Fix CVE 2019 10474 and bump dependencies (#12)

* Fix CVE-2019-10474 * update minimal jenkins version remove deprecated calls to jenkins api * change build config
jenkinsci · Mar 24, 2023 · 6ef4d89 · 6ef4d89
1 parent 8893f9b
commit 6ef4d89
Show file tree

Hide file tree

Showing 6 changed files with 26 additions and 21 deletions.
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -1,2 +1,5 @@
-buildPlugin(configurations: buildPlugin.recommendedConfigurations())
-
+buildPlugin(
+  configurations: [
+    [platform: 'linux', jdk: 11],
+    [platform: 'windows', jdk: 11],
+])
diff --git a/pom.xml b/pom.xml
@@ -4,11 +4,11 @@
     <parent>
         <groupId>org.jenkins-ci.plugins</groupId>
         <artifactId>plugin</artifactId>
-        <version>4.37</version>
+        <version>4.54</version>
         <relativePath />
     </parent>
   <artifactId>global-post-script</artifactId>
-  <version>1.1.5-SNAPSHOT</version>
+  <version>1.1.6-SNAPSHOT</version>
   <packaging>hpi</packaging>
 
   <url>https://wiki.jenkins-ci.org/display/JENKINS/Global+Post+Script+Plugin</url>
@@ -23,8 +23,7 @@
 
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-    <java.level>8</java.level>
-    <jenkins.version>2.303.3</jenkins.version>
+    <jenkins.version>2.375.2</jenkins.version>
   </properties>
 
   <developers>
@@ -65,7 +64,6 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-release-plugin</artifactId>
-        <version>2.5</version>
         <configuration>
           <goals>deploy</goals>
         </configuration>

diff --git a/src/main/java/com/orctom/jenkins/plugin/globalpostscript/GlobalPostScript.java b/src/main/java/com/orctom/jenkins/plugin/globalpostscript/GlobalPostScript.java
@@ -54,7 +54,7 @@ public void onCompleted(Run run, TaskListener listener) {
     }
 
     String script = getDescriptorImpl().getScript();
-    File file = new File(Jenkins.getInstance().getRootDir().getAbsolutePath() + SCRIPT_FOLDER, script);
+    File file = new File(Jenkins.get().getRootDir().getAbsolutePath() + SCRIPT_FOLDER, script);
     if (file.exists()) {
       try {
         BadgeManager manager = new BadgeManager(run, listener);
@@ -83,7 +83,7 @@ public Descriptor<GlobalPostScript> getDescriptor() {
   }
 
   public DescriptorImpl getDescriptorImpl() {
-    return (DescriptorImpl) Jenkins.getInstance().getDescriptorOrDie(GlobalPostScript.class);
+    return (DescriptorImpl) Jenkins.get().getDescriptorOrDie(GlobalPostScript.class);
   }
 
   @SuppressWarnings("unchecked")
@@ -141,11 +141,11 @@ public void triggerJob(String jobName, Map<String, String> params) {
       for (Map.Entry<String, String> entry : params.entrySet()) {
         newParams.add(new StringParameterValue(entry.getKey(), entry.getValue()));
       }
-      AbstractProject job = Jenkins.getInstance().getItem(jobName, run.getParent().getParent(), AbstractProject.class);
+      AbstractProject job = Jenkins.get().getItem(jobName, run.getParent().getParent(), AbstractProject.class);
       if (null != job) {
         Cause cause = new Cause.UpstreamCause(run);
         boolean scheduled = job.scheduleBuild(job.getQuietPeriod(), cause, new ParametersAction(newParams));
-        if (Jenkins.getInstance().getItemByFullName(job.getFullName()) == job) {
+        if (Jenkins.get().getItemByFullName(job.getFullName()) == job) {
           String name = ModelHyperlinkNote.encodeTo(job) + "  "
               + ModelHyperlinkNote.encodeTo(
               job.getAbsoluteUrl() + job.getNextBuildNumber() + "/",
@@ -201,7 +201,7 @@ public String getCause() {
         }
       }
 
-      String rootUrl = Jenkins.getInstance().getRootUrl();
+      String rootUrl = Jenkins.get().getRootUrl();
       if (StringUtils.isNotEmpty(rootUrl)) {
         cause.append("on ").append(rootUrl).append(" ");
       }
@@ -226,6 +226,7 @@ public DescriptorImpl() {
     }
 
     public FormValidation doCheckScript(@QueryParameter("script") String name) throws IOException, ServletException {
+      Jenkins.get().checkPermission(Jenkins.ADMINISTER);
       if (StringUtils.isEmpty(name)) {
         return FormValidation.error("Please set the script name");
       }
@@ -238,7 +239,7 @@ public FormValidation doCheckScript(@QueryParameter("script") String name) throw
     public ComboBoxModel doFillScriptItems() {
       ComboBoxModel items = new ComboBoxModel();
 
-      File scriptFolder = new File(Jenkins.getInstance().getRootDir().getAbsolutePath() + SCRIPT_FOLDER);
+      File scriptFolder = new File(Jenkins.get().getRootDir().getAbsolutePath() + SCRIPT_FOLDER);
       FilenameFilter filter = new FilenameFilter() {
         public boolean accept(File dir, String name) {
           String fileName = name.toLowerCase();

diff --git a/src/main/java/com/orctom/jenkins/plugin/globalpostscript/GlobalPostScriptAction.java b/src/main/java/com/orctom/jenkins/plugin/globalpostscript/GlobalPostScriptAction.java
@@ -33,7 +33,7 @@ private static String getIconPath(String icon) {
       return null;
     }
 
-    PluginWrapper wrapper = Jenkins.getInstance().getPluginManager().getPlugin(GlobalPostScriptPlugin.class);
+    PluginWrapper wrapper = Jenkins.get().getPluginManager().getPlugin(GlobalPostScriptPlugin.class);
     boolean pluginIconExists = (wrapper != null) && new File(wrapper.baseResourceURL.getPath() + "/img/" + icon).exists();
     return pluginIconExists ? "/plugin/global-post-script/img/" + icon : Jenkins.RESOURCE_PATH + "/images/16x16/" + icon;
   }

diff --git a/src/main/java/com/orctom/jenkins/plugin/globalpostscript/runner/GroovyScriptRunner.java b/src/main/java/com/orctom/jenkins/plugin/globalpostscript/runner/GroovyScriptRunner.java
@@ -42,11 +42,14 @@ public void run(File scriptFile,
   }
 
   protected ClassLoader getGroovyClassloader() {
-    if (null == Jenkins.getInstance()) {
+    try {
+      Jenkins.get();
+    }
+    catch (IllegalStateException e){
       return getParentClassloader();
     }
-
-    File libFolder = new File(Jenkins.getInstance().getRootDir().getAbsolutePath() + GlobalPostScript.SCRIPT_FOLDER, "lib");
+    
+    File libFolder = new File(Jenkins.get().getRootDir().getAbsolutePath() + GlobalPostScript.SCRIPT_FOLDER, "lib");
     return getGroovyClassloader(libFolder);
   }
 

diff --git a/src/main/java/com/orctom/jenkins/plugin/globalpostscript/runner/ScriptRunner.java b/src/main/java/com/orctom/jenkins/plugin/globalpostscript/runner/ScriptRunner.java
@@ -1,7 +1,6 @@
 package com.orctom.jenkins.plugin.globalpostscript.runner;
 
 import com.orctom.jenkins.plugin.globalpostscript.GlobalPostScript;
-import groovy.lang.GroovyClassLoader;
 import hudson.model.TaskListener;
 import jenkins.model.Jenkins;
 
@@ -24,9 +23,10 @@ protected void println(TaskListener listener, String message) {
   }
 
   protected ClassLoader getParentClassloader() {
-    if (null != Jenkins.getInstance()) {
-      return Jenkins.getInstance().getPluginManager().uberClassLoader;
-    } else {
+    try {
+      return Jenkins.get().getPluginManager().uberClassLoader;
+    }
+    catch (IllegalStateException e){
       return Thread.currentThread().getContextClassLoader();
     }
   }