Skip to content

Commit

Permalink
JENKINS-62708 add JCasC support for approved script hashes
Browse files Browse the repository at this point in the history
  • Loading branch information
MarkRx committed Jul 19, 2021
1 parent 2810139 commit ee148dd
Show file tree
Hide file tree
Showing 6 changed files with 40 additions and 5 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,7 @@
import java.util.function.Consumer;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import jenkins.model.Jenkins;
Expand Down Expand Up @@ -701,6 +702,29 @@ public synchronized String[] getAclApprovedSignatures() {
return aclApprovedSignatures.toArray(new String[aclApprovedSignatures.size()]);
}

@DataBoundSetter
public synchronized void setApprovedScriptHashes(String[] scriptHashes) throws IOException {
Jenkins.getInstance().checkPermission(Jenkins.RUN_SCRIPTS);
approvedScriptHashes.clear();
List<String> goodScriptHashes = new ArrayList<>(scriptHashes.length);
Pattern sha1Pattern = Pattern.compile("^[a-fA-F0-9]{40}$");
for (String scriptHash : scriptHashes) {
if (scriptHash != null && sha1Pattern.matcher(scriptHash).matches()) {
goodScriptHashes.add(scriptHash);
} else {
LOG.warning("Ignoring malformed script hash: " + scriptHash);
}
}
approvedScriptHashes.addAll(goodScriptHashes);
save();
reconfigure();
}

@Restricted(NoExternalUse.class) // Jelly, implementation
public synchronized String[] getApprovedScriptHashes() {
return approvedScriptHashes.toArray(new String[approvedScriptHashes.size()]);
}

@Restricted(NoExternalUse.class) // implementation
@Extension public static final class ApprovedWhitelist extends ProxyWhitelist {
public ApprovedWhitelist() {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,9 @@ public void smokeTestEntry() throws Exception {
String[] approved = ScriptApproval.get().getApprovedSignatures();
assertTrue(approved.length == 1);
assertEquals(approved[0], "method java.net.URI getHost");
String[] approvedScriptHashes = ScriptApproval.get().getApprovedScriptHashes();
assertTrue(approvedScriptHashes.length == 1);
assertEquals(approvedScriptHashes[0], "fccae58c5762bdd15daca97318e9d74333203106");
}

@Test
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -162,15 +162,17 @@ public void malformedScriptApproval() throws Exception {
assertEquals(0, sa.getDangerousApprovedSignatures().length);
}

@Issue("JENKINS-57563")
@LocalData // Just a scriptApproval.xml that whitelists 'staticMethod jenkins.model.Jenkins getInstance'
@Issue({"JENKINS-57563", "JENKINS-62708"})
@LocalData // Just a scriptApproval.xml that whitelists 'staticMethod jenkins.model.Jenkins getInstance' and a script printing all labels
@Test
public void upgradeSmokes() throws Exception {
configureSecurity();
FreeStyleProject p = r.createFreeStyleProject();
p.getPublishersList().add(new TestGroovyRecorder(
new SecureGroovyScript("jenkins.model.Jenkins.instance", true, null)));
r.assertLogNotContains("org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: "
+ "Scripts not permitted to use staticMethod jenkins.model.Jenkins getInstance",
p.getPublishersList().add(new TestGroovyRecorder(
new SecureGroovyScript("println(jenkins.model.Jenkins.instance.getLabels())", false, null)));
r.assertLogNotContains("org.jenkinsci.plugins.scriptsecurity.scripts.UnapprovedUsageException: script not yet approved for use",
r.assertBuildStatus(Result.SUCCESS, p.scheduleBuild2(0).get()));
}

Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
<?xml version='1.0' encoding='UTF-8'?>
<scriptApproval plugin="[email protected]">
<approvedScriptHashes/>
<approvedScriptHashes>
<string>fccae58c5762bdd15daca97318e9d74333203106</string>
</approvedScriptHashes>
<approvedSignatures>
<string>staticMethod jenkins.model.Jenkins getInstance</string>
</approvedSignatures>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,3 +2,5 @@ security:
scriptApproval:
approvedSignatures:
- method java.net.URI getHost
approvedScriptHashes:
- fccae58c5762bdd15daca97318e9d74333203106
Original file line number Diff line number Diff line change
@@ -1,2 +1,4 @@
approvedScriptHashes:
- "fccae58c5762bdd15daca97318e9d74333203106"
approvedSignatures:
- "method java.net.URI getHost"

0 comments on commit ee148dd

Please sign in to comment.