Merge pull request #73 from jenkinsci-cert/20161116-for-1.625

[SECURITY-360] 2016/11/16 security fix for 1.625

Merge pull request #73 from jenkinsci-cert/20161116-for-1.625
[SECURITY-360] 2016/11/16 security fix for 1.625
ce8a2d51 · Jesse Glick · GitHub · e7db5264 · b379e773 · ce8a2d51
4 changed file
--- a/pom.xml
+++ b/pom.xml
@@ -179,7 +179,7 @@ THE SOFTWARE.
      <dependency>
        <groupId>org.jenkins-ci.main</groupId>
        <artifactId>remoting</artifactId>
-        <version>2.53.3</version>
+        <version>2.53.4</version>
      </dependency>

      <dependency>

--- a/test/src/test/java/jenkins/security/Security218CliTest.java
+++ b/test/src/test/java/jenkins/security/Security218CliTest.java
@@ -161,6 +161,15 @@ public class Security218CliTest {
        probe(Payload.Spring2, -1);
    }
    
+    @PresetData(PresetData.DataSet.ANONYMOUS_READONLY)
+    @Test
+    @Issue("SECURITY-360")
+    public void ldap() throws Exception {
+        // with a proper fix, this should fail with EXIT_CODE_REJECTED
+        // otherwise this will fail with -1 exit code
+        probe(Payload.Ldap, PayloadCaller.EXIT_CODE_REJECTED);
+    }
+
    private void probe(Payload payload, int expectedResultCode) throws Exception {
        File file = File.createTempFile("security-218", payload + "-payload");
        File moved = new File(file.getAbsolutePath() + "-moved");

--- a/test/src/test/java/jenkins/security/security218/Payload.java
+++ b/test/src/test/java/jenkins/security/security218/Payload.java
@@ -24,7 +24,6 @@
 package jenkins.security.security218;

 import jenkins.security.security218.ysoserial.payloads.*;
-import net.sf.json.JSON;


 /**
@@ -46,8 +45,10 @@ public enum Payload {
    JRMPListener(JRMPListener.class),
    JSON1(JSON1.class),
    Spring1(Spring1.class),
-    Spring2(Spring2.class);
-    
+    Spring2(Spring2.class),
+    Ldap(Ldap.class),
+    ;
+
    private final Class<? extends ObjectPayload> payloadClass;
    
    private Payload(Class<? extends ObjectPayload> payloadClass) {

--- a/test/src/test/java/jenkins/security/security218/ysoserial/payloads/Ldap.java
+++ b/test/src/test/java/jenkins/security/security218/ysoserial/payloads/Ldap.java
+package jenkins.security.security218.ysoserial.payloads;
+
+import jenkins.security.security218.ysoserial.util.PayloadRunner;
+
+import java.lang.reflect.Constructor;
+
+/**
+ * @author Kohsuke Kawaguchi
+ */
+public class Ldap extends PayloadRunner implements ObjectPayload<Object> {
+
+	public Object getObject(final String command) throws Exception {
+	    // this is not a fully exploit, so we cannot honor the command,
+        // but we want to check that we are blocking LdapAttribute
+        Class<?> c = Class.forName("com.sun.jndi.ldap.LdapAttribute");
+        Constructor<?> ctr = c.getDeclaredConstructor(String.class);
+        ctr.setAccessible(true);
+        return ctr.newInstance("foo");
+	}
+
+	public static void main(final String[] args) throws Exception {
+		PayloadRunner.run(Ldap.class, args);
+	}
+}