
[JENKINS-49574] - Whitelist calendar classes and improve the unit test

oleg-nenashev committed Feb 16, 2018
1 parent 566a831 commit c9172d8d113a6ae092d62f6c06426975fb1f7fed
Showing with 30 additions and 4 deletions.
  1. +10 −0 src/main/resources/META-INF/hudson.remoting.ClassFilter
  2. +20 −4 src/test/java/hudson/scm/JEP200Test.java
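--- a/src/main/resources/META-INF/hudson.remoting.ClassFilter
+++ b/src/main/resources/META-INF/hudson.remoting.ClassFilter
@@ -0,0 +1,10 @@
+# For JENKINS-49574
+# Calendar class implementation has a custom deserialization logic, but it seems to be safe.
+java.util.Calendar
+java.util.GregorianCalendar
+java.util.SimpleTimeZone
+sun.util.BuddhistCalendar
+java.util.JapaneseImperialCalendar
+java.util.TimeZone
+java.util.SimpleTimeZone
+sun.util.calendar.ZoneInfo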
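Review bot: `java.util.SimpleTimeZone` appears twice in this new whitelist (the third and seventh class entries), so one of the two lines can be dropped. The header comment justifies the entries only with "it seems to be safe", which is a thin record for classes that run custom deserialization logic; I would replace it with what was actually reviewed, for example `# Reviewed the custom readObject() of each class below: <what was checked, and against which JDK>`. `sun.util.BuddhistCalendar` and `sun.util.calendar.ZoneInfo` are JDK-internal names, so a comment such as `# JDK-internal implementation classes; names may differ on other JDKs` would help whoever revisits the list.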
@@ -25,14 +25,19 @@

import com.google.common.base.Predicate;
import hudson.remoting.ClassFilter;
import hudson.util.VersionNumber;
import jenkins.model.Jenkins;
import jenkins.security.ClassFilterImpl;
import org.junit.Rule;
import org.junit.Test;
import org.jvnet.hudson.test.Issue;
import org.jvnet.hudson.test.JenkinsRule;
import org.reflections.ReflectionUtils;

import javax.annotation.Nullable;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.util.Set;
import static java.lang.reflect.Modifier.*;

@@ -46,13 +51,24 @@
public JenkinsRule j = new JenkinsRule();

@Test
@Issue("JENKINS-49574")
@Issue("JENKINS-49574") // Fails on Jenkins 2.102+
public void checkClassesForDefaultRemotingBlacklist() {
ClassFilter f = ClassFilter.DEFAULT;
ClassFilter cf;
try {
Class<?> cfclazz = Class.forName("jenkins.security.ClassFilterImpl");
Constructor c = cfclazz.getDeclaredConstructor();
c.setAccessible(true);
cf = (ClassFilter) c.newInstance();
} catch (ClassNotFoundException | IllegalAccessException | NoSuchMethodException | InvocationTargetException | InstantiationException ex) {
if (new VersionNumber(Jenkins.VERSION).isNewerThan(new VersionNumber("2.101"))) {
throw new AssertionError("Jenkins version is newer than 2.101, jenkins.security.ClassFilterImpl should be creatable", ex);
}
cf = ClassFilter.DEFAULT;
}

//TODO: It checks abstract classes, but not implementation
//TODO: Use ReflectionUtils to automatically determine Callable Structures
checkClasses(f, CvsChangeSet.class, CvsFile.class, CVSChangeLogSet.CVSChangeLog.class);
//TODO: Use ReflectionUtils to automatically determine Callable Structures, then move it to a generic test
checkClasses(cf, CvsChangeSet.class, CvsFile.class, CVSChangeLogSet.CVSChangeLog.class);
}

private void checkClasses(ClassFilter cf, Class<?> ... c) throws AssertionError {
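Review bot: The multi-catch around the reflective construction of `jenkins.security.ClassFilterImpl` treats every failure alike, so on a core at or below 2.101 an `InvocationTargetException` or `InstantiationException` from a class that does exist is silently replaced by `ClassFilter.DEFAULT`, and the test can pass without exercising the filter it was meant to check. I would keep the fallback only for `catch (ClassNotFoundException | NoSuchMethodException ex)` and rethrow the other three as `AssertionError` regardless of version. `Constructor c` is a raw type and should be declared `Constructor<?> c`. The import hunk also lists `jenkins.security.ClassFilterImpl` while this code loads the class by name, which looks contradictory: if the class can be missing at compile time the import breaks the build, and if it cannot, `Class.forName` is unnecessary. `checkClasses` begins on the last line of the hunk and its body is not visible here.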
