|
45 | 45 | import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript; |
46 | 46 | import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.TestGroovyRecorder; |
47 | 47 | import org.jenkinsci.plugins.scriptsecurity.scripts.languages.GroovyLanguage; |
48 | | -import org.jetbrains.annotations.NotNull; |
| 48 | +import edu.umd.cs.findbugs.annotations.NonNull; |
49 | 49 | import org.junit.Rule; |
50 | 50 | import org.junit.Test; |
51 | 51 | import org.jvnet.hudson.test.Issue; |
@@ -133,19 +133,26 @@ public void malformedScriptApproval() throws Exception { |
133 | 133 |
|
134 | 134 | @Issue("SECURITY-1866") |
135 | 135 | @Test public void classpathEntriesEscaped() throws Exception { |
136 | | - // Add pending classpath entry. |
137 | | - final UnapprovedClasspathException e = assertThrows(UnapprovedClasspathException.class, () -> |
138 | | - ScriptApproval.get().using(new ClasspathEntry("https://www.example.com/#value=Hack<img id='xss' src=x onerror=alert(123)>Hack"))); |
| 136 | + HttpServer mockJarServer = createAndStartMockJarHttpServer(); |
| 137 | + String mockJarUrl = "http:/" + mockJarServer.getAddress() + "/library.jar#value=Hack<img id='xss' src=x onerror=alert(123)>Hack"; |
139 | 138 |
|
140 | | - // Check for XSS in pending approvals. |
141 | | - JenkinsRule.WebClient wc = r.createWebClient(); |
142 | | - HtmlPage approvalPage = wc.goTo("scriptApproval"); |
143 | | - assertThat(approvalPage.getElementById("xss"), nullValue()); |
144 | | - // Approve classpath entry. |
145 | | - ScriptApproval.get().approveClasspathEntry(e.getHash()); |
146 | | - // Check for XSS in approved classpath entries. |
147 | | - HtmlPage approvedPage = wc.goTo("scriptApproval"); |
148 | | - assertThat(approvedPage.getElementById("xss"), nullValue()); |
| 139 | + try { |
| 140 | + // Add pending classpath entry. |
| 141 | + final UnapprovedClasspathException e = assertThrows(UnapprovedClasspathException.class, () -> |
| 142 | + ScriptApproval.get().using(new ClasspathEntry(mockJarUrl))); |
| 143 | + |
| 144 | + // Check for XSS in pending approvals. |
| 145 | + JenkinsRule.WebClient wc = r.createWebClient(); |
| 146 | + HtmlPage approvalPage = wc.goTo("scriptApproval"); |
| 147 | + assertThat(approvalPage.getElementById("xss"), nullValue()); |
| 148 | + // Approve classpath entry. |
| 149 | + ScriptApproval.get().approveClasspathEntry(e.getHash()); |
| 150 | + // Check for XSS in approved classpath entries. |
| 151 | + HtmlPage approvedPage = wc.goTo("scriptApproval"); |
| 152 | + assertThat(approvedPage.getElementById("xss"), nullValue()); |
| 153 | + }finally { |
| 154 | + mockJarServer.stop(0); |
| 155 | + } |
149 | 156 | } |
150 | 157 |
|
151 | 158 | @Test public void clearMethodsLifeCycle() throws Exception { |
@@ -296,7 +303,7 @@ public void forceSandboxTests() throws Exception { |
296 | 303 | * as the JAR content. This is useful for tests that require a remote JAR resource. |
297 | 304 | * </p> |
298 | 305 | */ |
299 | | - private static @NotNull HttpServer createAndStartMockJarHttpServer() throws IOException { |
| 306 | + private static @NonNull HttpServer createAndStartMockJarHttpServer() throws IOException { |
300 | 307 | HttpServer mockServer = HttpServer.create(new InetSocketAddress("localhost", 0), 0); |
301 | 308 | mockServer.createContext("/library.jar", exchange -> { |
302 | 309 | byte[] responseBytes = "Mock JAR content".getBytes(StandardCharsets.UTF_8); |
|
0 commit comments