SECURITY-3447
SNanda8895 committed Nov 4, 2024
1 parent 57fec39 commit a3bb89f
Showing 2 changed files with 41 additions and 2 deletions.
Expand Up @@ -28,6 +28,7 @@
import java.io.File;
import java.io.Serializable;

import jenkins.model.Jenkins;
import org.apache.commons.lang.StringUtils;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;
Expand Down Expand Up @@ -204,6 +205,9 @@ public String getDisplayName() {
}

public FormValidation doCheckPath(@QueryParameter String value, @QueryParameter String oldPath, @QueryParameter boolean shouldBeApproved) {
if(!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
return FormValidation.ok();
}
if (StringUtils.isBlank(value)) {
return FormValidation.warning("Enter a file path or URL."); // TODO I18N

}
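Review bot: The new guard at the top of doCheckPath silently returns `FormValidation.ok()` to non-administrators without a comment saying why, and the reason is security-relevant: the checks that follow (the blank test visible here, and the class-directory detection the new test expects) reveal whether a path exists on the controller file system, so a non-admin must receive a response that is indistinguishable from any other path. I would add `// SECURITY-3447: validation probes the controller file system; only admins may see the result, and ok() (not an error) is deliberate so the reply itself leaks nothing.` above the `if`. One consequence worth recording is that users who can configure a job but lack Overall/Administer now get no feedback from this field at all; if that is intended (the `shouldBeApproved` parameter suggests entries are admin-approved anyway), a sentence in the method's Javadoc would stop the next maintainer from relaxing the check to a job-scoped permission, which would reintroduce the disclosure to job configurers. doCheckPath's body continues outside the hunk.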
Expand Up @@ -29,17 +29,50 @@
import java.io.File;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;

import jenkins.model.Jenkins;
import org.htmlunit.html.HtmlPage;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;

import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.emptyString;
import static org.junit.Assert.*;
import org.jvnet.hudson.test.Issue;

import org.jvnet.hudson.test.*;

public class ClasspathEntryTest {
@Rule public TemporaryFolder rule = new TemporaryFolder();

@Rule public JenkinsRule jr = new JenkinsRule();

@Issue("SECURITY-3447")
@Test
public void testDoCheckPath() throws Exception {
jr.jenkins.setSecurityRealm(jr.createDummySecurityRealm());
jr.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy().
grant(Jenkins.ADMINISTER).everywhere().to("admin")
.grant(Jenkins.READ).everywhere().to("dev"));
Path path = Files.createTempDirectory("temp dir");
try(JenkinsRule.WebClient webClient = jr.createWebClient()) {
webClient.login("admin");
final HtmlPage adminPage = webClient.goTo("descriptor/org.jenkinsci.plugins.scriptsecurity.scripts.ClasspathEntry/checkPath?value=" + path.toUri());
final String adminContent = adminPage.asXml();
assertThat(adminContent, containsString("Class directories are not allowed as classpath entries."));
}
try (JenkinsRule.WebClient devWebClient = jr.createWebClient()) {
devWebClient.login("dev");
final HtmlPage devPage = devWebClient.goTo("descriptor/org.jenkinsci.plugins.scriptsecurity.scripts.ClasspathEntry/checkPath?value=" + path.toUri());
final String devContent = devPage.asNormalizedText();
assertThat(devContent, emptyString());
}
Files.deleteIfExists(path);

}

@WithoutJenkins
@Test public void pathURLConversion() throws Exception {
if (!Functions.isWindows()) {
assertRoundTrip("/tmp/x.jar", "file:/tmp/x.jar");
Expand All @@ -54,6 +87,7 @@ private static void assertRoundTrip(String path, String url) throws Exception {
assertEquals(url, ClasspathEntry.pathToURL(path).toString());
}

@WithoutJenkins
@Test public void classDirDetected() throws Exception {
final File tmpDir = rule.newFolder();
assertTrue("Existing directory must be detected", ClasspathEntry.isClassDirectoryURL(tmpDir.toURI().toURL()));
Expand All @@ -67,6 +101,7 @@ private static void assertRoundTrip(String path, String url) throws Exception {
assertFalse("Generic URLs ending in / are not considered class directories", ClasspathEntry.isClassDirectoryURL(new URL("http://example.com/file")));
}

@WithoutJenkins
@Issue("JENKINS-37599")
@Test public void pathToURL() throws Exception {
ClasspathEntry ignore = new ClasspathEntry("http://nowhere.net/");
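Review bot: testDoCheckPath builds its fixture with `Files.createTempDirectory("temp dir")` and removes it only through the trailing `Files.deleteIfExists(path)`, which never runs when an assertion or the web client throws, so a failing run leaves a directory behind in the system temp location; the class already declares `@Rule public TemporaryFolder rule`, so `Path path = rule.newFolder().toPath();` replaces both lines and gets cleanup for free. The "dev" branch asserts only that the response body is empty for an existing directory; since the property SECURITY-3447 restores is that a non-admin cannot tell existing from non-existing paths apart, it would be worth issuing a second request for a path that does not exist and asserting the two non-admin responses are identical. The remaining hunks in this section only add `@WithoutJenkins` to the tests that do not need a JenkinsRule, which is the right way to keep them fast now that the rule is present.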
