[SECURITY-1186] Integration tests.

jenkinsci · Oct 18, 2018 · 16c862a · 16c862a
1 parent 7bc8d06
commit 16c862a
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 1 deletion.
diff --git a/pom.xml b/pom.xml
@@ -50,7 +50,7 @@
     <dependency>
       <groupId>org.kohsuke</groupId>
       <artifactId>groovy-sandbox</artifactId>
-      <version>1.19</version>
+      <version>1.20</version>
       <exclusions>
         <exclusion>
           <groupId>org.codehaus.groovy</groupId>

diff --git a/...test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java b/...test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java
@@ -56,6 +56,7 @@
 
 import org.apache.commons.lang.StringUtils;
 import org.codehaus.groovy.control.CompilerConfiguration;
+import org.codehaus.groovy.control.MultipleCompilationErrorsException;
 import org.codehaus.groovy.runtime.GStringImpl;
 import org.codehaus.groovy.runtime.InvokerHelper;
 import static org.hamcrest.Matchers.*;
@@ -1108,4 +1109,18 @@ public void dateTimeApi() throws Exception {
         assertEvaluate(new GenericWhitelist(), "2007-12-03T07:15:30", "java.time.LocalDateTime.parse('2007-12-03T10:15:30').minusHours(3).format(java.time.format.DateTimeFormatter.ISO_LOCAL_DATE_TIME)");
     }
 
+    @Issue("SECURITY-1186")
+    @Test
+    public void finalizer() throws Exception {
+        try {
+            evaluate(new GenericWhitelist(), "class Test { public void finalize() { } }; null");
+            fail("Finalizers should be rejected");
+        } catch (MultipleCompilationErrorsException e) {
+            assertThat(e.getErrorCollector().getErrorCount(), equalTo(1));
+            Exception innerE = e.getErrorCollector().getException(0);
+            assertThat(innerE, instanceOf(SecurityException.class));
+            assertThat(innerE.getMessage(), containsString("Object.finalize()"));
+        }
+    }
+
 }
diff --git a/...test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest.java b/...test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest.java
@@ -38,6 +38,8 @@
 import hudson.model.FreeStyleBuild;
 import hudson.model.Item;
 import hudson.model.Result;
+import hudson.model.User;
+import hudson.security.ACL;
 import hudson.security.Permission;
 import hudson.tasks.BuildStepDescriptor;
 import hudson.tasks.Publisher;
@@ -48,6 +50,7 @@
 import java.util.List;
 import java.util.Set;
 import jenkins.model.Jenkins;
+import jenkins.security.NotReallyRoleSensitiveCallable;
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.tools.ant.DirectoryScanner;
@@ -803,4 +806,47 @@ public void testSandboxClassResolution() throws Exception {
         }
     }
 
+    @Issue("SECURITY-1186")
+    @Test public void testFinalizersForbiddenInSandbox() throws Exception {
+        FreeStyleProject p = r.createFreeStyleProject();
+        p.getPublishersList().add(new TestGroovyRecorder(
+                new SecureGroovyScript("class Test { public void finalize() { } }; null", true, null)));
+        FreeStyleBuild b = r.assertBuildStatus(Result.FAILURE, p.scheduleBuild2(0));
+        r.assertLogContains("Object.finalize()", b);
+    }
+
+    @Issue("SECURITY-1186")
+    @Test public void testFinalizersAllowedWithWholeScriptApproval() throws Exception {
+        r.jenkins.setSecurityRealm(r.createDummySecurityRealm());
+        MockAuthorizationStrategy mockStrategy = new MockAuthorizationStrategy();
+        mockStrategy.grant(Jenkins.READ).everywhere().to("dev");
+        for (Permission p : Item.PERMISSIONS.getPermissions()) {
+            mockStrategy.grant(p).everywhere().to("dev");
+        }
+        r.jenkins.setAuthorizationStrategy(mockStrategy);
+
+        final FreeStyleProject p = r.createFreeStyleProject();
+        p.getPublishersList().add(new TestGroovyRecorder(
+                new SecureGroovyScript("class Test { public void finalize() { } }; null", false, null)));
+
+        ACL.impersonate(User.getById("dev", true).impersonate(), new NotReallyRoleSensitiveCallable<Void, Exception>() {
+            public Void call() throws Exception {
+                FreeStyleBuild b = r.assertBuildStatus(Result.FAILURE, p.scheduleBuild2(0));
+                r.assertLogContains("UnapprovedUsageException", b);
+                return null;
+            }
+        });
+
+        Set<ScriptApproval.PendingScript> ps = ScriptApproval.get().getPendingScripts();
+        assertEquals(1, ps.size());
+        ScriptApproval.get().approveScript(ps.iterator().next().getHash());
+
+        ACL.impersonate(User.getById("dev", true).impersonate(), new NotReallyRoleSensitiveCallable<Void, Exception>() {
+            public Void call() throws Exception {
+                r.assertBuildStatus(Result.SUCCESS, p.scheduleBuild2(0));
+                return null;
+            }
+        });
+    }
+
 }