[JENKINS-42902] Add tests to reproduce SECURITY-353
ikedam committed May 6, 2017
1 parent 3b978da commit e61298ef58456abcfa2e09bf19298757d691c549
@@ -40,6 +40,7 @@
import hudson.model.queue.QueueTaskFuture;
import hudson.model.Result;

import org.junit.Assume;
import org.junit.Rule;
import org.junit.Test;
import org.jvnet.hudson.test.Bug;
@@ -616,4 +617,46 @@ public void testBuildWithParameters() throws Exception {
assertNull(b.getExactRun(new Combination(axes, "value2")));
assertNotNull(b.getExactRun(new Combination(axes, "value3")));
}

@Issue("JENKINS-42902")
@Test
public void testSafeTitle() throws Exception {
AxisList axes = new AxisList(new TextAxis("axis1", "value1", "value2", "value3"));
MatrixProject p = j.createMatrixProject();
p.setAxes(axes);
p.addProperty(new ParametersDefinitionProperty(
new MatrixCombinationsParameterDefinition(
"<span id=\"test-not-expected\">combinations</span>",
""
)
));

WebClient wc = j.createAllow405WebClient();
HtmlPage page = wc.getPage(p, "build");

assertNull(page.getElementById("test-not-expected"));
}

@Issue("JENKINS-42902")
@Test
public void testSafeDescription() throws Exception {
Assume.assumeNotNull(j.jenkins.getMarkupFormatter());

AxisList axes = new AxisList(new TextAxis("axis1", "value1", "value2", "value3"));
MatrixProject p = j.createMatrixProject();
p.setAxes(axes);
p.addProperty(new ParametersDefinitionProperty(
new MatrixCombinationsParameterDefinition(
"combinations",
"<span id=\"test-expected\">blahblah</span>"
+ "<script id=\"test-not-expected\"></script>"
)
));

WebClient wc = j.createAllow405WebClient();
HtmlPage page = wc.getPage(p, "build");

assertNotNull(page.getElementById("test-expected"));
assertNull(page.getElementById("test-not-expected"));
}
}
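Review bot: `testSafeDescription` opens with `Assume.assumeNotNull(j.jenkins.getMarkupFormatter())` and never selects a formatter in the visible lines, so this SECURITY-353 regression check is reported as skipped rather than failed whenever that call returns null, and otherwise depends on whichever formatter the harness installs by default. The expectation that the `<span>` survives while the `<script>` is dropped only holds for a sanitising formatter; an escaping one would presumably fail the `assertNotNull` for reasons unrelated to the plugin. I would configure the formatter explicitly at the top of the test with `j.jenkins.setMarkupFormatter(...)` and drop the assumption, so a skipped run can never be mistaken for a safe one. The same pattern is repeated in the `parameters` and `rebuild` variants in the two following file sections. The class body starts outside this hunk, so a formatter set in a `@Before` method would not be visible here.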
@@ -25,6 +25,7 @@
package hudson.plugins.matrix_configuration_parameter;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;

import java.util.Arrays;
@@ -41,9 +42,11 @@
import hudson.model.ParametersDefinitionProperty;
import jenkins.model.Jenkins;

import org.junit.Assume;
import org.junit.Rule;
import org.junit.Test;
import org.jvnet.hudson.test.Bug;
import org.jvnet.hudson.test.Issue;
import org.jvnet.hudson.test.JenkinsRule.WebClient;

import com.gargoylesoftware.htmlunit.html.HtmlPage;
@@ -174,4 +177,50 @@ public void testReadResolveOfDefaultMatrixCombinationsParameterValue() throws Ex
v.getCombinationFilter()
);
}

@Issue("JENKINS-42902")
@Test
public void testSafeTitle() throws Exception {
AxisList axes = new AxisList(new TextAxis("axis1", "value1", "value2", "value3"));
MatrixProject p = j.createMatrixProject();
p.setAxes(axes);
p.addProperty(new ParametersDefinitionProperty(
new MatrixCombinationsParameterDefinition(
"<span id=\"test-not-expected\">combinations</span>",
""
)
));

MatrixBuild b = j.assertBuildStatusSuccess(p.scheduleBuild2(0).get());

WebClient wc = j.createWebClient();
HtmlPage page = wc.getPage(b, "parameters");

assertNull(page.getElementById("test-not-expected"));
}

@Issue("JENKINS-42902")
@Test
public void testSafeDescription() throws Exception {
Assume.assumeNotNull(j.jenkins.getMarkupFormatter());

AxisList axes = new AxisList(new TextAxis("axis1", "value1", "value2", "value3"));
MatrixProject p = j.createMatrixProject();
p.setAxes(axes);
p.addProperty(new ParametersDefinitionProperty(
new MatrixCombinationsParameterDefinition(
"combinations",
"<span id=\"test-expected\">blahblah</span>"
+ "<script id=\"test-not-expected\"></script>"
)
));

MatrixBuild b = j.assertBuildStatusSuccess(p.scheduleBuild2(0).get());

WebClient wc = j.createWebClient();
HtmlPage page = wc.getPage(b, "parameters");

assertNotNull(page.getElementById("test-expected"));
assertNull(page.getElementById("test-not-expected"));
}
}
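Review bot: `testSafeTitle` asserts only that no element with id `test-not-expected` exists, which also passes if the parameter name is never rendered on the `parameters` page at all, so the test can go green without exercising the escaping path. A positive check that the name appears as literal text would close that gap, for example `assertTrue(page.asText().contains("<span id=\"test-not-expected\">"));`, assuming the HtmlUnit version in use provides `asText()` and with a static import of `assertTrue` added. The same negative-only assertion is used in the `build` variant in the preceding file section and the `rebuild` variant in the following one.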
@@ -41,9 +41,11 @@
import hudson.model.Result;
import hudson.model.StringParameterValue;

import org.junit.Assume;
import org.junit.Rule;
import org.junit.Test;
import org.jvnet.hudson.test.Bug;
import org.jvnet.hudson.test.Issue;
import org.jvnet.hudson.test.JenkinsRule.WebClient;

import com.gargoylesoftware.htmlunit.html.HtmlForm;
@@ -217,4 +219,50 @@ public void testShortcut() throws Exception {
j.assertCombinationChecked(page, true, axes, "value2");
j.assertCombinationChecked(page, false, axes, "value3");
}

@Issue("JENKINS-42902")
@Test
public void testSafeTitle() throws Exception {
AxisList axes = new AxisList(new TextAxis("axis1", "value1", "value2", "value3"));
MatrixProject p = j.createMatrixProject();
p.setAxes(axes);
p.addProperty(new ParametersDefinitionProperty(
new MatrixCombinationsParameterDefinition(
"<span id=\"test-not-expected\">combinations</span>",
""
)
));

MatrixBuild b = j.assertBuildStatusSuccess(p.scheduleBuild2(0).get());

WebClient wc = j.createWebClient();
HtmlPage page = wc.getPage(b, "rebuild");

assertNull(page.getElementById("test-not-expected"));
}

@Issue("JENKINS-42902")
@Test
public void testSafeDescription() throws Exception {
Assume.assumeNotNull(j.jenkins.getMarkupFormatter());

AxisList axes = new AxisList(new TextAxis("axis1", "value1", "value2", "value3"));
MatrixProject p = j.createMatrixProject();
p.setAxes(axes);
p.addProperty(new ParametersDefinitionProperty(
new MatrixCombinationsParameterDefinition(
"combinations",
"<span id=\"test-expected\">blahblah</span>"
+ "<script id=\"test-not-expected\"></script>"
)
));

MatrixBuild b = j.assertBuildStatusSuccess(p.scheduleBuild2(0).get());

WebClient wc = j.createWebClient();
HtmlPage page = wc.getPage(b, "rebuild");

assertNotNull(page.getElementById("test-expected"));
assertNull(page.getElementById("test-not-expected"));
}
}
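Review bot: The two methods added here are line-for-line copies of those in the two preceding file sections, apart from the page passed to `wc.getPage` (`"rebuild"` here, `"parameters"` and `"build"` before) and whether a build is run first. Three copies of a security regression test tend to drift, so a later fix to the fixture or assertions may reach only one of them. I would move the project set-up into a shared helper that takes the parameter name and description, leaving each test with only the page fetch and the assertions. Each test would also benefit from a one-line comment stating the contract it pins, such as `// SECURITY-353: name is always escaped; description may only contain markup the formatter allows`.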
