPlugin
(
"credentials"
);
}
j
.
createWebClient
().
goTo
(
"plugin/credentials/images/24x24/credentials.png"
,
"image/png"
);
JenkinsRule
.
WebClient
wc
=
j
.
createWebClient
();
wc
.
getOptions
().
setThrowExceptionOnFailingStatusCode
(
false
);
WebRequest
request
=
new
WebRequest
(
new
URL
(
j
.
getURL
()
+
"plugin/credentials/.ini"
));
// ../ can be multiply to infinity, no impact, we just need to have enough to reach the root
request
.
setAdditionalHeader
(
"Accept-Language"
,
"../../../../../../../../../../../../windows/win"
);
Page
p
=
wc
.
getPage
(
request
);
assertEquals
(
p
.
getWebResponse
().
getStatusCode
(),
404
);
assertEquals
(
p
.
getWebResponse
().
getContentType
(),
"text/html"
);
}
}
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录