Merge pull request #82 from jenkinsci-cert/security-343
[SECURITY-343] Restrict API access to NodeMonitor data
jglick committed Jan 3, 2017
2 parents fd2e081 + 98cd6a7 commit 0f92cd0
Showing 2 changed files with 27 additions and 2 deletions.
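--- a/core/src/main/java/hudson/model/Computer.java
+++ b/core/src/main/java/hudson/model/Computer.java
@@ -1072,8 +1072,10 @@ public String getSearchUrl() {
 @Exported(inline=true)
 public Map<String/*monitor name*/,Object> getMonitorData() {
 Map<String,Object> r = new HashMap<String, Object>();
-for (NodeMonitor monitor : NodeMonitor.getAll())
-r.put(monitor.getClass().getName(),monitor.data(this));
+if (hasPermission(CONNECT)) {
+for (NodeMonitor monitor : NodeMonitor.getAll())
+r.put(monitor.getClass().getName(), monitor.data(this));
+}
 return r;
 }
 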
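Review bot: The new `if (hasPermission(CONNECT))` guard in getMonitorData() has no comment or Javadoc saying why CONNECT is the gate, or that callers without it receive an empty map rather than an error. Because the method is `@Exported(inline=true)`, an empty result is indistinguishable from an agent with no monitors, so the behaviour should be documented, e.g. `// SECURITY-343: monitor data is only exposed to users holding Computer.CONNECT; others get an empty map`. The guarded `for` has no braces; adding them keeps a later second statement from landing outside the loop while still inside the permission check. Any other accessor that reads `NodeMonitor` data directly would not be covered by this check; the rest of the class is outside the hunk, so that needs confirming.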
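--- a/test/src/test/java/hudson/model/ComputerConfigDotXmlTest.java
+++ b/test/src/test/java/hudson/model/ComputerConfigDotXmlTest.java
@@ -27,6 +27,8 @@
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.startsWith;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
 import static org.mockito.Mockito.spy;
 import static org.mockito.Mockito.when;
 import hudson.security.ACL;
@@ -47,6 +49,7 @@
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
+import org.jvnet.hudson.test.Issue;
 import org.jvnet.hudson.test.JenkinsRule;
 import org.jvnet.hudson.test.JenkinsRule.DummySecurityRealm;
 import org.kohsuke.stapler.StaplerRequest;
@@ -140,6 +143,26 @@ public void configXmlPostShouldUpdateNodeConfiguration() throws Exception {
 assertThat(updatedSlave.getNumExecutors(), equalTo(42));
 }
 
+@Test
+@Issue("SECURITY-343")
+public void emptyNodeMonitorDataWithoutConnect() throws Exception {
+rule.jenkins.setAuthorizationStrategy(new GlobalMatrixAuthorizationStrategy());
+
+assertTrue(computer.getMonitorData().isEmpty());
+}
+
+@Test
+@Issue("SECURITY-343")
+public void populatedNodeMonitorDataWithConnect() throws Exception {
+GlobalMatrixAuthorizationStrategy auth = new GlobalMatrixAuthorizationStrategy();
+rule.jenkins.setAuthorizationStrategy(auth);
+auth.add(Computer.CONNECT, "user");
+
+assertFalse(computer.getMonitorData().isEmpty());
+}
+
+
 private OutputStream captureOutput() throws IOException {
 
 final ByteArrayOutputStream baos = new ByteArrayOutputStream();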
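Review bot: `emptyNodeMonitorDataWithoutConnect` installs an empty `GlobalMatrixAuthorizationStrategy`, so it only shows that a caller with no permissions at all gets an empty map; it does not pin the case the fix is about, a user who can read the computer but lacks CONNECT. Granting a read-level permission before the assertion, e.g. `auth.add(Jenkins.READ, "user");` on a named strategy instance as the second test does, would cover that. Both tests also call `computer.getMonitorData()` directly, while the commit title targets API access, so a check of the remote API output for the node would exercise the `@Exported` path as well. The identity the tests run as is set up outside the hunk (presumably "user"), so confirm that it matches the name passed to `auth.add`.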
