Commit eecef803
Authored on Jul 02, 2019
Author: Jeff Thompson
Merge branch 'security-stable-2.150' into security-stable-2.164
Parents: b330f719 5126b6c0
Showing 2 changed files with 110 additions and 3 deletions (+110 -3)
core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java (+21 -3)
test/src/test/java/hudson/security/csrf/DefaultCrumbIssuerSEC626Test.java (+89 -0)
core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java
...
@@ -18,14 +18,19 @@ import hudson.Util;
...
@@ -18,14 +18,19 @@ import hudson.Util;
import
jenkins.model.Jenkins
;
import
jenkins.model.Jenkins
;
import
hudson.model.ModelObject
;
import
hudson.model.ModelObject
;
import
javax.annotation.Nonnull
;
import
javax.servlet.ServletRequest
;
import
javax.servlet.ServletRequest
;
import
javax.servlet.http.HttpServletRequest
;
import
javax.servlet.http.HttpServletRequest
;
import
javax.servlet.http.HttpSession
;
import
jenkins.security.HexStringConfidentialKey
;
import
jenkins.security.HexStringConfidentialKey
;
import
net.sf.json.JSONObject
;
import
net.sf.json.JSONObject
;
import
org.acegisecurity.Authentication
;
import
org.acegisecurity.Authentication
;
import
org.jenkinsci.Symbol
;
import
org.jenkinsci.Symbol
;
import
org.kohsuke.accmod.Restricted
;
import
org.kohsuke.accmod.restrictions.NoExternalUse
;
import
org.kohsuke.stapler.DataBoundConstructor
;
import
org.kohsuke.stapler.DataBoundConstructor
;
import
org.kohsuke.stapler.StaplerRequest
;
import
org.kohsuke.stapler.StaplerRequest
;
...
@@ -39,6 +44,9 @@ public class DefaultCrumbIssuer extends CrumbIssuer {
...
@@ -39,6 +44,9 @@ public class DefaultCrumbIssuer extends CrumbIssuer {
private
transient
MessageDigest
md
;
private
transient
MessageDigest
md
;
private
boolean
excludeClientIPFromCrumb
;
private
boolean
excludeClientIPFromCrumb
;
@Restricted
(
NoExternalUse
.
class
)
public
static
/* non-final: Groovy Console */
boolean
EXCLUDE_SESSION_ID
=
SystemProperties
.
getBoolean
(
DefaultCrumbIssuer
.
class
.
getName
()
+
".EXCLUDE_SESSION_ID"
);
@DataBoundConstructor
@DataBoundConstructor
public
DefaultCrumbIssuer
(
boolean
excludeClientIPFromCrumb
)
{
public
DefaultCrumbIssuer
(
boolean
excludeClientIPFromCrumb
)
{
try
{
try
{
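Review bot: the new EXCLUDE_SESSION_ID field has no Javadoc, and a public mutable flag that switches off part of the CSRF protection needs one at the declaration. It should state that the value is read once from the system property hudson.security.csrf.DefaultCrumbIssuer.EXCLUDE_SESSION_ID at class initialization, that setting it to true restores the pre-SECURITY-626 behaviour of a crumb that stays valid across sessions for the same user and client IP, and that, because the field is deliberately non-final (the inline comment says "non-final: Groovy Console") and the crumb is a digest of the inputs rather than a stored token, flipping it at runtime changes what every outstanding crumb is checked against from that moment on. @Restricted(NoExternalUse.class) correctly keeps plugins off it; an escape hatch this sharp should also log a warning when it is found enabled.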
...
@@ -76,13 +84,15 @@ public class DefaultCrumbIssuer extends CrumbIssuer {
...
@@ -76,13 +84,15 @@ public class DefaultCrumbIssuer extends CrumbIssuer {
HttpServletRequest
req
=
(
HttpServletRequest
)
request
;
HttpServletRequest
req
=
(
HttpServletRequest
)
request
;
StringBuilder
buffer
=
new
StringBuilder
();
StringBuilder
buffer
=
new
StringBuilder
();
Authentication
a
=
Jenkins
.
getAuthentication
();
Authentication
a
=
Jenkins
.
getAuthentication
();
if
(
a
!=
null
)
{
buffer
.
append
(
a
.
getName
());
buffer
.
append
(
a
.
getName
());
}
buffer
.
append
(
';'
);
buffer
.
append
(
';'
);
if
(!
isExcludeClientIPFromCrumb
())
{
if
(!
isExcludeClientIPFromCrumb
())
{
buffer
.
append
(
getClientIP
(
req
));
buffer
.
append
(
getClientIP
(
req
));
}
}
if
(!
EXCLUDE_SESSION_ID
)
{
buffer
.
append
(
';'
);
buffer
.
append
(
getSessionId
(
req
));
}
md
.
update
(
buffer
.
toString
().
getBytes
());
md
.
update
(
buffer
.
toString
().
getBytes
());
return
Util
.
toHexString
(
md
.
digest
(
salt
.
getBytes
()));
return
Util
.
toHexString
(
md
.
digest
(
salt
.
getBytes
()));
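Review bot: binding the crumb to the session ID is the fix, but it changes the contract for API clients and the class Javadoc or help text should say so: a crumb obtained in one session is now only accepted on requests that carry the same session cookie, so scripts that fetch a crumb and then POST without a cookie jar will be rejected (the new test expects "No valid crumb" in exactly that situation). The `;` separator is appended inside the `if (!EXCLUDE_SESSION_ID)` block, which is right because it keeps the flagged-off output byte-identical to the previous version; a one-line comment saying that is intentional would stop someone from "tidying" it out. Pre-existing but visible in this hunk: `buffer.toString().getBytes()` uses the platform default charset, so a user name with non-ASCII characters hashes differently on JVMs with different `file.encoding`; if this line is touched again, `getBytes(StandardCharsets.UTF_8)` is the safer choice.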
...
@@ -91,6 +101,14 @@ public class DefaultCrumbIssuer extends CrumbIssuer {
...
@@ -91,6 +101,14 @@ public class DefaultCrumbIssuer extends CrumbIssuer {
return
null
;
return
null
;
}
}
private
String
getSessionId
(
@Nonnull
HttpServletRequest
request
)
{
HttpSession
session
=
request
.
getSession
(
false
);
if
(
session
==
null
)
{
return
"NO_SESSION"
;
}
return
session
.
getId
();
}
/**
/**
* {@inheritDoc}
* {@inheritDoc}
*/
*/
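Review bot: `request.getSession(false)` is the right call here, since issuing a crumb must not create a session for stateless API requests, but the `"NO_SESSION"` sentinel means every session-less request for the same user and client IP hashes identical input, so for those requests the crumb is exactly as strong as before this change. Add a comment on the private method making that explicit: the session binding only protects cookie-based browser sessions, the constant is a deliberate fallback rather than a bug, and returning null there is not an option because the caller appends the result straight into the digest input.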
...
...
test/src/test/java/hudson/security/csrf/DefaultCrumbIssuerSEC626Test.java
0 → 100644
/**
* Copyright (c) 2008-2010 Yahoo! Inc.
* All rights reserved.
* The copyrights to the contents of this file are licensed under the MIT License (http://www.opensource.org/licenses/mit-license.php)
*/
package
hudson.security.csrf
;
import
com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException
;
import
com.gargoylesoftware.htmlunit.html.DomElement
;
import
com.gargoylesoftware.htmlunit.html.HtmlPage
;
import
hudson.model.User
;
import
org.junit.Before
;
import
org.junit.Rule
;
import
org.junit.Test
;
import
org.jvnet.hudson.test.Issue
;
import
org.jvnet.hudson.test.JenkinsRule
;
import
org.jvnet.hudson.test.JenkinsRule.WebClient
;
import
static
org
.
junit
.
Assert
.
assertEquals
;
import
static
org
.
junit
.
Assert
.
assertTrue
;
import
static
org
.
junit
.
Assert
.
fail
;
/**
*
* @author dty
*/
//TODO merge back to DefaultCrumbIssuerTest
public
class
DefaultCrumbIssuerSEC626Test
{
@Rule
public
JenkinsRule
r
=
new
JenkinsRule
();
@Before
public
void
setIssuer
()
{
r
.
jenkins
.
setCrumbIssuer
(
new
DefaultCrumbIssuer
(
false
));
}
@Test
@Issue
(
"SECURITY-626"
)
public
void
crumbOnlyValidForOneSession
()
throws
Exception
{
r
.
jenkins
.
setSecurityRealm
(
r
.
createDummySecurityRealm
());
DefaultCrumbIssuer
issuer
=
new
DefaultCrumbIssuer
(
false
);
r
.
jenkins
.
setCrumbIssuer
(
issuer
);
User
.
getById
(
"foo"
,
true
);
DefaultCrumbIssuer
.
EXCLUDE_SESSION_ID
=
true
;
compareDifferentSessions_tokenAreEqual
(
true
);
DefaultCrumbIssuer
.
EXCLUDE_SESSION_ID
=
false
;
compareDifferentSessions_tokenAreEqual
(
false
);
}
private
void
compareDifferentSessions_tokenAreEqual
(
boolean
areEqual
)
throws
Exception
{
WebClient
wc
=
r
.
createWebClient
();
wc
.
login
(
"foo"
);
HtmlPage
p
=
wc
.
goTo
(
"configure"
);
String
crumb1
=
p
.
getElementByName
(
"Jenkins-Crumb"
).
getAttribute
(
"value"
);
r
.
submit
(
p
.
getFormByName
(
"config"
));
wc
.
goTo
(
"logout"
);
wc
.
login
(
"foo"
);
p
=
wc
.
goTo
(
"configure"
);
String
crumb2
=
p
.
getElementByName
(
"Jenkins-Crumb"
).
getAttribute
(
"value"
);
r
.
submit
(
p
.
getFormByName
(
"config"
));
assertEquals
(
crumb1
.
equals
(
crumb2
),
areEqual
);
if
(
areEqual
)
{
r
.
submit
(
p
.
getFormByName
(
"config"
));
}
else
{
replaceAllCrumbInPageBy
(
p
,
crumb1
);
try
{
// submit the form with previous session crumb
r
.
submit
(
p
.
getFormByName
(
"config"
));
fail
();
}
catch
(
FailingHttpStatusCodeException
e
)
{
assertTrue
(
e
.
getMessage
().
contains
(
"No valid crumb"
));
}
}
}
private
void
replaceAllCrumbInPageBy
(
HtmlPage
page
,
String
newCrumb
)
{
for
(
DomElement
el
:
page
.
getElementsByName
(
"Jenkins-Crumb"
))
{
el
.
setAttribute
(
"value"
,
newCrumb
);
}
}
}
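Review bot: crumbOnlyValidForOneSession mutates the process-wide static `DefaultCrumbIssuer.EXCLUDE_SESSION_ID` (first to true, then to false) and never restores it, so a failure in the first `compareDifferentSessions_tokenAreEqual(true)` call leaves the flag set for every later test in the same JVM; wrap the two calls in try/finally or add an @After that resets the field to the value captured before the test. Two smaller points: `assertEquals(crumb1.equals(crumb2), areEqual)` has the expected and actual arguments reversed, which makes the failure message misleading (`assertEquals(areEqual, crumb1.equals(crumb2))`); and the file header carries the 2008-2010 Yahoo! copyright and `@author dty` copied from the test the TODO says this will be merged back into, so keep that TODO alive. The negative case itself is thorough: it fetches a crumb, logs out, logs in again, swaps the old crumb into every `Jenkins-Crumb` field with `replaceAllCrumbInPageBy`, and requires the submit to fail with "No valid crumb".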