[SECURITY-2455]

jenkinsci · Nov 2, 2021 · 104c751 · 104c751
1 parent eae3384
commit 104c751
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 19 deletions.
diff --git a/core/src/main/java/hudson/FilePath.java b/core/src/main/java/hudson/FilePath.java
@@ -215,11 +215,6 @@ public final class FilePath implements SerializableOnlyOverRemoting {
      */
     private static final int MAX_REDIRECTS = 20;
 
-    /**
-     * Escape hatch for some additional protections against sending callables intended to be locally used only
-     */
-    private static /* non-final for Groovy */ boolean REJECT_LOCAL_CALLABLE_DESERIALIZATION = SystemProperties.getBoolean(FilePath.class.getName() + ".rejectLocalCallableDeserialization", true);
-
     /**
      * When this {@link FilePath} represents the remote path,
      * this field is always non-null on the controller (the field represents
@@ -601,13 +596,6 @@ public Void invoke(File dir, VirtualChannel channel) throws IOException, Interru
             return null;
         }
         private static final long serialVersionUID = 1L;
-
-        protected Object readResolve() {
-            if (REJECT_LOCAL_CALLABLE_DESERIALIZATION) {
-                throw new IllegalStateException("This callable is not intended to be sent through a channel");
-            }
-            return this;
-        }
     }
 
     /**
@@ -660,13 +648,6 @@ public Void invoke(File dir, VirtualChannel channel) throws IOException, Interru
             return null;
         }
         private static final long serialVersionUID = 1L;
-
-        protected Object readResolve() {
-            if (REJECT_LOCAL_CALLABLE_DESERIALIZATION) {
-                throw new IllegalStateException("This callable is not intended to be sent through a channel");
-            }
-            return this;
-        }
     }
 
     /**

diff --git a/test/src/test/java/jenkins/security/Security2455Test.java b/test/src/test/java/jenkins/security/Security2455Test.java
@@ -21,6 +21,7 @@
 import hudson.model.Node;
 import hudson.model.TaskListener;
 import hudson.remoting.VirtualChannel;
+import hudson.slaves.DumbSlave;
 import java.io.File;
 import java.io.FileReader;
 import java.io.IOException;
@@ -809,6 +810,22 @@ public Object call() throws Exception {
 
     // --------
 
+    // Misc tests
+
+    @LocalData
+    @Test
+    public void testRemoteLocalUnzip() throws Exception {
+        final DumbSlave onlineSlave = j.createOnlineSlave();
+        final File zipFile = new File(j.jenkins.getRootDir(), "file.zip");
+        assertTrue(zipFile.isFile());
+        final FilePath agentRootPath = onlineSlave.getRootPath();
+        final FilePath agentZipPath = agentRootPath.child("file.zip");
+        new FilePath(zipFile).copyTo(agentZipPath);
+        agentZipPath.unzip(agentRootPath);
+    }
+
+    // --------
+
     // Utility functions
 
     protected static FilePath toFilePathOnController(File file) {

diff --git a/test/src/test/resources/jenkins/security/Security2455Test/testRemoteLocalUnzip/file.zip b/test/src/test/resources/jenkins/security/Security2455Test/testRemoteLocalUnzip/file.zip