
[SECURITY-123] Target the current latest LTS and script-security

There were some problems developing with old Jenkins core:
* Can't run with Java7 for JENKINS-18537. (requires >= 1.557 or 1.554.1)
* doFillItems requires RelativePath in the latest Jenkins, but doesn't work with old Jenkins core. (requires >= 1.526)

I decided to target the current LTS to avoid any problems with old cores.
ikedam committed Mar 26, 2017
1 parent ec94034 commit ab3c03d14a891055b09df1b152cac2ce223af471
49 pom.xml
@@ -3,7 +3,7 @@
<parent>
<groupId>org.jenkins-ci.plugins</groupId>
<artifactId>plugin</artifactId>
<version>2.11</version><!-- which version of Jenkins is this plugin built against? -->
<version>2.25</version>
</parent>

<groupId>jp.ikedam.jenkins.plugins</groupId>
@@ -37,16 +37,20 @@
</licenses>

<properties>
<jenkins.version>1.509</jenkins.version>
<jenkins-test-harness.version>1.509</jenkins-test-harness.version>
<java.level>5</java.level>
<jenkins.version>2.32</jenkins.version>
</properties>

<dependencies>
<dependency>
<groupId>org.jenkins-ci.plugins</groupId>
<artifactId>script-security</artifactId>
<version>1.16</version>
<version>1.27</version>
</dependency>
<dependency>
<groupId>org.jenkins-ci.plugins</groupId>
<artifactId>matrix-auth</artifactId>
<version>1.4</version>
<scope>test</scope>
</dependency>
</dependencies>

@@ -59,41 +63,6 @@
<compatibleSinceVersion>1.4.0</compatibleSinceVersion>
</configuration>
</plugin>
<plugin>
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<!-- jenkins-test-harness < 1.545 doesn't support concurrent tests. -->
<forkCount>1</forkCount>
</configuration>
</plugin>
<plugin>
<artifactId>maven-enforcer-plugin</artifactId>
<executions>
<execution>
<id>display-info</id>
<configuration>
<rules>
<bannedDependencies>
<excludes>
<!-- <exclude>org.sonatype.sisu:sisu-guice</exclude> -->
<exclude>log4j:log4j:*:jar:compile</exclude>
<exclude>log4j:log4j:*:jar:runtime</exclude>
<exclude>commons-logging:commons-logging:*:jar:compile</exclude>
<exclude>commons-logging:commons-logging:*:jar:runtime</exclude>
</excludes>
</bannedDependencies>
<enforceBytecodeVersion>
<excludes combine.children="append">
<!-- dependencies via jenkins-core-1.509 -->
<exclude>org.mindrot:jbcrypt</exclude>
<exclude>org.kohsuke:asm3</exclude>
</excludes>
</enforceBytecodeVersion>
</rules>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
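Review bot: Dropping the whole `maven-enforcer-plugin` execution at the end of the build section also drops the `bannedDependencies` rule that kept `log4j:log4j` and `commons-logging:commons-logging` out of compile and runtime scope, so unless parent POM 2.25 carries an equivalent rule a transitive dependency can now silently bundle a second logging framework into the .hpi. Either keep a reduced `<bannedDependencies>` block with just those two excludes, or add a comment next to `<jenkins.version>2.32</jenkins.version>` such as `<!-- banned-dependency and bytecode-level checks are inherited from the plugin parent POM -->` once that is confirmed. The `enforceBytecodeVersion` excludes for `org.mindrot:jbcrypt` and `org.kohsuke:asm3` were tied to core 1.509 per the removed comment and are fine to drop.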

@@ -26,6 +26,7 @@
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import groovy.lang.Binding;
import hudson.Extension;
import hudson.RelativePath;
import hudson.model.Item;
import hudson.model.AbstractProject;
import hudson.model.Descriptor;
@@ -124,7 +125,12 @@ public String getDisplayName()
* @param usePredefinedVariables
* @return the selection of a default choice
*/
public ListBoxModel doFillDefaultChoiceItems(@AncestorInPath Job<?, ?> job, @QueryParameter String script, @QueryParameter boolean sandbox, @QueryParameter boolean usePredefinedVariables)
public ListBoxModel doFillDefaultChoiceItems(
@AncestorInPath Job<?, ?> job,
@RelativePath("groovyScript") @QueryParameter String script,
@RelativePath("groovyScript") @QueryParameter boolean sandbox,
@QueryParameter boolean usePredefinedVariables
)
{
ListBoxModel ret = new ListBoxModel();
ret.add(Messages.ExtensibleChoiceParameterDefinition_NoDefaultChoice(), NoDefaultChoice);
@@ -174,7 +180,14 @@ public ListBoxModel doFillDefaultChoiceItems(@AncestorInPath Job<?, ?> job, @Que
return ret;
}

public FormValidation doTest(@AncestorInPath Job<?, ?> job, @QueryParameter String script, @QueryParameter boolean sandbox, @QueryParameter boolean usePredefinedVariables)
public FormValidation doTest(
@AncestorInPath Job<?, ?> job,
// Define same as `doFillDefaultChoiceItems`
// though @RelativePath isn't actually necessary here.
@RelativePath("groovyScript") @QueryParameter String script,
@RelativePath("groovyScript") @QueryParameter boolean sandbox,
@QueryParameter boolean usePredefinedVariables
)
{
List<String> choices = null;
Job<?,?> project = null;
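Review bot: Both `doFillDefaultChoiceItems` and `doTest` now take a caller-supplied `script` and `sandbox` flag straight from query parameters, yet nothing visible in the hunk checks permissions before the script is evaluated; since `hudson.model.Item` is already imported, the first statement of each should be `job.checkPermission(Item.CONFIGURE);` (with an `ADMINISTER` check as the fallback when `job` is null), unless the body beyond the hunk already does this. `doTest` executes Groovy as a side effect of a request, so it should be reachable only via POST — annotating it `@RequirePOST` prevents a crafted GET link from triggering script execution in a logged-in user's browser. Note that a forged `sandbox=false` only runs an unapproved script if the surrounding approval gate is not enforced, so it is worth confirming how the method bodies (which continue past the hunk) handle the non-sandbox path.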
@@ -110,6 +110,9 @@ public void testDescriptorDoCheckNameOk()

// OK: blank in the end
assertEquals(descriptor.doCheckName(" _abc_1_2_3 ").kind, FormValidation.Kind.OK);

// OK: value contains dots (accepted since Jenkins 1.526)
assertEquals(descriptor.doCheckName("a.b").kind, FormValidation.Kind.OK);
}

/**
@@ -142,9 +145,6 @@ public void testDescriptorDoCheckNameError()

// WARNING: value contains a multibyte letter.
assertEquals(descriptor.doCheckName("ab").kind, FormValidation.Kind.WARNING);

// WARNING: value contains dots (will be accepted since Jenkins 1.526)
assertEquals(descriptor.doCheckName("a.b").kind, FormValidation.Kind.WARNING);
}

public static class MockChoiceListProvider extends ChoiceListProvider
@@ -23,15 +23,8 @@
*/
package jp.ikedam.jenkins.plugins.extensible_choice_parameter;

import hudson.Util;
import hudson.PluginWrapper;

import java.io.IOException;

import org.apache.commons.httpclient.HttpStatus;
import org.jvnet.hudson.test.JenkinsRule;
import org.jvnet.hudson.test.TestEnvironment;
import org.jvnet.hudson.test.TestPluginManager;

import com.gargoylesoftware.htmlunit.WebResponse;

@@ -40,73 +33,6 @@
*/
public class ExtensibleChoiceParameterJenkinsRule extends JenkinsRule
{
private static Thread deleteThread = null;

/**
* Cleanup the temporary directory created by org.jvnet.hudson.test.TestPluginManager.
* Needed for Jenkins < 1.510
*/
public static synchronized void registerCleanup()
{
if(deleteThread != null)
{
return;
}
deleteThread = new Thread("HOTFIX: cleanup " + TestPluginManager.INSTANCE.rootDir)
{
@Override public void run()
{
if(TestPluginManager.INSTANCE != null
&& TestPluginManager.INSTANCE.rootDir != null
&& TestPluginManager.INSTANCE.rootDir.exists())
{
// Work as PluginManager#stop
for(PluginWrapper p: TestPluginManager.INSTANCE.getPlugins())
{
p.stop();
p.releaseClassLoader();
}
TestPluginManager.INSTANCE.getPlugins().clear();
System.gc();
try
{
Util.deleteRecursive(TestPluginManager.INSTANCE.rootDir);
}
catch (IOException x)
{
x.printStackTrace();
}
}
}
};

Runtime.getRuntime().addShutdownHook(deleteThread);
}

static
{
registerCleanup();
}

@Override
protected void after()
{
super.after();

// TestEnvironment is not cleaned in Jenkins < 1.482.
if(TestEnvironment.get() != null)
{
try
{
TestEnvironment.get().dispose();
}
catch(Exception e)
{
e.printStackTrace();
}
}
}

/**
* Get Web Client that allows 405 Method Not Allowed.
* This happens when accessing build page of a project with parameters.
@@ -373,7 +373,7 @@ public void testDescriptorConfigure() throws Exception
// update the descriptor to the state I want to submit.
descriptor.setChoiceListEntryList(Arrays.asList(validEntry1, validEntry2, validEntry3));

HtmlForm configForm = wc.goTo("/configure").getFormByName("config");
HtmlForm configForm = wc.goTo("configure").getFormByName("config");

// update the descriptor to the another state.
descriptor.setChoiceListEntryList(null);
@@ -402,7 +402,7 @@ public void testDescriptorConfigure() throws Exception
// update the descriptor to the state I want to submit.
descriptor.setChoiceListEntryList(Arrays.asList(invalidEntry1, validEntry2, validEntry3));

HtmlForm configForm = wc.goTo("/configure").getFormByName("config");
HtmlForm configForm = wc.goTo("configure").getFormByName("config");

// update the descriptor to the another state.
descriptor.setChoiceListEntryList(null);
@@ -431,7 +431,7 @@ public void testDescriptorConfigure() throws Exception
// update the descriptor to the state I want to submit.
descriptor.setChoiceListEntryList(null);

HtmlForm configForm = wc.goTo("/configure").getFormByName("config");
HtmlForm configForm = wc.goTo("configure").getFormByName("config");

// update the descriptor to the another state.
descriptor.setChoiceListEntryList(Arrays.asList(validEntry1, validEntry2));
@@ -35,6 +35,7 @@
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;

import java.io.File;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
@@ -52,7 +53,7 @@
import org.jvnet.hudson.test.recipes.LocalData;

import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
import com.gargoylesoftware.htmlunit.html.HtmlElement;
import com.gargoylesoftware.htmlunit.html.DomElement;
import com.gargoylesoftware.htmlunit.html.HtmlPage;
import com.gargoylesoftware.htmlunit.html.HtmlSelect;

@@ -440,7 +441,7 @@ public void testVariables() throws Exception
WebClient wc = j.createAllow405WebClient();
HtmlPage page = wc.getPage(p, "build");

List<HtmlElement> elements = page.getElementsByTagName("select");
List<DomElement> elements = page.getElementsByTagName("select");
assertEquals(1, elements.size());
assertTrue(elements.get(0) instanceof HtmlSelect);
HtmlSelect sel = (HtmlSelect)elements.get(0);
@@ -465,7 +466,7 @@ public void testProjectVariable() throws Exception
WebClient wc = j.createAllow405WebClient();
HtmlPage page = wc.getPage(p, "build");

List<HtmlElement> elements = page.getElementsByTagName("select");
List<DomElement> elements = page.getElementsByTagName("select");
assertEquals(1, elements.size());
assertTrue(elements.get(0) instanceof HtmlSelect);
HtmlSelect sel = (HtmlSelect)elements.get(0);
@@ -562,14 +563,17 @@ public void testConfiguration1() throws Exception
@Test
public void testConfiguration2() throws Exception
{
// An arbitrary absolute path
String classPath = new File(j.jenkins.getRootDir(), "userContent/somepath.jar").getAbsolutePath();

ExtensibleChoiceParameterDefinition def = new ExtensibleChoiceParameterDefinition(
"test",
new SystemGroovyChoiceListProvider(
new SecureGroovyScript(
"[1, 2, 3]",
false, // sandbox
Arrays.asList(
new ClasspathEntry("somepath")
new ClasspathEntry(classPath)
)
),
null, // cannot configure default choice without sandbox.
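Review bot: The comment `// An arbitrary absolute path` above the new `classPath` local says what it is but not why the previous relative `"somepath"` was replaced, so a reader hitting a failure here will not know whether `ClasspathEntry` now requires an absolute path or whether this is just a preference. Suggest `// ClasspathEntry needs an absolute path here; presumably the relative "somepath" is no longer accepted after the script-security bump. The file need not exist.` — drop the last clause if the test creates the jar, which the hunk does not show. The `ExtensibleChoiceParameterDefinition` constructor call and the rest of `testConfiguration2` continue past the end of the hunk.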
