From 104c751d907919dd53f5090f84d53c671a66457b Mon Sep 17 00:00:00 2001
From: Daniel Beck
Date: Tue, 2 Nov 2021 03:46:28 +0000
Subject: [PATCH] [SECURITY-2455]

---
 core/src/main/java/hudson/FilePath.java | 19 ------------------
 .../jenkins/security/Security2455Test.java | 17 ++++++++++++++++
 .../testRemoteLocalUnzip/file.zip | Bin 0 -> 478 bytes
 3 files changed, 17 insertions(+), 19 deletions(-)
 create mode 100644 test/src/test/resources/jenkins/security/Security2455Test/testRemoteLocalUnzip/file.zip

diff --git a/core/src/main/java/hudson/FilePath.java b/core/src/main/java/hudson/FilePath.java
index 3245ae63c049..9ecbe010751b 100644
--- a/core/src/main/java/hudson/FilePath.java
+++ b/core/src/main/java/hudson/FilePath.java
@@ -215,11 +215,6 @@ public final class FilePath implements SerializableOnlyOverRemoting {
 */
 private static final int MAX_REDIRECTS = 20;
 
- /**
- * Escape hatch for some additional protections against sending callables intended to be locally used only
- */
- private static /* non-final for Groovy */ boolean REJECT_LOCAL_CALLABLE_DESERIALIZATION = SystemProperties.getBoolean(FilePath.class.getName() + ".rejectLocalCallableDeserialization", true);
-
 /**
 * When this {@link FilePath} represents the remote path,
 * this field is always non-null on the controller (the field represents
@@ -601,13 +596,6 @@ public Void invoke(File dir, VirtualChannel channel) throws IOException, Interru
 return null;
 }
 private static final long serialVersionUID = 1L;
-
- protected Object readResolve() {
- if (REJECT_LOCAL_CALLABLE_DESERIALIZATION) {
- throw new IllegalStateException("This callable is not intended to be sent through a channel");
- }
- return this;
- }
 }
 
 /**
@@ -660,13 +648,6 @@ public Void invoke(File dir, VirtualChannel channel) throws IOException, Interru
 return null;
 }
 private static final long serialVersionUID = 1L;
-
- protected Object readResolve() {
- if (REJECT_LOCAL_CALLABLE_DESERIALIZATION) {
- throw new IllegalStateException("This callable is not intended to be sent through a channel");
- }
- return this;
- }
 }
 
 /**
diff --git a/test/src/test/java/jenkins/security/Security2455Test.java b/test/src/test/java/jenkins/security/Security2455Test.java
index e190b033bffc..71613ceb60d3 100644
--- a/test/src/test/java/jenkins/security/Security2455Test.java
+++ b/test/src/test/java/jenkins/security/Security2455Test.java
@@ -21,6 +21,7 @@
 import hudson.model.Node;
 import hudson.model.TaskListener;
 import hudson.remoting.VirtualChannel;
+import hudson.slaves.DumbSlave;
 import java.io.File;
 import java.io.FileReader;
 import java.io.IOException;
@@ -809,6 +810,22 @@ public Object call() throws Exception {
 
 // --------
 
+ // Misc tests
+
+ @LocalData
+ @Test
+ public void testRemoteLocalUnzip() throws Exception {
+ final DumbSlave onlineSlave = j.createOnlineSlave();
+ final File zipFile = new File(j.jenkins.getRootDir(), "file.zip");
+ assertTrue(zipFile.isFile());
+ final FilePath agentRootPath = onlineSlave.getRootPath();
+ final FilePath agentZipPath = agentRootPath.child("file.zip");
+ new FilePath(zipFile).copyTo(agentZipPath);
+ agentZipPath.unzip(agentRootPath);
+ }
+
+ // --------
+
 // Utility functions
 
 protected static FilePath toFilePathOnController(File file) {
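Review bot: testRemoteLocalUnzip in the `@@ -809,6 +810,22 @@` hunk asserts nothing after `agentZipPath.unzip(agentRootPath);`, so it passes whenever the call does not throw, even if no entry was extracted. Add an agent-side check such as `assertTrue(agentRootPath.child("<entry-name-in-file.zip>").exists());` (the entry name is a placeholder, since the archive's contents are not readable from the patch). A one-line comment would also help the next reader, for example `// Regression test: unzip with source and target on the same agent sends the local callable over the channel`, which appears to be the case the removed readResolve() guard in FilePath.java rejected. That guard and its system-property escape hatch are deleted without a replacement in this patch, so it is worth confirming that other tests in this class still cover an agent sending these callables to the controller; nothing in the visible hunks shows that.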
diff --git a/test/src/test/resources/jenkins/security/Security2455Test/testRemoteLocalUnzip/file.zip b/test/src/test/resources/jenkins/security/Security2455Test/testRemoteLocalUnzip/file.zip new file mode 100644 index 0000000000000000000000000000000000000000..619f162bbc42eb5a88ecaa601d8a913b3d5dee14 GIT binary patch literal 478 zcmWIWW@Zs#-~hr;*1o|ENPwL|fgvqFU$3O1Bs7GVf!#7cEfIt>fVi}Rn}Lz#D|A62_JlY z!aneabp$jpO^{$#7m#Kwloe?HAuZ9t)TgNE7@+2HoJm2-z;v&3=dXI}Xq@o8 zdfHP*PgB>=*V9wSGn9{mP1EO;zcAkOZIGTXnzIB(NM-0$)AQuLBGct)VqXr7h xU!XvNfhCO~7B&xH2_keuku3xT2@EW03