Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
xxadev
jenkins
提交
dbab00ab
J
jenkins
项目概览
xxadev
/
jenkins
与 Fork 源项目一致
从无法访问的项目Fork
通知
3
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
J
jenkins
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
提交
dbab00ab
编写于
8月 01, 2018
作者:
D
Daniel Beck
浏览文件
操作
浏览文件
下载
差异文件
Merge branch 'security-stable-2.89' into security-stable-2.107
上级
386599c4
df1250ab
变更
4
隐藏空白更改
内联
并排
Showing
4 changed file
with
297 addition
and
1 deletion
+297
-1
core/src/main/java/hudson/util/XStream2.java
core/src/main/java/hudson/util/XStream2.java
+3
-0
core/src/main/java/jenkins/util/xstream/SafeURLConverter.java
.../src/main/java/jenkins/util/xstream/SafeURLConverter.java
+55
-0
pom.xml
pom.xml
+1
-1
test/src/test/java/jenkins/security/Security637Test.java
test/src/test/java/jenkins/security/Security637Test.java
+238
-0
未找到文件。
core/src/main/java/hudson/util/XStream2.java
浏览文件 @
dbab00ab
...
...
@@ -54,6 +54,7 @@ import hudson.diagnosis.OldDataMonitor;
import
hudson.remoting.ClassFilter
;
import
hudson.util.xstream.ImmutableSetConverter
;
import
hudson.util.xstream.ImmutableSortedSetConverter
;
import
jenkins.util.xstream.SafeURLConverter
;
import
jenkins.model.Jenkins
;
import
hudson.model.Label
;
import
hudson.model.Result
;
...
...
@@ -248,6 +249,8 @@ public class XStream2 extends XStream {
registerConverter
(
new
CopyOnWriteMap
.
Tree
.
ConverterImpl
(
getMapper
()),
10
);
// needs to override MapConverter
registerConverter
(
new
DescribableList
.
ConverterImpl
(
getMapper
()),
10
);
// explicitly added to handle subtypes
registerConverter
(
new
Label
.
ConverterImpl
(),
10
);
// SECURITY-637 against URL deserialization
registerConverter
(
new
SafeURLConverter
(),
10
);
// this should come after all the XStream's default simpler converters,
// but before reflection-based one kicks in.
...
...
core/src/main/java/jenkins/util/xstream/SafeURLConverter.java
0 → 100644
浏览文件 @
dbab00ab
/*
* The MIT License
*
* Copyright (c) 2018 CloudBees, Inc.
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
package
jenkins.util.xstream
;
import
com.thoughtworks.xstream.converters.ConversionException
;
import
com.thoughtworks.xstream.converters.basic.URLConverter
;
import
hudson.remoting.URLDeserializationHelper
;
import
org.kohsuke.accmod.Restricted
;
import
org.kohsuke.accmod.restrictions.NoExternalUse
;
import
java.io.IOException
;
import
java.net.URL
;
import
java.net.URLStreamHandler
;
/**
* Wrap the URL handler during deserialization into a specific one that does not generate DNS query on the hostname
* for {@link URLStreamHandler#equals(URL, URL)} or {@link URLStreamHandler#hashCode(URL)}.
* Required to protect against SECURITY-637
*
* @since TODO
*/
@Restricted
(
NoExternalUse
.
class
)
public
class
SafeURLConverter
extends
URLConverter
{
@Override
public
Object
fromString
(
String
str
)
{
URL
url
=
(
URL
)
super
.
fromString
(
str
);
try
{
return
URLDeserializationHelper
.
wrapIfRequired
(
url
);
}
catch
(
IOException
e
)
{
throw
new
ConversionException
(
e
);
}
}
}
pom.xml
浏览文件 @
dbab00ab
...
...
@@ -105,7 +105,7 @@ THE SOFTWARE.
<maven-war-plugin.version>
3.0.0
</maven-war-plugin.version>
<!-- JENKINS-47127 bump when 3.2.0 is out. Cf. MWAR-407 -->
<!-- Minimum Remoting version, which is tested for API compatibility -->
<remoting.version>
3.17
</remoting.version>
<remoting.version>
3.17
.1
</remoting.version>
<remoting.minimum.supported.version>
2.60
</remoting.minimum.supported.version>
</properties>
...
...
test/src/test/java/jenkins/security/Security637Test.java
0 → 100644
浏览文件 @
dbab00ab
/*
* The MIT License
*
* Copyright (c) 2018 CloudBees, Inc.
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
package
jenkins.security
;
import
hudson.Launcher
;
import
hudson.model.AbstractBuild
;
import
hudson.model.BuildListener
;
import
hudson.model.FreeStyleProject
;
import
hudson.model.JobProperty
;
import
hudson.model.JobPropertyDescriptor
;
import
hudson.slaves.DumbSlave
;
import
org.apache.commons.lang.StringUtils
;
import
org.junit.Rule
;
import
org.junit.Test
;
import
org.junit.runners.model.Statement
;
import
org.jvnet.hudson.test.Issue
;
import
org.jvnet.hudson.test.RestartableJenkinsRule
;
import
org.jvnet.hudson.test.TestExtension
;
import
java.io.IOException
;
import
java.lang.reflect.Field
;
import
java.net.URL
;
import
java.net.URLStreamHandler
;
import
java.util.HashSet
;
import
java.util.Set
;
import
static
org
.
hamcrest
.
CoreMatchers
.
containsString
;
import
static
org
.
hamcrest
.
CoreMatchers
.
equalTo
;
import
static
org
.
hamcrest
.
CoreMatchers
.
not
;
import
static
org
.
junit
.
Assert
.
assertEquals
;
import
static
org
.
junit
.
Assert
.
assertNotNull
;
import
static
org
.
junit
.
Assert
.
assertThat
;
public
class
Security637Test
{
@Rule
public
RestartableJenkinsRule
rr
=
new
RestartableJenkinsRule
();
@Test
@Issue
(
"SECURITY-637"
)
public
void
urlSafeDeserialization_handler_inSameJVMRemotingContext
()
{
rr
.
addStep
(
new
Statement
()
{
@Override
public
void
evaluate
()
throws
Exception
{
DumbSlave
slave
=
rr
.
j
.
createOnlineSlave
();
String
unsafeHandlerClassName
=
slave
.
getChannel
().
call
(
new
URLHandlerCallable
(
new
URL
(
"https://www.google.com/"
)));
assertThat
(
unsafeHandlerClassName
,
containsString
(
"SafeURLStreamHandler"
));
String
safeHandlerClassName
=
slave
.
getChannel
().
call
(
new
URLHandlerCallable
(
new
URL
(
"file"
,
null
,
-
1
,
""
,
null
)));
assertThat
(
safeHandlerClassName
,
not
(
containsString
(
"SafeURLStreamHandler"
)));
}
});
}
private
static
class
URLHandlerCallable
extends
MasterToSlaveCallable
<
String
,
Exception
>
{
private
URL
url
;
public
URLHandlerCallable
(
URL
url
)
{
this
.
url
=
url
;
}
@Override
public
String
call
()
throws
Exception
{
Field
handlerField
=
URL
.
class
.
getDeclaredField
(
"handler"
);
handlerField
.
setAccessible
(
true
);
URLStreamHandler
handler
=
(
URLStreamHandler
)
handlerField
.
get
(
url
);
return
handler
.
getClass
().
getName
();
}
}
@Test
@Issue
(
"SECURITY-637"
)
public
void
urlDnsEquivalence
()
{
rr
.
addStep
(
new
Statement
()
{
@Override
public
void
evaluate
()
throws
Exception
{
// due to the DNS resolution they are equal
assertEquals
(
new
URL
(
"https://jenkins.io"
),
new
URL
(
"https://www.jenkins.io"
)
);
}
});
}
@Test
@Issue
(
"SECURITY-637"
)
public
void
urlSafeDeserialization_urlBuiltInAgent_inSameJVMRemotingContext
()
{
rr
.
addStep
(
new
Statement
()
{
@Override
public
void
evaluate
()
throws
Exception
{
DumbSlave
slave
=
rr
.
j
.
createOnlineSlave
();
// we bypass the standard equals method that resolve the hostname
assertThat
(
slave
.
getChannel
().
call
(
new
URLBuilderCallable
(
"https://jenkins.io"
)),
not
(
equalTo
(
slave
.
getChannel
().
call
(
new
URLBuilderCallable
(
"https://www.jenkins.io"
))
))
);
}
});
}
private
static
class
URLBuilderCallable
extends
MasterToSlaveCallable
<
URL
,
Exception
>
{
private
String
url
;
public
URLBuilderCallable
(
String
url
)
{
this
.
url
=
url
;
}
@Override
public
URL
call
()
throws
Exception
{
return
new
URL
(
url
);
}
}
@Test
@Issue
(
"SECURITY-637"
)
public
void
urlSafeDeserialization_urlBuiltInMaster_inSameJVMRemotingContext
()
{
rr
.
addStep
(
new
Statement
()
{
@Override
public
void
evaluate
()
throws
Exception
{
DumbSlave
slave
=
rr
.
j
.
createOnlineSlave
();
// we bypass the standard equals method that resolve the hostname
assertThat
(
slave
.
getChannel
().
call
(
new
URLTransferCallable
(
new
URL
(
"https://jenkins.io"
))),
not
(
equalTo
(
slave
.
getChannel
().
call
(
new
URLTransferCallable
(
new
URL
(
"https://www.jenkins.io"
)))
))
);
// due to the DNS resolution they are equal
assertEquals
(
new
URL
(
"https://jenkins.io"
),
new
URL
(
"https://www.jenkins.io"
)
);
}
});
}
// the URL is serialized / deserialized twice, master => agent and then agent => master
private
static
class
URLTransferCallable
extends
MasterToSlaveCallable
<
URL
,
Exception
>
{
private
URL
url
;
public
URLTransferCallable
(
URL
url
)
{
this
.
url
=
url
;
}
@Override
public
URL
call
()
throws
Exception
{
return
url
;
}
}
@Test
@Issue
(
"SECURITY-637"
)
public
void
urlSafeDeserialization_inXStreamContext
()
{
rr
.
addStep
(
new
Statement
()
{
@Override
public
void
evaluate
()
throws
Exception
{
FreeStyleProject
project
=
rr
.
j
.
createFreeStyleProject
(
"project-with-url"
);
URLJobProperty
URLJobProperty
=
new
URLJobProperty
(
// url to be wrapped
new
URL
(
"https://www.google.com/"
),
// safe url, not required to be wrapped
new
URL
(
"https"
,
null
,
-
1
,
""
,
null
)
);
project
.
addProperty
(
URLJobProperty
);
project
.
save
();
}
});
rr
.
addStep
(
new
Statement
()
{
@Override
public
void
evaluate
()
throws
Exception
{
FreeStyleProject
project
=
rr
.
j
.
jenkins
.
getItemByFullName
(
"project-with-url"
,
FreeStyleProject
.
class
);
assertNotNull
(
project
);
Field
handlerField
=
URL
.
class
.
getDeclaredField
(
"handler"
);
handlerField
.
setAccessible
(
true
);
URLJobProperty
urlJobProperty
=
project
.
getProperty
(
URLJobProperty
.
class
);
for
(
URL
url
:
urlJobProperty
.
urlSet
)
{
URLStreamHandler
handler
=
(
URLStreamHandler
)
handlerField
.
get
(
url
);
if
(
StringUtils
.
isEmpty
(
url
.
getHost
()))
{
assertThat
(
handler
.
getClass
().
getName
(),
not
(
containsString
(
"SafeURLStreamHandler"
)));
}
else
{
assertThat
(
handler
.
getClass
().
getName
(),
containsString
(
"SafeURLStreamHandler"
));
}
}
}
});
}
public
static
class
URLJobProperty
extends
JobProperty
<
FreeStyleProject
>
{
private
Set
<
URL
>
urlSet
;
public
URLJobProperty
(
URL
...
urls
)
throws
Exception
{
this
.
urlSet
=
new
HashSet
<>();
for
(
URL
url
:
urls
)
{
urlSet
.
add
(
url
);
}
}
@Override
public
boolean
perform
(
AbstractBuild
<?,
?>
build
,
Launcher
launcher
,
BuildListener
listener
)
throws
InterruptedException
,
IOException
{
return
true
;
}
@TestExtension
(
"urlSafeDeserialization_inXStreamContext"
)
public
static
class
DescriptorImpl
extends
JobPropertyDescriptor
{}
}
}
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录