[SECURITY-1292] Secure the script check in SecureGroovyScript
abayer committed Jan 17, 2019
1 parent f77a666 commit 3511927
Showing 2 changed files with 29 additions and 1 deletion.
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,7 @@
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.Stapler;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.interceptor.RequirePOST;

/**
* Convenience structure encapsulating a Groovy script that may either be approved whole or sandboxed.
Expand Down Expand Up @@ -407,9 +408,11 @@ private final class CleanClassCollector extends ClassCollector {
return ""; // not intended to be displayed on its own
}

@RequirePOST
public FormValidation doCheckScript(@QueryParameter String value, @QueryParameter boolean sandbox) {
try {
new GroovyShell(Jenkins.getInstance().getPluginManager().uberClassLoader).parse(value);
new GroovyShell(Jenkins.getInstance().getPluginManager().uberClassLoader,
GroovySandbox.createSecureCompilerConfiguration()).parse(value);
} catch (CompilationFailedException x) {
return FormValidation.error(x.getLocalizedMessage());
}
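Review bot: The secure compiler configuration is now used on every call, but the `sandbox` parameter is still accepted and never read, so the reason for parsing an approval-bound script with sandbox rules is invisible to the next maintainer, and such a script is rejected with a message that talks about "the sandbox". A comment above the `new GroovyShell(...)` call would carry that reasoning: `// Always parse with the secure configuration, even when sandbox is false: compile-time annotations such as @ASTTest or @Grab can run code or resolve dependencies inside parse(), before any approval check happens.` If the unconditional strictness is intended, the method's Javadoc should state it and the error text could say the check itself is sandboxed. `@RequirePOST` keeps the check from being triggered by a crafted GET, but it is not an authorization check; whether the descriptor verifies that the caller may configure the item is not visible in this hunk. The body of doCheckScript continues below the hunk.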
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,8 @@
import org.apache.tools.ant.taskdefs.Expand;
import org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval;
import org.jenkinsci.plugins.scriptsecurity.scripts.UnapprovedUsageException;

import static org.hamcrest.Matchers.containsString;
import static org.junit.Assert.*;

import org.jenkinsci.plugins.scriptsecurity.scripts.languages.GroovyLanguage;
Expand Down Expand Up @@ -849,4 +851,27 @@ public Void call() throws Exception {
});
}

@Issue("SECURITY-1292")
@Test
public void blockASTTest() throws Exception {
SecureGroovyScript.DescriptorImpl d = r.jenkins.getDescriptorByType(SecureGroovyScript.DescriptorImpl.class);
assertThat(d.doCheckScript("import groovy.transform.*\n" +
"import jenkins.model.Jenkins\n" +
"import hudson.model.FreeStyleProject\n" +
"@ASTTest(value={ assert Jenkins.getInstance().createProject(FreeStyleProject.class, \"should-not-exist\") })\n" +
"@Field int x\n" +
"echo 'hello'\n", false).toString(), containsString("Annotation ASTTest cannot be used in the sandbox"));

assertNull(r.jenkins.getItem("should-not-exist"));
}

@Issue("SECURITY-1292")
@Test
public void blockGrab() throws Exception {
SecureGroovyScript.DescriptorImpl d = r.jenkins.getDescriptorByType(SecureGroovyScript.DescriptorImpl.class);
assertThat(d.doCheckScript("@Grab(group='foo', module='bar', version='1.0')\ndef foo\n", false).toString(),
containsString("Annotation Grab cannot be used in the sandbox"));
}


}
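Review bot: Both new tests call `doCheckScript` in-process through the descriptor, so the `@RequirePOST` added by the same commit is never exercised; unless a web-client test elsewhere in this class covers it, a GET against the check URL through `r.createWebClient()` should be asserted to fail. blockASTTest pins the security-relevant effect with `assertNull(r.jenkins.getItem("should-not-exist"))`, but both tests identify the validation outcome only by a substring of `toString()`, which ties them to wording produced by the sandbox rather than to the result itself; adding `assertEquals(FormValidation.Kind.ERROR, fv.kind)` on the captured return value keeps them meaningful if that message changes. Only `sandbox=false` is covered, so a `sandbox=true` case would document that the check behaves the same on both paths. The static `org.junit.Assert.*` wildcard deviates from the explicit imports around it.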
