hudson.model.UnprotectedRootAction Java Examples
The following examples show how to use
hudson.model.UnprotectedRootAction.
Example #1
Source File: StepsITest.java From warnings-ng-plugin with MIT License | 5 votes |
/**
 * Verifies that the Digester-based report parsers do not resolve external entities (XXE).
 * Before the fix, any user who could configure a job could make the parser read arbitrary
 * files from the Jenkins master, even where execution on the master was disabled.
 *
 * <p>Set-up: {@code userContent/oob.xml} is written with a reference to the {@code triggerMe}
 * URL, which is served by {@link YouCannotTriggerMe}; the report placed in the workspace
 * points its DTD at that {@code oob.xml}. Each parser is then run over the report and the
 * handler's trigger count must remain zero.
 *
 * @see <a href="https://jenkins.io/security/advisory/2018-01-22/">Jenkins Security Advisory 2018-01-22</a>
 */
@Test
public void showPreventXxeSecurity656() {
    String triggerUrl = getUrl("triggerMe");
    String oobUrl = getUrl("userContent/oob.xml");

    // Out-of-band file: its placeholder is pointed at the URL handler that must never be hit.
    String oobTemplate = toString("testXxe-oob.xml");
    write(oobTemplate.replace("$TARGET_URL$", triggerUrl));

    // The report under test references the out-of-band file via its DTD.
    String xxeTemplate = toString("testXxe-xxe.xml");
    String xxeReport = xxeTemplate.replace("$OOB_LINK$", oobUrl);

    WorkflowJob pipeline = createPipeline();
    createFileInWorkspace(pipeline, "xxe.xml", xxeReport);

    for (ReportScanningTool parser : Lists.mutable.of(new CheckStyle(), new Pmd(), new FindBugs(), new JcReport())) {
        String scanStep = String.format("def issues = scanForIssues tool: %s(pattern:'xxe.xml')", parser.getSymbolName());
        pipeline.setDefinition(asStage(scanStep, "publishIssues issues:[issues]"));
        scheduleSuccessfulBuild(pipeline);

        YouCannotTriggerMe handler = getJenkins().jenkins
                .getExtensionList(UnprotectedRootAction.class)
                .get(YouCannotTriggerMe.class);
        assertThat(handler).isNotNull();
        // Any non-zero count means the parser fetched the external entity.
        assertThat(handler.triggerCount)
                .as("XXE detected for parser %s: URL has been triggered!", parser)
                .isEqualTo(0);
    }
}
Example #2
Source File: JUnitResultArchiverTest.java From junit-plugin with MIT License | 5 votes |
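/**
 * Verifies that the JUnit result parser does not resolve external entities (SECURITY-521).
 *
 * <p>The build downloads a report ({@code xxe.xml}) whose DTD points at
 * {@code userContent/oob.xml}; that file in turn references {@code triggerMe}, an
 * {@link UnprotectedRootAction} ({@link YouCannotTriggerMe}) that counts how often it is hit.
 * If the archiver resolved external entities the counter would be non-zero.
 *
 * @throws Exception on any test-setup or build failure
 */
@Test
@Issue("SECURITY-521")
public void testXxe() throws Exception {
    String oobInUserContentLink = j.getURL() + "userContent/oob.xml";
    String triggerLink = j.getURL() + "triggerMe";

    String xxeFile = this.getClass().getResource("testXxe-xxe.xml").getFile();
    String xxeFileContent = FileUtils.readFileToString(new File(xxeFile), StandardCharsets.UTF_8);
    String adaptedXxeFileContent = xxeFileContent.replace("$OOB_LINK$", oobInUserContentLink);

    String oobFile = this.getClass().getResource("testXxe-oob.xml").getFile();
    String oobFileContent = FileUtils.readFileToString(new File(oobFile), StandardCharsets.UTF_8);
    String adaptedOobFileContent = oobFileContent.replace("$TARGET_URL$", triggerLink);

    // Write with the same explicit charset used for reading: the two-argument
    // writeStringToFile overload falls back to the platform default encoding.
    File userContentDir = new File(j.jenkins.getRootDir(), "userContent");
    FileUtils.writeStringToFile(new File(userContentDir, "oob.xml"), adaptedOobFileContent, StandardCharsets.UTF_8);

    FreeStyleProject project = j.createFreeStyleProject();
    DownloadBuilder builder = new DownloadBuilder();
    builder.fileContent = adaptedXxeFileContent;
    project.getBuildersList().add(builder);

    JUnitResultArchiver publisher = new JUnitResultArchiver("xxe.xml");
    project.getPublishersList().add(publisher);

    // The build result is deliberately not asserted (the earlier note records that it ends
    // UNSTABLE on this input); only the absence of an outbound request matters here.
    project.scheduleBuild2(0).get();

    YouCannotTriggerMe urlHandler = j.jenkins.getExtensionList(UnprotectedRootAction.class).get(YouCannotTriggerMe.class);
    // A non-zero count means the parser fetched the external entity.
    assertEquals(0, urlHandler.triggerCount);
}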
Example #3
Source File: EndpointTest.java From github-branch-source-plugin with MIT License | 4 votes |
/**
 * Returns the {@link TestRoot} instance registered among the {@link UnprotectedRootAction}
 * extensions.
 *
 * @return the registered {@code TestRoot} extension
 */
static TestRoot get() {
    ExtensionList<UnprotectedRootAction> rootActions = ExtensionList.lookup(UnprotectedRootAction.class);
    return rootActions.get(TestRoot.class);
}