Skip to content

Commit 6d7adf8

Browse files
refactoring classpathEntriesEscaped test
1 parent 3a3a03e commit 6d7adf8

1 file changed

Lines changed: 21 additions & 14 deletions

File tree

src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApprovalTest.java

Lines changed: 21 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -45,7 +45,7 @@
4545
import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript;
4646
import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.TestGroovyRecorder;
4747
import org.jenkinsci.plugins.scriptsecurity.scripts.languages.GroovyLanguage;
48-
import org.jetbrains.annotations.NotNull;
48+
import edu.umd.cs.findbugs.annotations.NonNull;
4949
import org.junit.Rule;
5050
import org.junit.Test;
5151
import org.jvnet.hudson.test.Issue;
@@ -133,19 +133,26 @@ public void malformedScriptApproval() throws Exception {
133133

134134
@Issue("SECURITY-1866")
135135
@Test public void classpathEntriesEscaped() throws Exception {
136-
// Add pending classpath entry.
137-
final UnapprovedClasspathException e = assertThrows(UnapprovedClasspathException.class, () ->
138-
ScriptApproval.get().using(new ClasspathEntry("https://www.example.com/#value=Hack<img id='xss' src=x onerror=alert(123)>Hack")));
136+
HttpServer mockJarServer = createAndStartMockJarHttpServer();
137+
String mockJarUrl = "http:/" + mockJarServer.getAddress() + "/library.jar#value=Hack<img id='xss' src=x onerror=alert(123)>Hack";
139138

140-
// Check for XSS in pending approvals.
141-
JenkinsRule.WebClient wc = r.createWebClient();
142-
HtmlPage approvalPage = wc.goTo("scriptApproval");
143-
assertThat(approvalPage.getElementById("xss"), nullValue());
144-
// Approve classpath entry.
145-
ScriptApproval.get().approveClasspathEntry(e.getHash());
146-
// Check for XSS in approved classpath entries.
147-
HtmlPage approvedPage = wc.goTo("scriptApproval");
148-
assertThat(approvedPage.getElementById("xss"), nullValue());
139+
try {
140+
// Add pending classpath entry.
141+
final UnapprovedClasspathException e = assertThrows(UnapprovedClasspathException.class, () ->
142+
ScriptApproval.get().using(new ClasspathEntry(mockJarUrl)));
143+
144+
// Check for XSS in pending approvals.
145+
JenkinsRule.WebClient wc = r.createWebClient();
146+
HtmlPage approvalPage = wc.goTo("scriptApproval");
147+
assertThat(approvalPage.getElementById("xss"), nullValue());
148+
// Approve classpath entry.
149+
ScriptApproval.get().approveClasspathEntry(e.getHash());
150+
// Check for XSS in approved classpath entries.
151+
HtmlPage approvedPage = wc.goTo("scriptApproval");
152+
assertThat(approvedPage.getElementById("xss"), nullValue());
153+
}finally {
154+
mockJarServer.stop(0);
155+
}
149156
}
150157

151158
@Test public void clearMethodsLifeCycle() throws Exception {
@@ -296,7 +303,7 @@ public void forceSandboxTests() throws Exception {
296303
* as the JAR content. This is useful for tests that require a remote JAR resource.
297304
* </p>
298305
*/
299-
private static @NotNull HttpServer createAndStartMockJarHttpServer() throws IOException {
306+
private static @NonNull HttpServer createAndStartMockJarHttpServer() throws IOException {
300307
HttpServer mockServer = HttpServer.create(new InetSocketAddress("localhost", 0), 0);
301308
mockServer.createContext("/library.jar", exchange -> {
302309
byte[] responseBytes = "Mock JAR content".getBytes(StandardCharsets.UTF_8);

0 commit comments

Comments
 (0)