-
Notifications
You must be signed in to change notification settings - Fork 717
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Co-Authored-By: Francisco Javier Fernandez Gonzalez <fjfernandez@cloudbees.com>
- Loading branch information
1 parent
1c531c1
commit b48a292
Showing
8 changed files
with
232 additions
and
19 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
83 changes: 83 additions & 0 deletions
83
integrations/src/test/java/io/jenkins/plugins/casc/Security1446Test.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,83 @@ | ||
package io.jenkins.plugins.casc; | ||
|
||
import com.cloudbees.plugins.credentials.CredentialsProvider; | ||
import com.cloudbees.plugins.credentials.CredentialsScope; | ||
import com.cloudbees.plugins.credentials.casc.CredentialsRootConfigurator; | ||
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials; | ||
import com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl; | ||
import hudson.ExtensionList; | ||
import io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator; | ||
import io.jenkins.plugins.casc.misc.ConfiguredWithCode; | ||
import io.jenkins.plugins.casc.misc.JenkinsConfiguredWithCodeRule; | ||
import io.jenkins.plugins.casc.model.CNode; | ||
import io.jenkins.plugins.casc.snakeyaml.error.YAMLException; | ||
import io.jenkins.plugins.casc.snakeyaml.nodes.Node; | ||
import java.io.IOException; | ||
import java.io.StringWriter; | ||
import java.util.Collections; | ||
import java.util.List; | ||
import jenkins.model.Jenkins; | ||
import org.jenkinsci.plugins.plaincredentials.StringCredentials; | ||
import org.junit.Rule; | ||
import org.junit.Test; | ||
import org.jvnet.hudson.test.Issue; | ||
|
||
import static org.hamcrest.Matchers.containsString; | ||
import static org.hamcrest.Matchers.is; | ||
import static org.hamcrest.Matchers.not; | ||
import static org.junit.Assert.assertThat; | ||
import static org.junit.Assert.assertTrue; | ||
|
||
public class Security1446Test { | ||
|
||
@Rule | ||
public JenkinsConfiguredWithCodeRule j = new JenkinsConfiguredWithCodeRule(); | ||
|
||
private static final String PATH_PATTERN = "path = \\$\\{PATH\\}"; | ||
private static final String JAVA_HOME_PATTERN = "java-home = \\$\\{JAVA_HOME\\}"; | ||
|
||
@ConfiguredWithCode("Security1446Test.yml") | ||
@Test | ||
@Issue("SECURITY-1446") | ||
public void testImportWithEnvVar() { | ||
List<StandardUsernamePasswordCredentials> userPasswCred = CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,Jenkins.getInstanceOrNull(), null, Collections.emptyList()); | ||
assertThat(userPasswCred.size(), is(1)); | ||
for (StandardUsernamePasswordCredentials cred : userPasswCred) { | ||
assertTrue("The JAVA_HOME environment variable should not be resolved", cred.getUsername().matches(JAVA_HOME_PATTERN)); | ||
assertTrue("The PATH environment variable should not be resolved", cred.getDescription().matches(PATH_PATTERN)); | ||
} | ||
|
||
List<StringCredentials> stringCred = CredentialsProvider.lookupCredentials(StringCredentials.class,Jenkins.getInstanceOrNull(), null, Collections.emptyList()); | ||
assertThat(stringCred.size(), is(1)); | ||
for (StringCredentials cred : stringCred) { | ||
assertTrue("The PATH environment variable should not be resolved", cred.getDescription().matches(PATH_PATTERN)); | ||
} | ||
} | ||
|
||
@Test | ||
@Issue("SECURITY-1446") | ||
public void testExportWithEnvVar() throws Exception { | ||
final String message = "Hello, world! PATH=${PATH} JAVA_HOME=^${JAVA_HOME}"; | ||
ConfiguratorRegistry registry = ConfiguratorRegistry.get(); | ||
ConfigurationContext context = new ConfigurationContext(registry); | ||
CredentialsRootConfigurator root = ExtensionList.lookupSingleton(CredentialsRootConfigurator.class); | ||
|
||
DataBoundConfigurator<UsernamePasswordCredentialsImpl> configurator = new DataBoundConfigurator<>(UsernamePasswordCredentialsImpl.class); | ||
UsernamePasswordCredentialsImpl creds = new UsernamePasswordCredentialsImpl(CredentialsScope.GLOBAL, "test", | ||
message, "foo", "bar"); | ||
final CNode config = configurator.describe(creds, context); | ||
final Node valueNode = ConfigurationAsCode.get().toYaml(config); | ||
final String exported; | ||
try (StringWriter writer = new StringWriter()) { | ||
ConfigurationAsCode.serializeYamlNode(valueNode, writer); | ||
exported = writer.toString(); | ||
} catch (IOException e) { | ||
throw new YAMLException(e); | ||
} | ||
|
||
assertThat("Message was not escaped", exported, not(containsString(message))); | ||
assertThat("Improper masking for PATH", exported, containsString("^${PATH}")); | ||
assertThat("Improper masking for JAVA_HOME", exported, containsString("^^${JAVA_HOME}")); | ||
} | ||
|
||
} |
15 changes: 15 additions & 0 deletions
15
integrations/src/test/resources/io/jenkins/plugins/casc/Security1446Test.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
credentials: | ||
system: | ||
domainCredentials: | ||
- credentials: | ||
- string: | ||
description: "path = ^${PATH}" | ||
id: "system secret escaped" | ||
scope: SYSTEM | ||
secret: "{AQAAABAAAAAQwDmo12BE6995SezdXe1Y9ewaoYR6KgzX46VjtoPDqE0=}" | ||
- usernamePassword: | ||
description: "path = ^${PATH}" | ||
id: "global user-passw escaped" | ||
password: "{AQAAABAAAAAQpNs2vtahkRGcR5vzanaIb4UJkCyeNGdP23/X3+Tl1Ic=}" | ||
scope: GLOBAL | ||
username: "java-home = ^${JAVA_HOME}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters