[SECURITY-2090]
yaroslavafenkin committed Dec 17, 2021
1 parent f0a6645 commit 3a4d441
Showing 4 changed files with 48 additions and 0 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@
import io.jenkins.plugins.analysis.core.charts.JenkinsBuild;
import io.jenkins.plugins.analysis.core.util.IssuesStatistics;
import io.jenkins.plugins.analysis.core.util.IssuesStatisticsBuilder;
import io.jenkins.plugins.analysis.core.util.ModelValidation;
import io.jenkins.plugins.analysis.core.util.QualityGateEvaluator;
import io.jenkins.plugins.analysis.core.util.QualityGateStatus;
import io.jenkins.plugins.analysis.core.util.StaticAnalysisRun;
Expand Down Expand Up @@ -223,6 +224,7 @@ protected AnalysisResult(final Run<?, ?> owner, final String id, final DeltaRepo
this.owner = owner;

Report allIssues = report.getAllIssues();
new ModelValidation().ensureValidId(id);
this.id = id;

totals = report.getStatistics();
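Review bot: `new ModelValidation().ensureValidId(id);` is placed after `this.owner = owner;` and after `report.getAllIssues()` has already been evaluated, so the constructor assigns a field and does work before it rejects a malformed id; moving the check to the first statement of the constructor keeps the fail-fast property obvious and stops later edits from pushing the validation further down. The constructor's Javadoc, which lies outside the hunk, should declare the new failure mode, e.g. `@throws IllegalArgumentException if {@code id} is rejected by {@link ModelValidation#ensureValidId(String)}` (the test added in this commit pins that exception type). The constructor starts and ends outside the hunk.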
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,8 @@ protected Object readResolve() {
*/
@DataBoundSetter
public void setId(final String id) {
new ModelValidation().ensureValidId(id);

this.id = id;
}
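Review bot: The Javadoc that ends at the `*/` just above `@DataBoundSetter` does not say that `setId` can now throw; since Jenkins invokes this setter during data binding, the method's Javadoc should carry `@throws IllegalArgumentException if {@code id} is rejected by {@link ModelValidation#ensureValidId(String)}`. The hunk header shows `readResolve()` above this setter; if that is where a persisted id is restored, an id saved before this change does not pass through this check, which is worth confirming. Building a fresh `ModelValidation` on every call, here and in `AnalysisResult`, is a nit if the class is stateless; a shared `private static final` instance would do.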

Original file line number Diff line number Diff line change
Expand Up @@ -2,15 +2,24 @@

import java.io.IOException;
import java.nio.file.Path;
import java.util.Collections;

import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.Test;
import org.jvnet.hudson.test.Issue;

import edu.hm.hafner.util.ResourceTest;

import hudson.XmlFile;
import hudson.model.Run;
import hudson.util.XStream2;

import io.jenkins.plugins.analysis.core.util.QualityGateStatus;
import io.jenkins.plugins.forensics.blame.Blames;
import io.jenkins.plugins.forensics.miner.RepositoryStatistics;

import static io.jenkins.plugins.analysis.core.assertions.Assertions.*;
import static org.mockito.Mockito.*;

/**
* Tests the class {@link AnalysisResult}.
Expand All @@ -29,4 +38,14 @@ void shouldRestoreResultBeforeIssuesStatisticsField() throws IOException {
assertThat(restored).hasTotalSize(14).hasNewSize(9).hasFixedSize(0);
assertThat(restored.getTotals()).hasTotalSize(14).hasNewSize(9).hasFixedSize(0);
}

@Test
@Issue("SECURITY-2090")
void constructorShouldThrowExceptionIfIdHasInvalidPattern() {
Assertions.assertThatIllegalArgumentException()
.isThrownBy(
() -> new AnalysisResult(mock(Run.class), "../../invalid-id", mock(DeltaReport.class),
new Blames(), new RepositoryStatistics(),
QualityGateStatus.PASSED, Collections.emptyMap()));
}
}
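Review bot: The new test exercises only the rejecting path with `"../../invalid-id"`; a companion case that constructs the result with a well-formed id using the same mocks would catch the opposite regression, an over-restrictive pattern that starts rejecting legitimate ids, just as cheaply. `Assertions.assertThatIllegalArgumentException()` is called through the fully qualified AssertJ class, presumably because the static wildcard import of the project's own `Assertions` shadows the simple name; a short comment saying so would spare the next reader a look. A one-line Javadoc such as `/** Verifies that a path-like id is rejected at construction time. */` on the test method would match the class-level documentation style.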
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
package io.jenkins.plugins.analysis.core.model;

import java.util.Collections;

import org.assertj.core.api.Assertions;
import org.junit.Test;
import org.jvnet.hudson.test.Issue;

import io.jenkins.plugins.analysis.core.testutil.IntegrationTestWithJenkinsPerSuite;
import io.jenkins.plugins.analysis.warnings.groovy.GroovyParser;
import io.jenkins.plugins.analysis.warnings.groovy.GroovyScript;
import io.jenkins.plugins.analysis.warnings.groovy.ParserConfiguration;

public class ToolITest extends IntegrationTestWithJenkinsPerSuite {

@Test
@Issue("SECURITY-2090")
public void setIdShouldThrowExceptionIfCustomIdHasInvalidPattern() {
ParserConfiguration configuration = ParserConfiguration.getInstance();
configuration.setParsers(Collections.singletonList(new GroovyParser("groovy", "", "", "", "")));
Tool groovyScript = new GroovyScript("groovy");

Assertions.assertThatIllegalArgumentException().isThrownBy(() -> groovyScript.setId("../../invalid-id"));
}
}
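Review bot: `ToolITest` carries no class-level Javadoc, unlike `AnalysisResultTest` in this same commit (`Tests the class {@link AnalysisResult}.`); add `/** Integration tests for {@link Tool}. */` and a one-line Javadoc on the test method. `ParserConfiguration.getInstance()` is global state and `setParsers(...)` replaces its parser list without restoring it afterwards; under a per-suite Jenkins (`IntegrationTestWithJenkinsPerSuite`) that change leaks into other tests, so restoring the previous list at the end of the test or in an `@After` method seems warranted, unless the base class already does that. The test uses `org.junit.Test` while `AnalysisResultTest` uses JUnit 5's `org.junit.jupiter.api.Test`; if the base class requires JUnit 4 that is fine, but it deserves a consistency pass. Asserting that `groovyScript` still reports its original id after the rejected call would also confirm that the check runs before the assignment, as the hunk in `Tool` shows.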
