[SECURITY-1658] Transform initial expressions for parameters in closu…

…re expressions
jenkinsci · Nov 15, 2019 · 22d5172 · 22d5172
1 parent 926d99b
commit 22d5172
Show file tree

Hide file tree

Showing 5 changed files with 179 additions and 2 deletions.
diff --git a/.mvn/extensions.xml b/.mvn/extensions.xml
@@ -0,0 +1,7 @@
+<extensions xmlns="http://maven.apache.org/EXTENSIONS/1.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/EXTENSIONS/1.0.0 http://maven.apache.org/xsd/core-extensions-1.0.0.xsd">
+  <extension>
+    <groupId>io.jenkins.tools.incrementals</groupId>
+    <artifactId>git-changelist-maven-extension</artifactId>
+    <version>1.1</version>
+  </extension>
+</extensions>
diff --git a/.mvn/maven.config b/.mvn/maven.config
@@ -0,0 +1,2 @@
+-Pconsume-incrementals
+-Pmight-produce-incrementals
diff --git a/pom.xml b/pom.xml
@@ -9,13 +9,20 @@
   </parent>
 
   <artifactId>groovy-sandbox</artifactId>
-  <version>1.25-SNAPSHOT</version>
+  <version>${revision}${changelist}</version>
 
   <name>Groovy Sandbox</name>
   <description>Executes untrusted Groovy script safely</description>
 
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <revision>1.25</revision>
+    <changelist>-SNAPSHOT</changelist>
+    <!-- TODO: Move these three properties to the parent POM or use org.jenkins-ci:jenkins as the parent POM here -->
+    <incrementals-enforce-minimum.version>1.1</incrementals-enforce-minimum.version>
+    <incrementals-plugin.version>1.1</incrementals-plugin.version>
+    <incrementals.url>https://repo.jenkins-ci.org/incrementals/</incrementals.url>
+    <scmTag>HEAD</scmTag>
   </properties>
 
   <repositories>
@@ -33,6 +40,23 @@
   </pluginRepositories>
 
   <build>
+    <pluginManagement>
+      <plugins>
+        <plugin>
+          <groupId>io.jenkins.tools.incrementals</groupId>
+          <artifactId>incrementals-maven-plugin</artifactId>
+          <version>${incrementals-plugin.version}</version>
+          <configuration>
+            <includes>
+              <include>org.jenkins-ci.*</include>
+              <include>io.jenkins.*</include>
+            </includes>
+            <generateBackupPoms>false</generateBackupPoms>
+            <updateNonincremental>false</updateNonincremental>
+          </configuration>
+        </plugin>
+      </plugins>
+    </pluginManagement>
     <plugins>
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
@@ -105,7 +129,7 @@
     <connection>scm:git:git@github.com/jenkinsci/${project.artifactId}.git</connection>
     <developerConnection>scm:git:ssh://git@github.com/jenkinsci/${project.artifactId}.git</developerConnection>
     <url>http://${project.artifactId}.kohsuke.org/</url>
-    <tag>HEAD</tag>
+    <tag>${scmTag}</tag>
   </scm>
 
   <distributionManagement>
@@ -122,4 +146,133 @@
       </plugin>
     </plugins>
   </reporting>
+
+  <!-- TODO: Move these profiles to the parent POM or use org.jenkins-ci:jenkins as the parent POM here -->
+  <profiles>
+    <profile> <!-- see JEP-305 -->
+      <id>consume-incrementals</id>
+      <repositories>
+        <repository>
+          <id>incrementals</id>
+          <url>${incrementals.url}</url>
+          <snapshots>
+            <enabled>false</enabled>
+          </snapshots>
+        </repository>
+      </repositories>
+      <pluginRepositories>
+        <pluginRepository>
+          <id>incrementals</id>
+          <url>${incrementals.url}</url>
+          <snapshots>
+            <enabled>false</enabled>
+          </snapshots>
+        </pluginRepository>
+      </pluginRepositories>
+    </profile>
+    <profile>
+      <id>might-produce-incrementals</id>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.codehaus.mojo</groupId>
+            <artifactId>flatten-maven-plugin</artifactId>
+            <version>1.0.1</version>
+            <configuration>
+              <updatePomFile>true</updatePomFile>
+              <outputDirectory>${project.build.directory}</outputDirectory>
+              <flattenedPomFilename>${project.artifactId}-${project.version}.pom</flattenedPomFilename>
+            </configuration>
+            <executions>
+              <execution>
+                <id>flatten</id>
+                <phase>process-resources</phase>
+                <goals>
+                  <goal>flatten</goal>
+                </goals>
+                <configuration>
+                    <flattenMode>oss</flattenMode>
+                </configuration>
+              </execution>
+            </executions>
+          </plugin>
+          <plugin>
+            <artifactId>maven-enforcer-plugin</artifactId>
+            <version>3.0.0-M2</version>
+            <executions>
+              <execution>
+                <id>display-info</id>
+                <configuration>
+                  <rules>
+                    <requireMavenVersion>
+                      <version>[3.5.4,)</version>
+                      <message>3.5.4+ required to use Incrementals.</message>
+                    </requireMavenVersion>
+                    <rule implementation="io.jenkins.tools.incrementals.enforcer.RequireExtensionVersion">
+                      <version>[${incrementals-enforce-minimum.version},)</version>
+                    </rule>
+                  </rules>
+                </configuration>
+              </execution>
+            </executions>
+            <dependencies>
+              <dependency>
+                <groupId>io.jenkins.tools.incrementals</groupId>
+                <artifactId>incrementals-enforcer-rules</artifactId>
+                <version>${incrementals-plugin.version}</version>
+              </dependency>
+            </dependencies>
+          </plugin>
+          <plugin>
+            <artifactId>maven-release-plugin</artifactId>
+            <configuration>
+              <completionGoals>incrementals:reincrementalify</completionGoals>
+            </configuration>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
+    <profile>
+      <id>produce-incrementals</id>
+      <activation>
+        <property>
+          <name>set.changelist</name>
+          <value>true</value>
+        </property>
+      </activation>
+      <distributionManagement>
+        <repository>
+          <id>incrementals</id>
+          <url>${incrementals.url}</url>
+        </repository>
+      </distributionManagement>
+      <build>
+        <plugins>
+          <plugin>
+            <artifactId>maven-source-plugin</artifactId>
+            <version>3.0.1</version>
+            <executions>
+              <execution>
+                <id>attach-sources</id>
+                <goals>
+                  <goal>jar-no-fork</goal>
+                </goals>
+              </execution>
+            </executions>
+          </plugin>
+          <plugin>
+            <artifactId>maven-javadoc-plugin</artifactId>
+            <executions>
+              <execution>
+                <id>attach-javadocs</id>
+                <goals>
+                  <goal>jar</goal>
+                </goals>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
+  </profiles>
 </project>
diff --git a/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java b/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java
@@ -400,6 +400,12 @@ private Expression innerTransform(Expression exp) {
                     if (parameters != null) {
                         // Explicitly defined parameters, i.e., ".findAll { i -> i == 'bar' }"
                         if (parameters.length > 0) {
+                            for (Parameter p : parameters) {
+                                if (p.hasInitialExpression()) {
+                                    Expression init = p.getInitialExpression();
+                                    p.setInitialExpression(transform(init));
+                                }
+                            }
                             for (Parameter p : parameters) {
                                 declareVariable(p);
                             }

diff --git a/src/test/java/org/kohsuke/groovy/sandbox/SandboxTransformerTest.java b/src/test/java/org/kohsuke/groovy/sandbox/SandboxTransformerTest.java
@@ -327,4 +327,13 @@ private void assertIntercept(String expression, Object expectedReturnValue, Stri
                 "new B()");
     }
 
+    @Issue("SECURITY-1658")
+    @Test public void sandboxTransformsInitialExpressionsForClosureParameters() throws Exception {
+        assertIntercept(
+                "({ p = System.getProperties() -> true })()",
+                true,
+                "Script1$_run_closure1.call()",
+                "System:getProperties()");
+    }
+
 }