[SECURITY-1295] Secure the script check in GroovyParser.
abayer committed Jan 24, 2019
1 parent 2b87392 commit c3ca6a0
Showing 4 changed files with 36 additions and 6 deletions.
10 changes: 5 additions & 5 deletions pom.xml
Expand Up @@ -127,11 +127,6 @@
<artifactId>scm-api</artifactId>
<version>2.2.0</version>
</dependency>
<dependency>
<groupId>org.jenkins-ci.plugins</groupId>
<artifactId>script-security</artifactId>
<version>1.36</version>
</dependency>
<dependency>
<groupId>commons-net</groupId>
<artifactId>commons-net</artifactId>
Expand Down Expand Up @@ -218,6 +213,11 @@
</dependency>

<!-- Required Jenkins Plug-in Dependencies -->
<dependency>
<groupId>org.jenkins-ci.plugins</groupId>
<artifactId>script-security</artifactId>
<version>1.50</version>
</dependency>
<dependency>
<groupId>org.jenkins-ci.plugins.workflow</groupId>
<artifactId>workflow-step-api</artifactId>
Expand Up @@ -15,6 +15,8 @@
import groovy.lang.GroovyShell;
import groovy.lang.Script;

import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox;

/**
* Creates a warning based on a regular expression match and groovy script.
*
Expand Down Expand Up @@ -60,7 +62,8 @@ private boolean compileScriptIfNotYetDone() {
*/
public Script compile() throws CompilationFailedException {
Binding binding = new Binding();
GroovyShell shell = new GroovyShell(GroovyExpressionMatcher.class.getClassLoader(), binding);
GroovyShell shell = new GroovyShell(GroovySandbox.createSecureClassLoader(GroovyExpressionMatcher.class.getClassLoader()),
binding, GroovySandbox.createSecureCompilerConfiguration());
return shell.parse(script);
}
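Review bot: The secure compiler configuration passed to the new `GroovyShell` only sandboxes compilation (it is what rejects compile-time transformations such as `@ASTTest` and `@Grab`); the `Script` that `compile()` returns is still executed by its caller, and that execution is only sandboxed if it happens inside `GroovySandbox.runInSandbox(...)` with a whitelist — the caller is outside this hunk, so confirm it does. Nothing in the code says why the secure loader and configuration are used, so a why-comment above the `new GroovyShell(...)` line would help: `// SECURITY-1295: sandbox compilation so AST transformations in a user-supplied script cannot run arbitrary code.` The method's Javadoc (its closing `*/` is the first line of the hunk) should also mention that scripts using annotations forbidden in the sandbox fail to compile.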

Expand Up @@ -23,6 +23,7 @@

import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
Expand Down Expand Up @@ -294,6 +295,7 @@ public FormValidation doCheckRegexp(@QueryParameter(required = true) final Strin
*
* @return the validation result
*/
@RequirePOST
public FormValidation doCheckScript(@QueryParameter(required = true) final String script) {
if (isNotAllowedToRunScripts()) {
return NO_RUN_SCRIPT_PERMISSION_WARNING;
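Review bot: `@RequirePOST` on `doCheckScript` changes the HTTP method the form validation must be called with, so the Jelly view for the `script` field needs `checkMethod="post"` or the default GET validation request is rejected; no Jelly file is among the four changed files, so confirm it is already set or add it to the element the view uses, e.g. `<f:textarea field="script" checkMethod="post"/>`. The permission gate on the following line (`isNotAllowedToRunScripts()`) remains the primary control; the annotation only closes the CSRF path for users who hold the permission. A short comment above the annotation would record that: `// SECURITY-1295: script compilation must not be triggerable by a GET link (CSRF).`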
Expand Up @@ -5,14 +5,19 @@

import org.apache.commons.lang3.StringUtils;
import org.junit.jupiter.api.Test;
import org.jvnet.hudson.test.Issue;

import edu.hm.hafner.analysis.IssueParser;
import edu.hm.hafner.analysis.Report;
import edu.hm.hafner.util.SerializableTest;

import io.jenkins.plugins.analysis.core.util.JenkinsFacade;
import io.jenkins.plugins.analysis.core.util.ConsoleLogReaderFactory;
import static io.jenkins.plugins.analysis.core.testutil.Assertions.*;
import io.jenkins.plugins.analysis.warnings.groovy.GroovyParser.DescriptorImpl;

import static org.hamcrest.Matchers.*;
import static org.junit.Assert.*;
import static org.mockito.Mockito.*;

import hudson.model.Run;
Expand Down Expand Up @@ -147,6 +152,26 @@ void shouldAcceptMultiLineRegularExpression() {
toString("multiline.groovy"))).isOk();
}

@Issue("SECURITY-1295")
@Test
public void blockASTTest() throws Exception {
DescriptorImpl d = createDescriptor();
assertThat(d.doCheckScript("import groovy.transform.*\n" +
"import jenkins.model.Jenkins\n" +
"import hudson.model.FreeStyleProject\n" +
"@ASTTest(value={ assert Jenkins.getInstance().createProject(FreeStyleProject.class, \"should-not-exist\") })\n" +
"@Field int x\n" +
"echo 'hello'\n").toString(), containsString("Annotation ASTTest cannot be used in the sandbox"));
}

@Issue("SECURITY-1295")
@Test
public void blockGrab() throws Exception {
DescriptorImpl d = createDescriptor();
assertThat(d.doCheckScript("@Grab(group='foo', module='bar', version='1.0')\ndef foo\n").toString(),
containsString("Annotation Grab cannot be used in the sandbox"));
}

private DescriptorImpl createDescriptor() {
return createDescriptor(createJenkinsFacade());
}
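Review bot: The two new tests import and use JUnit 4's `org.junit.Assert.*` and Hamcrest while the class already runs on JUnit Jupiter (`org.junit.jupiter.api.Test` at the top of the hunk) and the project's own `Assertions.*`; `Assert.assertThat` is deprecated in JUnit 4.13 and the mixed style leaves it unclear which assertion library the file is on. Prefer the form the file already uses — `assertThat(d.doCheckScript(...)).isError()` if the project's `FormValidation` assertion offers the counterpart of the `isOk()` seen earlier in this hunk, with the text check done on `getMessage()` — and drop the `public` modifier and `throws Exception` to match `shouldAcceptMultiLineRegularExpression`. Matching on the rendered `toString()` output also couples the test to script-security's exact wording; asserting the validation `kind` is `ERROR` first keeps the regression check meaningful even if that wording changes.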
