From 4cf2dc5d8776b119e25d203abbe695fc618c5129 Mon Sep 17 00:00:00 2001 From: Swapna Date: Mon, 4 Nov 2024 12:52:17 +0530 Subject: [PATCH] SECURITY-3447 --- .../scripts/ClasspathEntry.java | 4 ++ .../scripts/ClasspathEntryTest.java | 39 ++++++++++++++++++- 2 files changed, 41 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntry.java b/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntry.java index 1a59b008d..051979517 100644 --- a/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntry.java +++ b/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntry.java @@ -28,6 +28,7 @@ import java.io.File; import java.io.Serializable; +import jenkins.model.Jenkins; import org.apache.commons.lang.StringUtils; import org.kohsuke.accmod.Restricted; import org.kohsuke.accmod.restrictions.NoExternalUse; @@ -204,6 +205,9 @@ public String getDisplayName() { } public FormValidation doCheckPath(@QueryParameter String value, @QueryParameter String oldPath, @QueryParameter boolean shouldBeApproved) { + if(!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) { + return FormValidation.ok(); + } if (StringUtils.isBlank(value)) { return FormValidation.warning("Enter a file path or URL."); // TODO I18N } diff --git a/src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntryTest.java b/src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntryTest.java index 58926a68f..e926b7dd9 100644 --- a/src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntryTest.java +++ b/src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntryTest.java @@ -29,17 +29,50 @@ import java.io.File; import java.net.MalformedURLException; import java.net.URL; +import java.nio.file.Files; +import java.nio.file.Path; +import jenkins.model.Jenkins; +import org.htmlunit.html.HtmlPage; import org.junit.Rule; import org.junit.Test; import org.junit.rules.TemporaryFolder; +import static org.hamcrest.Matchers.containsString; +import static org.hamcrest.Matchers.emptyString; import static org.junit.Assert.*; -import org.jvnet.hudson.test.Issue; + +import org.jvnet.hudson.test.*; public class ClasspathEntryTest { @Rule public TemporaryFolder rule = new TemporaryFolder(); - + @Rule public JenkinsRule jr = new JenkinsRule(); + + @Issue("SECURITY-3447") + @Test + public void testDoCheckPath() throws Exception { + jr.jenkins.setSecurityRealm(jr.createDummySecurityRealm()); + jr.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy(). + grant(Jenkins.ADMINISTER).everywhere().to("admin") + .grant(Jenkins.READ).everywhere().to("dev")); + Path path = Files.createTempDirectory("temp dir"); + try(JenkinsRule.WebClient webClient = jr.createWebClient()) { + webClient.login("admin"); + final HtmlPage adminPage = webClient.goTo("descriptor/org.jenkinsci.plugins.scriptsecurity.scripts.ClasspathEntry/checkPath?value=" + path.toUri()); + final String adminContent = adminPage.asXml(); + assertThat(adminContent, containsString("Class directories are not allowed as classpath entries.")); + } + try (JenkinsRule.WebClient devWebClient = jr.createWebClient()) { + devWebClient.login("dev"); + final HtmlPage devPage = devWebClient.goTo("descriptor/org.jenkinsci.plugins.scriptsecurity.scripts.ClasspathEntry/checkPath?value=" + path.toUri()); + final String devContent = devPage.asNormalizedText(); + assertThat(devContent, emptyString()); + } + Files.deleteIfExists(path); + + } + + @WithoutJenkins @Test public void pathURLConversion() throws Exception { if (!Functions.isWindows()) { assertRoundTrip("/tmp/x.jar", "file:/tmp/x.jar"); @@ -54,6 +87,7 @@ private static void assertRoundTrip(String path, String url) throws Exception { assertEquals(url, ClasspathEntry.pathToURL(path).toString()); } + @WithoutJenkins @Test public void classDirDetected() throws Exception { final File tmpDir = rule.newFolder(); assertTrue("Existing directory must be detected", ClasspathEntry.isClassDirectoryURL(tmpDir.toURI().toURL())); @@ -67,6 +101,7 @@ private static void assertRoundTrip(String path, String url) throws Exception { assertFalse("Generic URLs ending in / are not considered class directories", ClasspathEntry.isClassDirectoryURL(new URL("http://example.com/file"))); } + @WithoutJenkins @Issue("JENKINS-37599") @Test public void pathToURL() throws Exception { ClasspathEntry ignore = new ClasspathEntry("http://nowhere.net/");