1 parent
6b84024
commit c0eed94
Showing
13 changed files
with
494 additions
and
10 deletions.
@@ -0,0 +1,218 @@ | ||
package htmlpublisher; | ||
|
||
import hudson.model.FreeStyleProject; | ||
import hudson.tasks.Shell; | ||
import org.htmlunit.AlertHandler; | ||
import org.htmlunit.FailingHttpStatusCodeException; | ||
import org.htmlunit.Page; | ||
import org.junit.Rule; | ||
import org.junit.Test; | ||
import org.jvnet.hudson.test.Issue; | ||
import org.jvnet.hudson.test.JenkinsRule; | ||
import org.jvnet.hudson.test.recipes.LocalData; | ||
|
||
import java.util.ArrayList; | ||
import java.util.Collections; | ||
import java.util.List; | ||
|
||
import static hudson.Functions.isWindows; | ||
import static org.hamcrest.MatcherAssert.assertThat; | ||
import static org.hamcrest.collection.IsEmptyCollection.empty; | ||
import static org.hamcrest.core.IsNot.not; | ||
import static org.junit.Assert.*; | ||
import static org.junit.Assume.assumeFalse; | ||
|
||
public class Security3302Test { | ||
|
||
@Rule | ||
public JenkinsRule j = new JenkinsRule(); | ||
|
||
@Test | ||
public void security3302sanitizeJobNameTest() throws Exception { | ||
|
||
// Skip on windows | ||
assumeFalse(isWindows()); | ||
|
||
FreeStyleProject job = j.jenkins.createProject(FreeStyleProject.class, "\"+alert(1)+\""); | ||
job.getBuildersList().add(new Shell("date > index.html")); | ||
|
||
HtmlPublisherTarget target = new HtmlPublisherTarget( | ||
"HTML Report", | ||
"", | ||
"index.html", | ||
true, | ||
false, | ||
false | ||
); | ||
|
||
target.setUseWrapperFileDirectly(true); | ||
target.setEscapeUnderscores(true); | ||
target.setReportTitles(""); | ||
target.setIncludes("**/*"); | ||
|
||
List<HtmlPublisherTarget> reportTargets = new ArrayList<>(); | ||
reportTargets.add(target); | ||
|
||
job.getPublishersList().add(new HtmlPublisher(reportTargets)); | ||
|
||
j.buildAndAssertSuccess(job); | ||
|
||
HtmlPublisherTarget.HTMLAction action = job.getAction(HtmlPublisherTarget.HTMLAction.class); | ||
assertNotNull(action); | ||
|
||
assertEquals("HTML Report", action.getHTMLTarget().getReportName()); | ||
assertEquals("HTML_20Report", action.getUrlName()); | ||
|
||
JenkinsRule.WebClient client = j.createWebClient(); | ||
|
||
// Create an alert handler to check for any alerts | ||
Alerter alerter = new Alerter(); | ||
client.setAlertHandler(alerter); | ||
client.goTo("job/\"+alert(1)+\"/HTML_20Report/"); | ||
|
||
// Check that the alerter has not been triggered | ||
client.waitForBackgroundJavaScript(2000); | ||
assertTrue(alerter.messages.isEmpty()); | ||
|
||
} | ||
|
||
@Test | ||
@LocalData | ||
@Issue("security-3302") | ||
public void oldReportJobNameTest() throws Exception { | ||
// Skip on windows | ||
assumeFalse(isWindows()); | ||
List<FreeStyleProject> items = j.jenkins.getItems(FreeStyleProject.class); | ||
assertThat(items, not(empty())); | ||
FreeStyleProject job = items.get(0); | ||
assertNotNull(job); | ||
HtmlPublisherTarget.HTMLAction action = job.getAction(HtmlPublisherTarget.HTMLAction.class); | ||
assertNotNull(action); | ||
|
||
assertEquals("HTML Report", action.getHTMLTarget().getReportName()); | ||
assertEquals("HTML_20Report", action.getUrlName()); | ||
|
||
JenkinsRule.WebClient client = j.createWebClient(); | ||
|
||
// Create an alert handler to check for any alerts | ||
Alerter alerter = new Alerter(); | ||
client.setAlertHandler(alerter); | ||
|
||
try { | ||
client.goTo("job/testJob/1/HTML_20Report/"); | ||
|
||
} catch (FailingHttpStatusCodeException e) { | ||
// Ignore the exception as needed | ||
} finally { | ||
|
||
client.waitForBackgroundJavaScript(2000); | ||
assertTrue(alerter.messages.isEmpty()); | ||
} | ||
} | ||
|
||
@Test | ||
public void security3302sanitizeOptionalNameTest() throws Exception { | ||
|
||
// Skip on windows | ||
assumeFalse(isWindows()); | ||
|
||
FreeStyleProject job = j.jenkins.createProject(FreeStyleProject.class, "testJob"); | ||
job.getBuildersList().add(new Shell("echo \"Test\" > test.txt")); | ||
|
||
HtmlPublisherTarget target = new HtmlPublisherTarget( | ||
"HTML Report", | ||
"", | ||
"test.txt", | ||
true, | ||
false, | ||
false | ||
); | ||
|
||
target.setUseWrapperFileDirectly(true); | ||
target.setEscapeUnderscores(true); | ||
target.setReportTitles("<img src onerror=alert(1)>"); | ||
target.setIncludes("**/*"); | ||
|
||
List<HtmlPublisherTarget> reportTargets = new ArrayList<>(); | ||
reportTargets.add(target); | ||
|
||
job.getPublishersList().add(new HtmlPublisher(reportTargets)); | ||
|
||
j.buildAndAssertSuccess(job); | ||
|
||
HtmlPublisherTarget.HTMLAction action = job.getAction(HtmlPublisherTarget.HTMLAction.class); | ||
assertNotNull(action); | ||
|
||
assertEquals("HTML Report", action.getHTMLTarget().getReportName()); | ||
assertEquals("HTML_20Report", action.getUrlName()); | ||
|
||
JenkinsRule.WebClient client = j.createWebClient(); | ||
|
||
// Create an alert handler to check for any alerts | ||
Alerter alerter = new Alerter(); | ||
client.setAlertHandler(alerter); | ||
client.goTo("job/testJob/HTML_20Report/"); | ||
|
||
// Check that the alerter has not been triggered | ||
client.waitForBackgroundJavaScript(2000); | ||
assertTrue(alerter.messages.isEmpty()); | ||
|
||
} | ||
|
||
@Test | ||
public void security3302sanitizeExistingReportTitleTest() throws Exception { | ||
|
||
// Skip on windows | ||
assumeFalse(isWindows()); | ||
|
||
FreeStyleProject job = j.jenkins.createProject(FreeStyleProject.class, "testJob"); | ||
job.getBuildersList().add(new Shell("echo \"Test\" > '\"><img src onerror=alert(1)>'")); | ||
|
||
HtmlPublisherTarget target = new HtmlPublisherTarget( | ||
"HTML Report", | ||
"", | ||
"", | ||
true, | ||
false, | ||
false | ||
); | ||
|
||
target.setUseWrapperFileDirectly(true); | ||
target.setEscapeUnderscores(true); | ||
target.setReportTitles("\"><img src onerror=alert(1)>"); | ||
target.setIncludes("**/*"); | ||
|
||
List<HtmlPublisherTarget> reportTargets = new ArrayList<>(); | ||
reportTargets.add(target); | ||
|
||
job.getPublishersList().add(new HtmlPublisher(reportTargets)); | ||
|
||
j.buildAndAssertSuccess(job); | ||
|
||
HtmlPublisherTarget.HTMLAction action = job.getAction(HtmlPublisherTarget.HTMLAction.class); | ||
assertNotNull(action); | ||
|
||
assertEquals("HTML Report", action.getHTMLTarget().getReportName()); | ||
assertEquals("HTML_20Report", action.getUrlName()); | ||
|
||
JenkinsRule.WebClient client = j.createWebClient(); | ||
|
||
Alerter alerter = new Alerter(); | ||
client.setAlertHandler(alerter); | ||
client.goTo("job/testJob/HTML_20Report/"); | ||
|
||
// Check that the alerter has not been triggered | ||
client.waitForBackgroundJavaScript(2000); | ||
assertTrue(alerter.messages.isEmpty()); | ||
|
||
} | ||
|
||
// This class is used to check for any alerts that are triggered on a page | ||
static class Alerter implements AlertHandler { | ||
List<String> messages = Collections.synchronizedList(new ArrayList<>()); | ||
@Override | ||
public void handleAlert(final Page page, final String message) { | ||
messages.add(message); | ||
} | ||
} | ||
} |
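Review bot: The `catch (FailingHttpStatusCodeException e)` in oldReportJobNameTest (the `try` around `client.goTo("job/testJob/1/HTML_20Report/")`) discards the status code, so a 500 from the legacy report action would still let the test pass on the `alerter.messages.isEmpty()` check in `finally`, which then only proves that nothing rendered. If a non-200 status is expected for this fixture, say so in the comment and pin it; at minimum replace `// Ignore the exception as needed` with `assertNotEquals("report page raised a server error", 500, e.getStatusCode());` so a crash cannot masquerade as a sanitized page. The three `security3302sanitize*Test` methods end with `assertTrue(alerter.messages.isEmpty())`; `assertThat(alerter.messages, empty())` (both already imported) would print the captured alert text on failure instead of a bare AssertionError. `Alerter.messages` should also be declared `private final`.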
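--- /dev/null
+++ b/...urces/htmlpublisher/Security3302Test/oldReportJobNameTest/jobs/testJob/builds/1/build.xml
@@ -0,0 +1,44 @@
+<?xml version='1.1' encoding='UTF-8'?>
+<build>
+<actions>
+<hudson.model.CauseAction>
+<causeBag class="linked-hash-map">
+<entry>
+<hudson.model.Cause_-UserIdCause/>
+<int>1</int>
+</entry>
+</causeBag>
+</hudson.model.CauseAction>
+<htmlpublisher.HtmlPublisherTarget_-HTMLBuildAction plugin="htmlpublisher@1.33-SNAPSHOT">
+<actualHtmlPublisherTarget>
+<reportName>HTML Report</reportName>
+<reportDir></reportDir>
+<reportFiles>index.html</reportFiles>
+<alwaysLinkToLastBuild>false</alwaysLinkToLastBuild>
+<reportTitles></reportTitles>
+<keepAll>true</keepAll>
+<allowMissing>false</allowMissing>
+<includes>**/*</includes>
+<escapeUnderscores>true</escapeUnderscores>
+<useWrapperFileDirectly>true</useWrapperFileDirectly>
+</actualHtmlPublisherTarget>
+<outer-class reference="../actualHtmlPublisherTarget"/>
+<wrapperChecksum>bb013837dd6fed1ea7ef00d584484d62e90b64a1</wrapperChecksum>
+<outer-class defined-in="htmlpublisher.HtmlPublisherTarget$HTMLBuildAction" reference="../actualHtmlPublisherTarget"/>
+</htmlpublisher.HtmlPublisherTarget_-HTMLBuildAction>
+</actions>
+<queueId>1</queueId>
+<timestamp>1702036826488</timestamp>
+<startTime>1702036826496</startTime>
+<result>SUCCESS</result>
+<duration>99</duration>
+<charset>UTF-8</charset>
+<keepLog>false</keepLog>
+<builtOn></builtOn>
+<workspace>workspace/"+alert(1)+"</workspace>
+<hudsonVersion>2.387.3</hudsonVersion>
+<scm class="hudson.scm.NullChangeLogParser"/>
+<culprits class="java.util.Collections$UnmodifiableSet">
+<c class="sorted-set"/>
+</culprits>
+</build>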
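--- /dev/null
+++ b/...s/htmlpublisher/Security3302Test/oldReportJobNameTest/jobs/testJob/builds/1/changelog.xml
@@ -0,0 +1 @@
+<log/>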