
[SECURITY-595]

Co-Authored-By: Wadeck Follonier <wadeck.follonier@gmail.com>
daniel-beck and Wadeck committed Nov 20, 2018
1 parent 7d06fa1 commit 28e8eba822a0df9dcd64d20eb63d8ab5f6ee2980
@@ -0,0 +1,34 @@
/*
* The MIT License
*
* Copyright (c) 2018, CloudBees, Inc.
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
package org.kohsuke.stapler;

import java.util.List;

/**
* Registered inside {@link WebApp#setDispatchersFilter(DispatchersFilter)} and then used after the creation of
* the dispatchers for a {@link MetaClass} in order to add / remove / edit the dispatchers that are created.
*/
public interface DispatchersFilter {
void applyOn(MetaClass metaClass, FunctionList methods, List<Dispatcher> dispatcherList);
}
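Review bot: The Javadoc on `DispatchersFilter` leaves the contract of `applyOn` unstated: it does not say that `dispatcherList` is meant to be modified in place (the method returns `void`), what `methods` holds, or what happens to routing if an implementation throws. Because the filter has the last word on which dispatchers exist for a `MetaClass`, I would add a method comment such as `/** Mutates {@code dispatcherList} in place; entries left in the list remain routable for {@code metaClass}. */`. The comment should also state whether a failing filter leaves the type with no dispatchers or with the unfiltered list. The interface has a single method, so `@FunctionalInterface` would document the intent as well.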
@@ -26,6 +26,11 @@ public String getDisplayName() {
return next.getDisplayName();
}

@Override
public boolean isStatic() {
return next.isStatic();
}

@Override
public String getQualifiedName() {
return next.getQualifiedName();
@@ -40,6 +45,16 @@ public Class getReturnType() {
return next.getReturnType();
}

@Override
public Class[] getCheckedExceptionTypes() {
return next.getCheckedExceptionTypes();
}

@Override
public Class getDeclaringClass() {
return next.getDeclaringClass();
}

// can't really call next.contextualize()
@Override
public Function contextualize(Object usage) {
@@ -51,6 +66,11 @@ public Function contextualize(Object usage) {
return next.getGenericParameterTypes();
}

@Override
public String getSignature() {
return next.getSignature();
}

public Annotation[][] getParameterAnnotations() {
return next.getParameterAnnotations();
}
@@ -26,6 +26,7 @@
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import org.apache.commons.lang.StringUtils;
import org.kohsuke.stapler.interceptor.Interceptor;
import org.kohsuke.stapler.interceptor.InterceptorAnnotation;

@@ -37,6 +38,7 @@
import java.lang.invoke.MethodHandle;
import java.lang.invoke.WrongMethodTypeException;
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Executable;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
@@ -45,6 +47,7 @@
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;

import static org.kohsuke.stapler.ReflectionUtils.*;

@@ -68,6 +71,11 @@
*/
public abstract String getDisplayName();

/**
* Gets the signature for this for use in lists
*/
public abstract String getSignature();

/**
* Gets "className.methodName"
*/
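Review bot: `getSignature()` is added as an `abstract` method, so any `Function` subclass built outside this commit stops compiling, or fails with `AbstractMethodError` at run time, until it implements it. The same applies to `getCheckedExceptionTypes()`, `getDeclaringClass()` and `isStatic()` in the next hunk. This assumes `Function` can be subclassed from outside the package, since the class declaration is not in the hunk. The Javadoc `Gets the signature for this for use in lists` should also name the lists and pin the format, e.g. `Returns "method|staticMethod <declaring class> <name> [<parameter type>...]", separated by single spaces.`, which is what the `MethodFunction` implementation in this commit produces.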
@@ -94,7 +102,27 @@
* Return type of the method.
*/
public abstract Class getReturnType();

/**
* Gets the type of checked exceptions.
* <p>
* Take care that {@link RuntimeException} can be checked but it's not mandatory
*/
public abstract Class[] getCheckedExceptionTypes();

/**
* Returns the {@code Class} object representing the class or interface
* that declares the executable represented by this object.
* @see java.lang.reflect.Member#getDeclaringClass()
*/
public abstract Class getDeclaringClass();

/**
* Returns true if and only if the function is static.
* @return
*/
public abstract boolean isStatic();

/**
* Caller uses this method to tell {@link Function} about how it is being used.
* By default, this methods ignores the given context by returning {@code this}.
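Review bot: The Javadoc on the three new abstract methods is too loose to implement against: `Take care that {@link RuntimeException} can be checked but it's not mandatory` is hard to parse, and `isStatic()` carries an empty `@return`. I would reword the first to `Gets the exception types declared in the throws clause; unchecked exceptions appear here only if they were declared explicitly.`, which matches the `MethodFunction` implementation in this commit (`return m.getExceptionTypes();`). For `isStatic()`, either write `@return true if the underlying method is static` or drop the tag. The hunk ends inside the Javadoc of the following method, which is not part of this change.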
@@ -298,6 +326,21 @@ public final String getDisplayName() {
return m.toGenericString();
}

@Override
public String getSignature() {
String prefix = isStatic() ? "staticMethod" : "method";
String value = StringUtils.join(Arrays.asList(prefix, m.getDeclaringClass().getName(), getName()), ' ');
if (getParameterTypes().length > 0) {
value += " " + StringUtils.join(Arrays.stream(getParameterTypes()).map(Class::getName).collect(Collectors.toList()), ' ');
}
return value;
}

@Override
public boolean isStatic() {
return Modifier.isStatic(m.getModifiers());
}

@Override
public String getQualifiedName() {
return m.getDeclaringClass().getName()+'.'+getName();
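Review bot: `getSignature()` identifies the method by `m.getDeclaringClass().getName()`, not by the class of the object being dispatched on, and that deserves a comment on the method. If this string is matched against configured entries (the abstract Javadoc says "for use in lists"), one entry for a method declared on a base class applies to every subclass that inherits it. Parameter types are rendered with `Class::getName`, so arrays read `[Ljava.lang.String;` and nested classes use `$`, and entries have to be written in exactly that form. Suggested comment: `// Declaring class, not receiver class: one entry covers every subtype inheriting this method. Types use Class#getName (arrays as "[L...;", nested as Outer$Inner).`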
@@ -322,6 +365,16 @@ public Class getReturnType() {
return m.getReturnType();
}

@Override
public Class[] getCheckedExceptionTypes() {
return m.getExceptionTypes();
}

@Override
public Class getDeclaringClass() {
return m.getDeclaringClass();
}

protected MethodHandle handle() {
if (handle==null) {
handle = MethodHandleFactory.get(m);
@@ -352,7 +405,7 @@ public Object invoke(StaplerRequest req, StaplerResponse rsp, Object o, Object..
/**
* Normal instance methods.
*/
static class InstanceFunction extends MethodFunction {
public static class InstanceFunction extends MethodFunction {
public InstanceFunction(Method m) {
super(m);
}
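Review bot: `InstanceFunction` goes from package-private to `public static` without a word on why, and its `public InstanceFunction(Method m)` constructor becomes usable from outside the package as a result. If the goal is only to let code outside the package recognise instance functions (for example a `DispatchersFilter` implementation using `instanceof`, which is inferred and not shown in the hunk), say so in the Javadoc, e.g. `Public so that filters outside this package can distinguish instance methods; not intended to be instantiated by callers.` The class body continues outside the hunk.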
@@ -23,8 +23,21 @@

package org.kohsuke.stapler;

import org.kohsuke.stapler.interceptor.RequirePOST;
import org.kohsuke.stapler.interceptor.RespondSuccess;
import org.kohsuke.stapler.json.JsonBody;
import org.kohsuke.stapler.json.JsonResponse;
import org.kohsuke.stapler.json.SubmittedForm;
import org.kohsuke.stapler.verb.DELETE;
import org.kohsuke.stapler.verb.GET;
import org.kohsuke.stapler.verb.POST;
import org.kohsuke.stapler.verb.PUT;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.lang.annotation.Annotation;
import java.util.*;
import java.util.regex.Pattern;

/**
* Immutable list of {@link Function}s.
@@ -42,7 +55,7 @@ public FunctionList(Collection<Function> functions) {
this.functions = functions.toArray(new Function[0]);
}

private FunctionList filter(Filter f) {
/* internal */ FunctionList filter(Filter f) {
List<Function> r = new ArrayList<Function>();
for (Function m : functions)
if (f.keep(m))
@@ -79,6 +92,13 @@ public FunctionList union(FunctionList that) {

public interface Filter {
boolean keep(Function m);

Filter ALWAYS_OK = new Filter(){
@Override
public boolean keep(Function m) {
return true;
}
};
}

/**
@@ -129,7 +149,7 @@ public boolean keep(Function m) {
* Returns {@link Function}s that are either explicitly {@link WebMethod} or
* implicitly so (by having its name start with 'do')
*/
public FunctionList webMethods() {
public FunctionList webMethodsLegacy() {
return filter(new Filter() {
public boolean keep(Function m) {
return m.getName().startsWith("do") || m.getAnnotation(WebMethod.class)!=null;
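Review bot: The Javadoc above `webMethodsLegacy()` is unchanged by the rename and still reads as the definition of a web method, so nothing tells a reader why this variant is "legacy" or when it is still used. The filter keeps any function whose name starts with `do`, with no check on annotations, parameters or return type, and that is the behaviour worth spelling out, e.g. `Legacy rule: any method whose name starts with "do" is kept, annotated or not.` Whether a replacement `webMethods()` exists cannot be seen here because the rest of the diff is not shown; if it does not, callers of the old public name will break. The anonymous `Filter` and the method body continue past the end of the hunk.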